On the front page of MSN.com today, there’s details about a new worm, Conficker, that spreads using the good old fashioned autorun.inf tricks. It infects USB drives so that, when you plug the drive into another computer, it automatically runs and infects the machine. The article mentioned a post on Nick Brown’s blog that instructs you on various ways to disable autorun.inf files and gives a .REG file for disabling autorun.inf.
Here’s the .REG file:
REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf] @="@SYS:DoesNotExist"
Recently, I’ve started to like taking small registry hacks and turning them into functions, so here’s a pair of functions that I wrote to automate this registry setting with PowerShell.
function Disable-AutoRun { $item = Get-Item ` "REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\AutoRun.inf" ` -ErrorAction SilentlyContinue if (-not $item) { $item = New-Item "REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\AutoRun.inf" } Set-ItemProperty $item.PSPath "(default)" "@SYS:DoesNotExist" }
Here’s Nick’s explanation of how it works:
This hack tells Windows to treat AUTORUN.INF as if it were a configuration file from a pre-Windows 95 application. IniFileMapping is a key which tells Windows how to handle the .INI files which those applications typically used to store their configuration data (before the registry existed). In this case it says "whenever you have to handle a file called AUTORUN.INF, don’t use the values from the file. You’ll find alternative values at HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist." And since that key, er, does not exist, it’s as if AUTORUN.INF is completely empty, and so nothing autoruns, and nothing is added to the Explorer double-click action. Result: worms cannot get in – unless you start double-clicking executables to see what they do, in which case, you deserve to have your PC infected.
In case you want to enable autorun again, you can use this function:
function Enable-AutoRun { Remove-Item "REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\AutoRun.inf" -Force }
Hope this Helps,
James Brundage [MSFT]
0 comments