Thursday, 26 November 2009

Help combat Autorun Viruses

Several viruses use Autorun.inf files on removable drives to launch a virus file stored in the Recycle Bin and infect PCs. They also copy the virus to the c:\windows\ and c:\windows\system32\ folders.

Here is a list of just some of the viruses using this method, as identified by Symantec:
  • W32.IRCBot
  • W32.Netsky.gen@mm
  • W32.Downadup.B
  • Hacktool.Flooder
and variants of each.
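As an added example (not part of the original post), the following Python sketch triages the contents of an Autorun.inf file and flags launch entries that point into a Recycle Bin folder, the pattern described above. The sample file contents, the function names and the list of Recycle Bin folder names are assumptions made for illustration.

```python
import re

# Folder names Windows uses for the Recycle Bin (assumed list: FAT, XP NTFS, Vista+).
RECYCLE_DIRS = {"recycled", "recycler", "$recycle.bin"}
# Keys in the [autorun] section that name a program to start.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# Constructed samples for the demonstration (not taken from a real infection).
SAMPLE_BAD = """[AutoRun]
; constructed example
open=RECYCLER\\S-1-5-21-0000000000-0000000000-0000000000-500\\example.exe
shell\\open\\command=RECYCLER\\S-1-5-21-0000000000-0000000000-0000000000-500\\example.exe
icon=shell32.dll,4
"""
SAMPLE_CLEAN = "[autorun]\nopen=setup.exe\nicon=setup.ico\n"


def launch_targets(text):
    """Return (key, value) pairs from the [autorun] section that start a program."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key):
                found.append((key.lower(), value))
    return found


def is_suspicious(value):
    """True when any path component of the command is a Recycle Bin folder."""
    tokens = re.split(r'[\\/\s"]+', value.lower())
    return any(tok in RECYCLE_DIRS for tok in tokens)


def triage(text):
    """List the launch entries whose target lives in a Recycle Bin folder."""
    return [(k, v) for k, v in launch_targets(text) if is_suspicious(v)]


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BAD):
        print(f"suspicious {key} -> {value}")
```

A hit is only a lead for further inspection; a legitimate Autorun.inf normally launches a file next to it on the drive, as in the clean sample.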

To protect against these, use the following methods:
  • Disable System Restore and Recycler.
  • Block Autorun.inf on network drives using Windows Server 2008 File Filtering.
  • Disable Autorun via Group Policy if on a network.
  • Disable Autorun Registry Keys below:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"Autorun"=dword:00000000

(Copy and paste the above into Notepad and save it as a .reg file, then import it into the registry. Don't forget to back up beforehand.)

This can be automated with a batch file using the regedit /s filename.reg command.

  • Disable Autorun via Application Control (available in third-party software such as Symantec Endpoint Security).
  • Run full antivirus scans daily until the outbreak is contained, then run a weekly scan.
  • Make sure patch KB967715 is installed via Windows Update on Windows XP to ensure Autorun is patched.
  • Set antivirus software to delete viruses upon detection. The Autorun file is then rendered a useless text file.
NOTE: Always check that you have antivirus software installed, and that it is fully functional and up to date. However, beware of fake antivirus programs.

I recommend Avast Home Anti Virus or AVG. Both are free, automatically updated and very effective.

Emalf
