Computer Tips and Tricks

Thursday 26 November 2009

Help combat Autorun Viruses

There are several viruses that use Autorun.inf files on removable drives to launch a virus file stored in the drive's Recycle Bin folder and so infect PCs. They also copy the virus to the c:\windows\ and c:\windows\system32\ folders.

Here is a list of just some of the viruses using this method, as identified by Symantec:
  • W32.IRCBot
  • W32.Netsky.gen@mm
  • W32.Downadup.B
  • Hacktool.Flooder
and variants of each.

To protect against these, use the following methods:
  • Disable System Restore and the Recycler folder.
  • Block Autorun.inf on network drives using Windows Server 2008 file screening.
  • Disable Autorun via Group Policy if on a network.
  • Disable Autorun using the registry keys below:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"Autorun"=dword:00000000

(Copy and paste the above into Notepad and save it as a .reg file, then import it into the registry. Don't forget to back up the registry beforehand.)

This can be automated with a batch file using the command regedit /s filename.reg, which imports the file silently without the confirmation prompt.

  • Disable Autorun via Application Control (available in third-party software such as Symantec Endpoint Security).
  • Run full anti-virus scans daily until the outbreak is contained, then run a weekly scan.
  • Make sure patch KB967715 is installed via Windows Update on Windows XP to ensure Autorun is patched.
  • Set anti-virus software to delete viruses upon detection. With the launched executable gone, the Autorun.inf file is rendered a useless text file.
NOTE: Always check that you have anti-virus software installed, that it is fully functional and up to date. However, beware of fake anti-virus programs.
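As an added example (not part of the original post), here is a PowerShell script that audits the three registry values from the .reg file above, optionally applies them, and then reports any autorun.inf found on removable or CD-ROM drives together with the open/shellexecute lines that show what it would have launched. The -Apply switch name and the report format are assumptions of this example; it uses Get-CimInstance, so it needs PowerShell 3 or later and should be run from an elevated prompt.

```powershell
# Added example, not code from the original post: audit and optionally enforce
# the Autorun registry settings listed above, then look for autorun.inf files
# on removable drives. -Apply is a parameter name chosen for this example.
param([switch]$Apply)

# Desired values, matching the .reg file in the post.
$settings = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = 0xFF },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = 0xFF },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom';                    Name = 'Autorun';            Value = 0 }
)

foreach ($s in $settings) {
    $current = $null
    if (Test-Path $s.Path) {
        # Read the existing value (null if the value or key does not exist yet).
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    }
    if ($current -eq $s.Value) {
        Write-Output "OK       $($s.Path)\$($s.Name) = $current"
    } else {
        Write-Output "MISSING  $($s.Path)\$($s.Name) (found: $current, want: $($s.Value))"
        if ($Apply) {
            # Create the key if needed, then write the DWORD value.
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
            Write-Output "FIXED    $($s.Path)\$($s.Name) = $($s.Value)"
        }
    }
}

# DriveType 2 = removable disk, 5 = CD-ROM. Report any autorun.inf present and
# show its 'open' / 'shellexecute' lines, which name the file it would launch.
Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 5 } | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path $inf) {
        Write-Output "FOUND    $inf"
        Get-Content $inf -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' } |
            ForEach-Object { Write-Output "         $_" }
    }
}
```

Run it without -Apply first to see which machines are out of compliance; a FOUND line with an open= entry pointing into a RECYCLER folder is the pattern the post describes and is worth a scan of that drive before it is used elsewhere.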

I recommend Avast Home Anti-Virus or AVG. Both are free, automatically updated and very effective.

Emalf

1 comment:

Andy said...

Very useful information, many thanks.
