All posts for the month April, 2009

The Windows operating system has a number of ways to run programs automatically with little user intervention. The "Conficker" worm uses several techniques for propagation, one of which is removable storage devices such as USB keys. Conficker was not the first to use this technique: the "Sality" virus was seen using the autorun feature around a year ago.

Looking into the autorun.inf file on a USB key infected by the Sality virus shows that it uses a number of commands to execute the same virus. The code below has been cleaned up and annotated with comments; it uses four methods to execute the same malware.

[AutoRun]

; right-click "Open" (double-clicking the drive also runs program1.exe)
shell\open\command = program1.exe
shell\open\default=1

; right-click "AutoPlay"
shell\autoplay\command = program2.exe

; right-click "Install or run program"
open = program3.exe

; right-click "Explore"
shell\explore\command = program4.exe

The diagram below, taken from Windows Vista, points out the menu commands that run the relevant program.

Conficker uses the shellexecute key in the autorun.inf file, as shown in the example below:

shellexecute = program5.exe
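To see at a glance which entries in an autorun.inf would launch a program, here is a small parser written for this post (it is an added example, not code from the original post or from any of the referenced write-ups). It reads the [AutoRun] section, ignores ";" comments, treats keys case-insensitively, and reports the launch vectors used by both Sality (shell\<verb>\command and open) and Conficker (shellexecute). The sample file embedded at the bottom is constructed from the entries shown above; the function and variable names are my own.

```python
"""Enumerate the program-launch vectors in an autorun.inf file.

Added example for this post. Covers the keys used in the Sality sample
(shell\<verb>\command, open) and the shellexecute key used by Conficker.
"""
import re

# Plain keys that launch a program on double-click / AutoPlay.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command launches a program when that context-menu verb is
# chosen; matching with a regex also catches custom verbs.
SHELL_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text):
    """Return (key, value) pairs from the [AutoRun] section.

    Keys are lower-cased, whitespace around '=' is stripped, ';' lines are
    comments, and anything outside [AutoRun] is ignored.
    """
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.append((key.strip().lower(), value.strip()))
    return entries


def launch_vectors(text):
    """Map each launch vector (key) to the program it would run."""
    vectors = {}
    for key, value in parse_autorun(text):
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            vectors[key] = value
    return vectors


# Constructed sample combining the Sality entries and the Conficker key.
SAMPLE_AUTORUN = """[AutoRun]
; right-click "Open"
shell\\open\\command = program1.exe
shell\\open\\default=1
; right-click "AutoPlay"
shell\\autoplay\\command = program2.exe
open = program3.exe
shell\\explore\\command = program4.exe
ShellExecute = program5.exe
"""

if __name__ == "__main__":
    for key, program in launch_vectors(SAMPLE_AUTORUN).items():
        print(f"{key:28s} -> {program}")
```

Note that shell\open\default=1 is correctly not reported: it only marks "Open" as the default verb and does not itself name a program.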

US-CERT issued an advisory (TA09-020A, see references) describing how to disable autorun functionality completely by adding the registry entry shown below. This text can be saved as a .reg file and imported just by double-clicking on it.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Once the entry has been imported and the machine rebooted, Windows will stop parsing the autorun.inf file on any existing or newly connected storage device. You will also notice that right-clicking on the drive now only displays "Open" and "Explore", and both simply open a window when clicked without executing any programs.

To re-enable the autorun features, all you need to do is delete the entry. This can be done by saving the text below as a .reg file and importing it.

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
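Before importing a .reg file, or when reviewing an export taken with reg export from a machine that should already be hardened, it helps to check mechanically which of the two states the file puts the IniFileMapping key in. The checker below is an added example written for this post (not from the original post or the CERT advisory): it parses the REGEDIT4-style text, recognises the [-KEY] deletion syntax, and reports whether the Autorun.inf mapping's default value redirects to a key via "@SYS:" (the mitigation), deletes the mapping (re-enables autorun), or is absent. The two constants at the bottom are the snippets given in this post; the function names are my own.

```python
"""Classify a .reg file by what it does to the Autorun.inf IniFileMapping.

Added example for this post. Handles REGEDIT4 / "Windows Registry Editor
Version 5.00" text: [KEY] sections, [-KEY] deletions, @=... default values.
"""
import re

MITIGATION_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                  r"\CurrentVersion\IniFileMapping\Autorun.inf")


def parse_reg(text):
    """Return (keys, deleted): keys maps key path -> {value name: data},
    deleted is the set of key paths the file removes. Paths are lower-cased."""
    keys, deleted = {}, set()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT") \
                or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):          # [-KEY] deletes the key
                deleted.add(path[1:].lower())
                current = None
            else:
                current = path.lower()
                keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = name.strip()
        # '@' is the key's default value; other names are quoted strings.
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = data.strip()
    return keys, deleted


def autorun_mitigation_state(text):
    """'enabled'  : mapping redirects via @SYS: (autorun.inf no longer parsed)
       'removed'  : file deletes the mapping key (autorun restored)
       'absent'   : file does not touch the mapping"""
    keys, deleted = parse_reg(text)
    path = MITIGATION_KEY.lower()
    if path in deleted:
        return "removed"
    data = keys.get(path, {}).get("(Default)", "")
    # "@SYS:<name>" maps the INI file to HKLM\...\<name>; the mitigation
    # names a key that does not exist, so nothing is read from autorun.inf.
    if re.match(r'^"@SYS:[^"]+"$', data):
        return "enabled"
    return "absent"


# The two snippets from this post.
DISABLE_AUTORUN_REG = """REGEDIT4
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\Autorun.inf]
@="@SYS:DoesNotExist"
"""

RESTORE_AUTORUN_REG = """REGEDIT4
[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\Autorun.inf]
"""

if __name__ == "__main__":
    print("disable snippet:", autorun_mitigation_state(DISABLE_AUTORUN_REG))
    print("restore snippet:", autorun_mitigation_state(RESTORE_AUTORUN_REG))
```

The check only confirms the "@SYS:" redirection is present; it cannot verify offline that the named key really does not exist on the target machine, so the key name after "@SYS:" should still be eyeballed (DoesNotExist in the advisory's text).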

References:

http://vil.nai.com/vil/content/v_153711.htm
http://vil.nai.com/vil/content/v_153724.htm
http://www.us-cert.gov/cas/techalerts/TA09-020A.html
http://www.symantec.com/security_response/writeup.jsp?docid=2008-042106-1847-99&tabid=2