Autorun infections - detection

Dear Avast Forum Users and Gurus,

Could you please provide your recommendation on how to test for an ‘autorun’ infection?

I don’t suspect an infection on my own computer. However, I am indeed curious, with all the hype surrounding pen-drive and USB memory stick infections recently.

Scans with the latest updates for Avast, MBAM, Superantispyware, ZA Anti-spyware, HJT, Spybot’s Rootalyzer, Blacklight and Spybot haven’t detected anything.

Are there any other useful applications or programs to detect an autorun infection? Are there any files one can look at (eg. in the C:\ directory) to ascertain quickly whether there is any suspicion?

Browsing this forum and Google produced a lot of options.

However I know I can rely on the Avast Gurus here. They always provide fast, well-informed and friendly advice!

Thanks a lot in advance!

Avastfan1

C:\autorun.inf and C:\autorun.exe (maybe hidden) could be ones.
It seems that you’re clean. What are the symptoms?

Hi Tech,

Thank you for the response. As far as I know I don’t have any infection symptoms. Rather I was just curious to see whether one can check certain areas (eg. autorun.inf) as you suggested.

A quick search located autorun.inf in the following directories:
C:\IBMTOOLS\APPS\DVDPLAY
C:\IBMTOOLS\APPS\NORTONAV
C:\IBMTOOLS\DRIVERS\VIDEO
C:\Program Files\HP\Digital Imaging{49FB3…}
C:\Program Files\HP\Digital Imaging{5B79C…}

I uploaded each file to virustotal.com and selected re-check file. No results of infection at all were detected.

Note: I also selected ‘show hidden and system files’ in Window$ Explorer.

Do you know of any programs which can also detect such infections? For example there are specialist rootkit programs which can detect rootkits.

Thanks Tech!!!

Avastfan1
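Avastfan1’s check above (locate every autorun.inf, then inspect it) can be scripted. The following is an added example, not code from the forum thread or from any of the scanners mentioned: it parses the [autorun] section the way the shell reads it (case-insensitive keys, comments ignored) and reports only the entries that would make Explorer launch a program, which is what separates a vendor CD image (icon= and label= only) from a drive-infecting file. The two sample files are constructed for this example, and the set of keys flagged as “launching” is this example’s own assumption.

```python
"""Triage autorun.inf files found on drive roots or in program directories."""
import os
from typing import Dict, List

# Keys that make Explorer run a program when the drive is inserted or opened.
# Assumption of this example: this is the set worth flagging; the thread lists none.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample resembling a legitimate vendor autorun.inf (icon and label only).
BENIGN_INF = """[autorun]
icon=setup.ico
label=Vendor Tools
"""

# Constructed sample in the style of a drive-infecting autorun.inf; not a real file.
SUSPICIOUS_INF = """; every entry below points at a program on the drive itself
[AutoRun]
open=hidden_dir\\example_dropper.exe
shellexecute=hidden_dir\\example_dropper.exe
shell\\open\\Command=hidden_dir\\example_dropper.exe
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a dict with lowercase keys (empty if absent).

    Hand-rolled rather than configparser so that junk lines, which some worms
    pad the file with, are skipped instead of raising.
    """
    section = None
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def assess(text: str) -> List[str]:
    """List every entry that would cause a program to be launched."""
    entries = parse_autorun(text)
    findings = []
    for key in LAUNCH_KEYS:
        if key in entries:
            findings.append(f"{key}= launches: {entries[key]}")
    # shell\<verb>\command= adds or overrides a context-menu verb.
    for key, value in entries.items():
        if key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            findings.append(f"context-menu verb '{verb}' runs: {value}")
    # shell=<verb> makes that verb the double-click default.
    if entries.get("shell"):
        findings.append(f"default verb set to '{entries['shell']}' (double-click runs it)")
    return findings


def launches_program(text: str) -> bool:
    """True if the file does anything beyond setting an icon or label."""
    return bool(assess(text))


def scan_roots(roots: List[str]) -> Dict[str, List[str]]:
    """Read autorun.inf from each given directory (e.g. drive roots) and triage it."""
    report: Dict[str, List[str]] = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, encoding="latin-1", errors="ignore") as fh:
                report[path] = assess(fh.read())
    return report


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_INF), ("suspicious", SUSPICIOUS_INF)):
        print(name, "->", assess(sample) or "icon/label only")
    # On a Windows machine: scan_roots(["C:\\", "D:\\", "E:\\"])
```

A file that only sets icon= and label=, as in the IBMTOOLS and HP directories listed above, produces no findings; a file that points open= or a shell verb at an executable living on the drive itself is what to upload to VirusTotal or hand to a scanner. Run scan_roots over the drive letters of any removable media with ‘show hidden and system files’ enabled, as Avastfan1 did, because the referenced executable is usually hidden.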

Hi Avastfan1,

We had an in-depth discussion of the protection against these forms of malware (approx. 10% of the known malware is autorun-infection related, just like the floppy infections for Win 95 and 98 in former days) here: http://forum.avast.com/index.php?topic=42967.0

Microsoft only addressed this feature fully where their new OS Vista is concerned.
My view on the matter is that one only needs autorun/autoplay for starting CDs and for games etc., and not for pendrives, network shares etc. Microsoft still considers this sometimes dangerous feature (malware executables run under autorun) a “user’s choice”, but the underlying registry settings can be so complicated that it cannot be left to the average user to decide. They should have taken this out of the hands of the user a long time ago, but again “click and play ease” has won over security; they are gradually starting to rethink this credo.

NoDriveTypeAutoRun values
That Autorun.inf files are being evaluated despite the fact that NoDriveTypeAutoRun prescriptions are different can be shown as follows. According to recent Microsoft documents (http://support.microsoft.com/kb/953252) the following bit values go with NoDriveTypeAutoRun (values should be added up to reach the desired total value):

bit 0 (value = 0x01) Disables AutoPlay on drives of unknown type
bit 1 (value = 0x02) unknown/not used?
bit 2 (value = 0x04) Disables AutoPlay on removable drives
bit 3 (value = 0x08) Disables AutoPlay on fixed drives
bit 4 (value = 0x10) Disables AutoPlay on network drives
bit 5 (value = 0x20) Disables AutoPlay on CD-ROM drives
bit 6 (value = 0x40) Disables AutoPlay on RAM disks
bit 7 (value = 0x80) Disables AutoPlay on drives of unknown type

Meaning an XP SP2 and SP3 default value of 0x91 is standard AutoPlay (or AutoRun; the difference between both terms is bleak) with only network drives off; this still lets worms spread! Conclusion: it does not make sense to try to stop these worms under XP or older by tweaking with the policy editor or registry editor until MS fully patches Shell32.dll, which was only done with software for Vista!

So protect through Flash Disinfector and leave the file created on the drive for protection:
http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe

polonus
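The bit table polonus quotes is easier to reason about when decoded mechanically. The following is an added example, not polonus’s code or Microsoft’s: it turns a NoDriveTypeAutoRun value into the list of drive types whose AutoPlay it disables, using exactly the bit meanings from the table above, and shows why the XP default of 0x91 leaves removable (USB) drives enabled while 0xFF does not. The optional registry read uses the Policies\Explorer key named in KB 953252 and returns None when not run on Windows; the constant names are this example’s own.

```python
"""Decode and compose the NoDriveTypeAutoRun bitmask from the table in the post."""
from typing import List, Optional

# Bit meanings exactly as listed in the post (Microsoft KB 953252).
NO_DRIVE_TYPE_AUTORUN_BITS = {
    0x01: "drives of unknown type",
    0x02: "unknown/not used",
    0x04: "removable drives",
    0x08: "fixed drives",
    0x10: "network drives",
    0x20: "CD-ROM drives",
    0x40: "RAM disks",
    0x80: "drives of unknown type (bit 7)",
}

# Named bits for the checks below (names are this example's own).
REMOVABLE = 0x04
NETWORK = 0x10
XP_DEFAULT = 0x91   # value the post gives for XP SP2/SP3
DISABLE_ALL = 0xFF  # every bit set


def disabled_drive_types(value: int) -> List[str]:
    """Drive types for which AutoPlay is off under this value, in bit order."""
    return [desc for bit, desc in sorted(NO_DRIVE_TYPE_AUTORUN_BITS.items()) if value & bit]


def autoplay_enabled(value: int, drive_bit: int) -> bool:
    """True if AutoPlay is still active for the given drive type."""
    return not (value & drive_bit)


def compose(*drive_bits: int) -> int:
    """Build a value from individual bits (the 'add them up' in the post)."""
    total = 0
    for bit in drive_bits:
        total |= bit
    return total


def read_policy_value(hive: str = "HKCU") -> Optional[int]:
    """Read NoDriveTypeAutoRun from the Explorer policy key; None if absent or not on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    root = winreg.HKEY_CURRENT_USER if hive == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    try:
        with winreg.OpenKey(root, r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer") as key:
            value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
            return int(value)
    except OSError:
        return None


if __name__ == "__main__":
    for value in (XP_DEFAULT, DISABLE_ALL, read_policy_value() or XP_DEFAULT):
        print(f"0x{value:02X} disables AutoPlay on: {disabled_drive_types(value)}")
        print(f"   removable drives still autoplay: {autoplay_enabled(value, REMOVABLE)}")
```

Decoding 0x91 gives bits 0, 4 and 7, so network drives are covered but removable drives are not, which is the gap the post describes. Note that the post’s conclusion also stands after decoding: on unpatched XP the value is only half the story, because Shell32.dll still evaluated the Autorun.inf regardless, so checking this value is a configuration audit, not proof of protection.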

avast itself :wink:

I suggest you visit this page http://www.antirootkit.com/software/index.htm for antirootkit detection, removal & protection.
Comparison test here: http://www.informationweek.com/software/showArticle.jhtml?articleID=196901062&pgno=1&queryText=