How Microsoft did not prevent the spreading of worms.....

Hi malware fighters,

I must say that I was shocked when I read the following: worms like Conficker (Downadup) can spread so easily and successfully through network shares because of an existing bug in Shell32.dll. Microsoft knows/knew about this bug, and developed a patch for it half a year ago, but thought it was not necessary to implement it for Windows XP, Windows 2003 Server or older as a security patch within the monthly patch cycle (they only did that for Vista through MS08-038, re: http://www.microsoft.com/technet/security/bulletin/ms08-038.mspx).

NoDriveTypeAutoRun

The bug is found in how the registry value “NoDriveTypeAutoRun” is being processed (this is a “REG_DWORD” value that as a standard is found for every user under the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, and does not exist system-wide by default). The buggy version of Explorer (actually Shell32.dll) only looks for the registry value when mounting a drive, when a pendrive is being inserted for instance, or when mapping a network drive to a certain drive letter; then it will all work as could be expected.
Only if one double-clicks the drive inside Explorer to open it, or right-clicks it and chooses “Open” or “Explore”, in that case Explorer will no longer check “NoDriveTypeAutoRun” but check the contents of an Autorun.inf file in the root of the drive and evaluate this. Depending on what the contents of Autorun.inf are, it is completely possible to automatically execute a file - and bingo!
So here we have found the real crux of the problem.

AutoRunSettings is a free tool: http://www.uwe-sieber.de/drivetools_e.html#autorun to adapt the registry settings manually.

Importing the following into the registry is also a good alternative for XP SP3, i.m.o.:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

If you want to disable this functionality/feature completely, go here for a tool: http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html

Stay safe and secure, you all,

polonus

Hi malware fighters,

Here I get support for the thesis that Microsoft does give the right advice on autorun:
http://www.us-cert.gov/cas/techalerts/TA09-020A.html

polonus


Thanks for posting this information, Polonus.

The link in the second post will be helpful for those who might otherwise not understand.


MS now provides the necessary hotfix and advice for disabling AutoRun in support document KB953252. This is what’s suggested now in Tech Alert TA09-020A. Just scroll down to “Update:” in the tech alert. The procedure in KB953252 is now the recommended one. I’ve updated my computer with the hotfix and modified the Group Policy settings as instructed. The instructions are pretty easy to follow.
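
As an added example (not from this thread or from Microsoft), here is a read-only PowerShell audit of the three defences discussed above: the NoDriveTypeAutoRun value in HKCU and HKLM, the IniFileMapping redirect from the first post, and whether the KB953252 hotfix is installed. It assumes PowerShell 2.0 or later in an elevated session on the machine being checked.

```powershell
# Added example, not from the original thread: read-only audit of the
# AutoRun settings discussed above. Assumes PowerShell 2.0+ in an elevated
# session on the XP/2003 machine being checked; it changes nothing.

$results = @()

# 1. NoDriveTypeAutoRun: 0xFF disables AutoRun for every drive type.
#    Checked per user (HKCU) and machine wide (HKLM); the first post
#    notes the HKLM value does not exist by default.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $val) { $shown = '(absent)' } else { $shown = '0x{0:X2}' -f $val }
    $results += New-Object PSObject -Property @{
        Setting = "$hive NoDriveTypeAutoRun"
        Value   = $shown
        OK      = ($val -eq 0xFF)
    }
}

# 2. The IniFileMapping redirect from the first post: pointing Autorun.inf
#    at a non-existent key makes Explorer ignore every Autorun.inf.
$mapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$map = (Get-ItemProperty -Path $mapKey -ErrorAction SilentlyContinue).'(default)'
if ($null -eq $map) { $shown = '(absent)' } else { $shown = $map }
$results += New-Object PSObject -Property @{
    Setting = 'IniFileMapping\Autorun.inf'
    Value   = $shown
    OK      = ($map -eq '@SYS:DoesNotExist')
}

# 3. Hotfix KB953252 makes Explorer honor NoDriveTypeAutoRun on
#    double-click / Open / Explore too, closing the hole described above.
$fix = Get-HotFix -Id KB953252 -ErrorAction SilentlyContinue
if ($fix) { $shown = 'installed' } else { $shown = 'not found' }
$results += New-Object PSObject -Property @{
    Setting = 'Hotfix KB953252'
    Value   = $shown
    OK      = [bool]$fix
}

$results | Format-Table Setting, Value, OK -AutoSize
if ($results | Where-Object { -not $_.OK }) {
    Write-Warning 'AutoRun is not fully disabled on this machine.'
}
```

A machine where all three rows show OK = True has both the registry workaround and the hotfix in place; a False row points to which of the steps above is still missing.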

Hi Alan Baxter,

Thanks from all here for the heads-up on this essential hotfix, glad to apply,

polonus (for you also aka luntrus)

I am having one heck of a problem on my XP Pro SP3 system with Flash drives.

I can not see any of them when they are inserted.

I use USB Safely Remove and it complains it is visible but it can not be stopped nor removed.

I have tried un-installing USB Safely Remove but it makes no difference.

The Flash drives work fine on my XP Home SP3 system.