What is autorun.inf
Windows has two “features” called “autorun” and “autoplay”. Autoplay automatically reads removable media (CDs, DVDs, USB flash drives) and launches a program to play it (such as a media player for a video DVD or an audio CD). It is pretty harmless (unless your media-playing application has some security bugs). Autorun, however, is a bigger threat to computer security. When removable media is inserted, Windows looks for a file called “autorun.inf” in its root directory and follows its directions, like AUTOMATICALLY LAUNCHING AN EXECUTABLE FILE that is on that media. In the days of recordable CDs and USB flash drives, this has become a way for viruses to spread.
It all starts when you plug your flash drive into an infected computer. The virus on that computer creates a few files on your flash drive, and when you come home and plug the drive into your own computer, Windows automatically launches that virus. The exploit involves creating an autorun.inf file that adds a new default command to the USB flash drive’s context menu. In Windows XP, even if you receive the dialog and then cancel it, the program will be launched when you double-click the USB flash drive in My Computer. In Windows Vista, if you have “take no action” selected, the flash drive doesn’t automatically launch any programs when first inserted, but double-clicking the flash drive icon in My Computer will launch whatever command autorun.inf specifies (which the attacker has made the default command, in place of “Open”). Typically, an attacker could make a worm that (1) spreads itself to all your drives when launched in this manner and then (2) displays the drive contents in a window, as expected. This would make it appear that nothing unusual had happened.
The moral of this story is: don’t double-click your USB flash drive in My Computer or use the “Open folder to view files” option when you receive the autoplay dialogue, unless you are very sure that your USB flash drive is safe from viruses. There are many ways to overcome the autorun problem, such as disabling the autoplay and autorun features using the Windows registry. However, I prefer not to mess with the registry. There are some antivirus programs that can detect malicious autorun. For me, I use two methods: (1) deleting malicious files and autorun manually, and (2) using an application called AutorunEater. In my next post, I will show how to delete malicious files and autorun manually and give a little explanation of AutorunEater.
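As an added example (not part of the original post), here is one way to check the text of a drive's autorun.inf before opening the drive: a small Python parser that lists the entries that launch a program or set the default double-click command described above. The function name and the sample file contents are constructed for illustration.

```python
import re

# shell\<verb>\command=... adds <verb> to the drive's context menu.
SHELL_CMD = re.compile(r"^shell\\([^\\]+)\\command$")
LAUNCH_KEYS = {"open", "shellexecute"}  # keys that name a program to run

def audit_autorun(text):
    """Return (key, value, reason) findings for the text of an autorun.inf."""
    findings, verbs = [], {}
    section = default_verb = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue                               # only [autorun] matters here
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()                          # INF keys are case-insensitive
        if key in LAUNCH_KEYS:
            findings.append((key, value, "launches a program"))
        elif key == "shell":
            default_verb = value.lower()           # verb used on double-click
        elif SHELL_CMD.match(key):
            verbs[SHELL_CMD.match(key).group(1)] = value
    # Classify verbs after the loop: shell= may appear below the verb it names.
    for verb, command in verbs.items():
        reason = ("default double-click command" if verb == default_verb
                  else "extra context-menu command")
        findings.append((f"shell\\{verb}\\command", command, reason))
    return findings

# Constructed sample (not from a real drive); file names are placeholders.
SAMPLE = r"""
[autorun]
icon=drive.ico
OPEN=example.exe
shell\scan\command=example.exe
shell\tools\command=tools.exe
shell=scan

[other]
open=ignored.exe
"""

if __name__ == "__main__":
    for finding in audit_autorun(SAMPLE):
        print(finding)
```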