More on Autorun

Last month, in my post "Autorun: good for you?" I described why I believe you should disable Autorun on all computers in your organization. I also explained how you can do this for XP and Vista computers.

Well, it turns out that Windows will override this setting if you insert a USB drive that your computer has already seen. I received an email from Susan Bradley that links to an article on Nick Brown's blog, "Memory stick worms." Nick mentions the MountPoints2 registry key, which keeps track of all USB drives your computer has ever seen. I'll admit, I didn't know this existed! I'm glad Nick wrote about it, though.

Nick also includes a little hack that effectively disables all files named "autorun.inf." Interesting, but something in me prefers to make Windows just plain forget about all the drives it's seen. So now I will amend my instructions. In addition to what I wrote earlier, you should also write a small script, and execute it through group policy, that deletes the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

When I searched for it in my registry, I also found a few others, so maybe you'd want something that would search through the registry and delete them all, although I don't know if such a tool exists -- I've never had a need to look for something like that.
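One way to do the search-and-delete described above, as an added PowerShell example rather than code from the original post: it walks the current user's hive for every key named MountPoints2, exports each one to a .reg file so the deletion can be audited or undone, then removes it. It assumes it runs as the user whose hive is being cleaned (for instance as a group policy logon script); the backup folder is an assumed location, and -WhatIf gives a dry run.

```powershell
<#
Added example, not code from the original post. Finds every MountPoints2
key under the current user's hive, backs each one up with reg.exe, and
deletes it so Windows forgets the removable drives it has seen.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string] $SearchRoot = 'HKCU:\Software',                 # subtree to scan
    [string] $BackupDir  = "$env:TEMP\MountPoints2-backup"   # assumed location
)

if (-not (Test-Path $BackupDir)) {
    New-Item -Path $BackupDir -ItemType Directory | Out-Null
}

# The usual location is ...\CurrentVersion\Explorer\MountPoints2, but the
# post notes that other copies turn up, so search the subtree recursively
# and keep only keys whose leaf name is MountPoints2.
$keys = Get-ChildItem -Path $SearchRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'MountPoints2' }

$i = 0
foreach ($key in $keys) {
    $i++
    $winPath = $key.Name                 # e.g. HKEY_CURRENT_USER\Software\...\MountPoints2
    $subkeys = $key.GetSubKeyNames()     # one subkey per drive/volume Windows has seen
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup  = Join-Path $BackupDir ("MountPoints2-{0}-{1}.reg" -f $stamp, $i)

    Write-Verbose ("{0}: {1} subkeys ({2})" -f $winPath, $subkeys.Count, ($subkeys -join ', '))

    if ($PSCmdlet.ShouldProcess($winPath, "Export to $backup and delete key")) {
        # Keep an undo copy before deleting; /y overwrites an existing file silently.
        & reg.exe export $winPath $backup /y | Out-Null
        Remove-Item -Path $key.PSPath -Recurse -Force
    }
}
```

Because the key is per-user, Windows recreates default entries for the fixed drives at the next logon (as Nick Brown notes in the comments), so run it at each logon rather than once.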

Published 30 October 07 03:12 by Steve Riley

Comments


# Nick Brown said on October 31, 2007 4:46 AM:

Hi Steve - Nick Brown here, the author of the above-linked blog entry.

I'm skeptical about the impact of systematically deleting MountPoints2.  In our experience of fighting memory stick worms, this is necessary but not sufficient.  We are not sure what *would* be sufficient, but on general principles, if there's one unknown registry key (googling for "MountPoints2" is remarkably unproductive), I would not be too amazed if there were others.

Turning off Autorun using IniFileMapping is instantaneous, reversible (OK, you need to reboot after you delete the entry), and has precisely definable side-effects.  For a busy system administrator, that's three for three...

Nick

PS: Can you change my name from Mike to Nick please? :-))

# Daniele Muscetta said on October 31, 2007 6:50 AM:

I don't know if such a "tool" exists, but it should be pretty easy to do with a line of powershell...

that is, assuming it is "safe" (=does not crash or break anything else... since I see it also contains the "C" drive for example...) to delete everything under MountPoints2....

# Panagis said on October 31, 2007 9:52 AM:

In areas where this kind of attack is relevant, I have applied a GPO that uses Software restriction policies to block execution of any file from any drives that have a drive letter except C:

It has worked really well so far!

# Nick Brown said on October 31, 2007 12:07 PM:

When we were still trying to get "deleting stuff under MountPoints2" to work, I wrote a BAT file to do it, on a remote PC, and without deleting the keys for drive letters A-F, "in case they actually do something".  It uses REG.EXE and REGDMP.EXE, and a bit of FOR /F parsing.  (I'd love to know what the "CPC" key is for.  It has its own 5 or 6 {hexmumble} subkeys.)

Actually I don't think it's a big deal to delete the whole MountPoints2 key.  It's per-user, so the first time a user logs on it gets default values for C (etc) anyway.  We treat per-user registry data as extremely disposable.  But again, as far as we can tell, deleting MountPoints2 is not sufficient for all worms of this type.

Unfortunately, per-user registry data is harder to keep track of in a big network environment.  People create local accounts on the PC, their roaming profiles get reset, etc etc.

Something else to worry about: if you have a big shared drive with 500 people accessing it via a mapped drive letter and just one person's infected memory stick creates an Autorun.inf file in there, you can have 500 copies of the virus running by close of business.  Panagis' idea looks good to block that too, as long as this shared drive is not also hosting software...

# Panagis said on November 1, 2007 12:28 AM:

Nick - I am running McAfee's VirusScan on all my servers and it has a rule to block the creation of 'autorun.inf' files remotely, meaning any clients connecting to a shared drive on my servers cannot create such a file. You can use that ability to block other file types or you can use FSRM (assuming you're running R2 on your servers) to block file types as well.

# Nick Brown said on November 1, 2007 4:25 AM:

>> a rule to block the creation of 'autorun.inf' files remotely

That sounds like a nice feature.  However, we don't run commercial anti-virus software on any of our PCs or servers (apart from real-time checks of incoming content at the SMTP server and Web proxy), so that's not an option for us.

If I get time to develop my blog, its major theme will be how you can (and/or why you should) run a big Windows network without anti-virus software.  I've been developing my own solutions since 1991 and in that time, I think I can honestly say that on our network - now 1800 PCs - we have never lost a single document to malware.

# kgv said on January 4, 2008 1:44 PM:

While there's been discussion of the weaknesses of NoDriveTypeAutorun, I haven't seen any critiques of NoDriveAutoRun. Setting this to 0xffffffff appears to obviate the need for iterating over MountPoints2 (thus making application much easier).

# H. Carvey said on January 7, 2008 8:21 PM:

This is an interesting thread...can someone explain how deleting the MountPoints2 keys from a user's profile affects the spread of USB worms...

Thanks,

Harlan

# Andrey said on January 8, 2008 9:13 AM:

> can someone explain how deleting the MountPoints2 keys from a user's profile affects the spread of USB worms...

Deleting the MountPoints2 keys doesn't help in every situation, for example when the worm is already in memory.

In my situation I have my computer at work infected with some virus because it doesn't let me open any drive by double-clicking. Though I deleted the MountPoints2 subkeys 2 or 3 times, after rebooting everything comes back - some MountPoints subkeys with an Auto key in each one which is calling bittorrent.exe or activexdebugger32.exe. I tried to run fresh Panda Internet Security 2007, but it didn't find anything at all.

Could anybody tell me what I should do in my situation? I am sure one day I would discover that my projects disappeared and my disk is completely damaged by viruses!

Thanks!

# Steve Riley on Security said on February 18, 2008 10:36 PM:

Surely time itself has warped and it's suddenly April 1st. Come on, if you read the following, wouldn't
