Steve Riley on Security : Autorun: good for you?

Steve Riley on Security : Autorun: good for you? — Wed, 31 Oct 2007 01:19:50 GMT

PingBack from http://blogs.technet.com/steriley/archive/2007/09/22/autorun-good-for-you.aspx

re: More on Autorun

Nick Brown — Wed, 31 Oct 2007 11:46:57 GMT

Hi Steve - Nick Brown here, the author of the above-linked blog entry.

I'm skeptical about the impact of systematically deleting MountPoints2. In our experience of fighting memory stick worms, this is necessary but not sufficient. We are not sure what *would* be sufficient, but on general principles, if there's one unknown registry key (googling for "MountPoints2" is remarkably unproductive), I would not be too amazed if there were others.

Turning off Autorun using IniFileMapping is instantaneous, reversible (OK, you need to reboot after you delete the entry), and has precisely definable side-effects. For a busy system administrator, that's three for three...

Nick

PS: Can you change my name from Mike to Nick please? :-))

re: More on Autorun

Daniele Muscetta — Wed, 31 Oct 2007 13:50:23 GMT

I don't know if such a "tool" exists, but it should be pretty easy to do with a line of powershell...

that is, assuming it is "safe" (=does not crashes or breaks anything else... since I see it contains also the "C" drive for example...) to delete everything under MountPoints2....

re: More on Autorun

Panagis — Wed, 31 Oct 2007 16:52:36 GMT

In areas where this kind of attack is relevant, I have applied a GPO that uses Software restriction policies to block execution of any file from any drives that have a drive letter except C:

It has worked really well so far!

re: More on Autorun

Nick Brown — Wed, 31 Oct 2007 19:07:37 GMT

When we were still trying to get "deleting stuff under MountPoints2" to work, I wrote a BAT file to do it, on a remote PC, and without deleting the keys for drive letters A-F, "in case they actually do something". It uses REG.EXE and REGDMP.EXE, and a bit of FOR /F parsing. (I'd love to know what the "CPC" key is for. It has its own 5 or 6 {hexmumble} subkeys.)

Actually I don't think it's a big deal to delete the whole MountPoints2 key. It's per-user, so the first time a user logs on it gets default values for C (etc) anyway. We treat per-user registry data as extremely disposable. But again, as far as we can tell, deleting MountPoints2 is not sufficient for all worms of this type.

Unfortunately, per-user registry data is harder to keep track of in a big network environment. People create local accounts on the PC, their roaming profiles get reset, etc etc.

Something else to worry about: if you have a big shared drive with 500 people accessing it via a mapped drive letter and just one person's infected memory stick creates an Autorun.inf file in there, you can have 500 copies of the virus running by close of business. Panagis' idea looks good to block that too, as long as this shared drive is not also hosting software...

re: More on Autorun

Panagis — Thu, 01 Nov 2007 07:28:09 GMT

Nick - I am running McAfee's VirusScan on all my servers and it has a rule to block the creation of 'autorun.inf' files remotely, meaning any clients connecting to a shared drive on my servers cannot create such a file. You can use that ability to block other file types or you can use FSRM (assuming you're running R2 on your servers) to block file types as well.

re: More on Autorun

Nick Brown — Thu, 01 Nov 2007 11:25:02 GMT

>>a rule to block the creation of 'autorun.inf'

>>files remotely

That sounds like a nice feature. However, we don't run commercial anti-virus software on any of our PCs or servers (apart from real-time checks of incoming content at the SMTP server and Web proxy ), so that's not an option for us.

If I get time to develop my blog, its major theme will be how you can (and/or why you should) run a big Windows network without anti-virus software. I've been developing my own solutions since 1991 and in that time, I think I can honestly say that on our network - now 1800 PCs - we have never lost a single document to malware.

re: More on Autorun

kgv — Fri, 04 Jan 2008 21:44:17 GMT

While there's been discussion of the weaknesses of NoDriveTypeAutorun, I haven't seen any critiques of NoDriveAutoRun. Setting this to 0xffffffff appears to obviate the need for iterating over MountPoints2 (thus making application much easier).

re: More on Autorun

H. Carvey — Tue, 08 Jan 2008 04:21:58 GMT

This is an interesting thread...can someone explain how deleting the MountPoints2 keys from a user's profile affects the spread of USB worms...

Thanks,

Harlan

re: More on Autorun

Andrey — Tue, 08 Jan 2008 17:13:44 GMT

>can someone explain how deleting the MountPoints2

>keys from a user's profile affects the spread of USB

>worms...

The deleting of MountPoints2 keys doesn`t help in any situation, for example, in a case when the worm is already in memory.

In my situation I have my computer at work infected with some virus because it doesn`t let me to open any drive by double-clicks. Though I deleted MountPoints2 subkeys 2 or 3 times, after rebooting everything comes back - some MountPoints subkeys with Auto key in everyone which is calling bittorrent.exe or activexdebugger32.exe. I tried to run fresh Panda Internet Security 2007, but it didn`t find anything at all.

Cloud anybody tell me what I should do in my situation? I am sure one day I would discover that my projects disappeared and my disk is completely damaged by viruses!

Thanks!

Throw away your digital picture frames

Steve Riley on Security — Tue, 19 Feb 2008 06:36:52 GMT

Surely time itself has warped and it's suddenly April 1st. Come on, if you read the following, wouldn't

re: More on Autorun

bil — Fri, 16 Jan 2009 06:58:37 GMT

I am experiencing the same problems with a virus that is running under the name sevice.exe It is called by autorun.inf and it infects every drive it comes in contact with. So the virus is being renamed or issued by some people, it is a very nice thread about what to do to stop it. There are several places in all your physical drives where it is such as

c:/windows/system32/your virus.exe

c:/program files/common files/Microsoft Shared/MSInfo/yourvirus.exe

but you better do something to protect you computers or next time you stick your infected drive into your computer, you will have to do it all over again.

re: More on Autorun

Just me — Mon, 09 Feb 2009 18:09:11 GMT

found this site, when searching for "registry mountpoints2".

Since few months i have some weird errors, when clicking on Drive P: (network drive).

The error is something with xiao.vbs (some kind of trojan or whatever)

Tried all kind of removers (like ATF-cleaner, Look2me destroyer and smitfraudfix). But nothing helps, mountpoints2 still comes back.

And funny thing is, no one can find the xiao.vbs on network drivers/ usb drivers and my local computer.

re: More on Autorun

Tim J. — Sat, 21 Feb 2009 06:40:34 GMT

I just found a 0-day worm that puts 'smss.exe' into a "system32 " (note the space after the system32). It creates this 2nd folder and then intercepts the exefile key so when you delete it, you can't run any .exe files... Nice. I was able to successfully disable & remove it. BTW it has a cute pink squid as an icon and is 416K in size. The normal smss.exe is about 50K.

re: More on Autorun

Bohemian — Thu, 26 Feb 2009 23:24:23 GMT

I deleted Mountpoints2 in my registry and BAM! In an instant I was able to normally get into my Local Disk E without an error message.

re: More on Autorun

DaNoze — Tue, 03 Mar 2009 20:18:29 GMT

I just ran into the same worm that Tim J. reported Feb 20, 2009. Is it from USB drives or some other source? Anyone know?

re: More on Autorun

tower defense — Wed, 08 Apr 2009 05:18:56 GMT

I am running McAfee's VirusScan on all my servers and it has a rule to block the creation of 'autorun.inf' files remotely, meaning any clients connecting to a shared drive on my servers cannot create such a file. You can use that ability to block other file types or you can use FSRM assuming you're running R2 on your servers to block file types as well.

re: More on Autorun

sunkumarspace — Sun, 12 Apr 2009 11:12:00 GMT

auto run disable should be done thanks

re: More on Autorun

Ashraf — Tue, 05 May 2009 13:17:27 GMT

How I delete INF/Autorun.gen trojen

re: More on Autorun

Ashraf — Tue, 05 May 2009 13:21:07 GMT

how i Clean my computer from INF/Autorun.gen trojen

re: More on Autorun

Ashraf — Tue, 05 May 2009 13:25:09 GMT

how i feedback appear right away please tell me?

re: More on Autorun

club penguin — Fri, 15 May 2009 15:51:30 GMT

I have my computer at work infected with some virus because it doesn`t let me to open any drive by double-clicks. Though I deleted MountPoints2 subkeys 2 or 3 times, after rebooting everything comes back, some MountPoints subkeys with Auto key in everyone which is calling bittorrent.exe or activexdebugger32.exe.

re: More on Autorun

meen — Mon, 18 May 2009 19:38:00 GMT

thanx very much. it did worked

re: More on Autorun

Baby Boutique — Sat, 06 Jun 2009 14:52:09 GMT

Thanks for the heads up, I think Autorun may cause more problems than you are suggesting. I never knew how to turn it off before so thank you very much.

RE: Club Penguin - I also cannot double click open any drives on my computer, I never thought it was a virus though. Will investigate further now