A summary of the attack and defense experience of Autorun.inf type U disk virus

Source: Internet
Author: User
Tags: copy, file system, query, win32, access, root directory, ntfs, permissions

"RavMonE.exe", "Rose.exe", "Sxs.exe", "Copy.exe", "setup.exe" ... The root directory of the mysterious Ghosts, system-safe killers, they are called "U disk virus." Countless Windows users are struggling for them. This article is a summary of their own research on U disk virus and the experience and lessons of the fight against U disk virus.

Every system since Windows 95 has an "Autorun" feature: when a volume is inserted, the Autorun.inf file on it is read, the volume's custom icon in Explorer and the context menu of the volume icon are set from it, and on some media the executable named in Autorun.inf is run automatically. After 2005, as all kinds of removable storage devices became popular, some domestic hackers wrote viruses that steal U disk contents and copy themselves onto the U disk, using Autorun.inf to spread. The well-known fake Ravmon, Copy+host, SxS, Viking, Panda Burning Incense and other famous viruses all spread this way. Sometimes they are mysterious ghosts in the root directory, sometimes a Recycle Bin that appears where it should not be; in short, they are a serious threat to system security.

Viruses use Autorun.inf in four different ways.

1. Open=filename.exe

Runs the file automatically. But for many XP SP2 and Vista users, Autorun has become AutoPlay: the file is not run automatically, and a window pops up asking what you want to do.

2. shell\auto\command=filename.exe

shell=auto

Modifies the context menu: the default entry is changed to launch the virus. But as soon as the user right-clicks the icon, the flaw is visible at once. A smarter virus changes the name of the default item, but if on a non-Chinese system you see garbled characters or Chinese in the right-click menu, what would you take it for?

3. shellexecute=filename.exe

With shellexecute= set, as soon as the ShellExecuteA/W function is called to open the root directory of the U disk, the virus runs automatically. This targets those who open the drive letter with Win+R.

4. shell\open=Open (&O)

shell\open\command=filename.exe

shell\open\default=1

shell\explore=Resource Manager (&X)

This form is more confusing and is a newer appearance. Nothing looks wrong in the right-click menu, but on a non-Chinese system it shows its true colours: garbled characters suddenly appear, and Chinese text certainly cannot escape notice.
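As an added example (not code from the original post), a small Python checker that parses the text of an autorun.inf and reports which of the four launch techniques above it uses, the default verb, and any verb label that would show up as garbage on a non-Chinese system. The sample file is constructed here and the executable name setup.exe is only a placeholder.

```python
import configparser

# Constructed sample autorun.inf combining techniques 2, 3 and 4 from the text;
# the executable name is a placeholder, not a real sample.
SAMPLE_AUTORUN_INF = r"""[autorun]
icon=folder.ico
shellexecute=setup.exe
shell=auto
shell\auto=打开(&O)
shell\auto\command=setup.exe
shell\open=Open(&O)
shell\open\command=setup.exe
shell\open\default=1
shell\explore=Resource Manager(&X)
"""

def analyze_autorun(text):
    """Launch keys in an autorun.inf body tagged with the technique number (1..4),
    plus the default verb and any non-ASCII verb label."""
    parser = configparser.RawConfigParser(strict=False, allow_no_value=True,
                                          delimiters=("=",))
    parser.optionxform = str          # keep key case; backslashes must survive
    parser.read_string(text)
    findings = {"launches": [], "default_verb": None, "non_ascii_labels": []}
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return findings
    for key, value in parser.items(section):
        k, value = key.lower(), (value or "").strip()
        if k == "open":                                   # technique 1
            findings["launches"].append((1, key, value))
        elif k == "shellexecute":                         # technique 3
            findings["launches"].append((3, key, value))
        elif k == "shell":                                # shell=auto
            findings["default_verb"] = value
        elif k.startswith("shell\\") and k.endswith("\\command"):
            verb = k[len("shell\\"):-len("\\command")]
            # Overriding the built-in Open/Explore verbs is technique 4;
            # a custom default verb such as "auto" is technique 2.
            technique = 4 if verb in ("open", "explore") else 2
            findings["launches"].append((technique, key, value))
        elif k.startswith("shell\\") and k.count("\\") == 1 and not value.isascii():
            findings["non_ascii_labels"].append((key, value))   # shell\verb=label
    return findings

def techniques_used(findings):
    """Sorted list of technique numbers seen, e.g. [2, 3, 4]."""
    return sorted({t for t, _, _ in findings["launches"]})
```

Feed it the contents of the root-directory autorun.inf of a suspect disk read as text; every entry in "launches" names a file that Explorer or ShellExecute would start.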

Faced with this danger, especially the fourth form, it is hard to tell just from Explorer itself whether a removable disk has been infected. So some people, drawing on their own experience, have made "immunization" tools.

Immunization methods (for removable disks and hard drives)

1. A directory with the same name

Under Windows a directory is a special kind of file, and two files in the same directory cannot have the same name. So creating a directory named "Autorun.inf" in the root directory of a removable disk prevents early viruses, which did not consider this, from creating an autorun.inf, reducing the probability of successful propagation.

2. An illegally named directory inside Autorun.inf

Some viruses add fault-tolerant code and try to delete the Autorun.inf directory before generating their own Autorun.inf.

Under the Win32 subsystem of Windows NT, directory names such as "filename." (ending in a dot) are allowed, but to stay compatible with the DOS/Win9x 8.3 file system (where nothing may follow the "."), a directory enumeration that goes straight through the standard Win32 API cannot query the contents of such a directory and returns an error. Deleting a directory, however, has to remove the whole tree under it step by step, so it must enumerate every subdirectory. Therefore a special directory is created inside "Autorun.inf", for example with "md x:\autorun.inf\yksoft...", so that the Autorun.inf directory cannot easily be deleted. Similarly, using the native API to create directories with DOS reserved names (con, LPT1, PRN and so on) achieves the same goal.

3. NTFS permission control

Virus makers are also hackers who know those Windows features that could be considered bugs. They can write a program that scans directories, notices that the last byte of a directory name is '.', and deletes the special directory by accessing "dirfullname." directly, or by going straight to the file system functions of the Windows NT native API.

As a result, methods based on lower-level file system permissions appeared. Format the U disk or mobile hard disk as NTFS, create the Autorun.inf directory, and set the directory so that no user has any permissions on it; the virus then not only cannot delete it, it cannot even list its contents.

However, this approach is not suitable for devices such as music players, which usually do not support NTFS.
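As an added example (not from the original post), Python that encodes the three immunization steps above: it reports why a trailing-dot or DOS-device directory name cannot be addressed through an ordinary Win32 path, builds the guard directory path with the \\?\ prefix that lets such a name be created, and denies all rights on the Autorun.inf directory with icacls. The drive letter, the "guard..." directory name and the use of icacls rather than cacls are my assumptions; the plan is only applied on Windows with execute=True.

```python
import os
import subprocess

# DOS device names the Win32 path layer intercepts even when an extension follows.
DOS_DEVICE_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                    | {f"COM{i}" for i in range(1, 10)}
                    | {f"LPT{i}" for i in range(1, 10)})

def win32_cannot_address(name):
    r"""Why an ordinary Win32 path (no \\?\ prefix) cannot reach `name`, or None."""
    stripped = name.rstrip(". ")
    if stripped != name:
        return f"trailing dots/spaces are stripped, Win32 looks for {stripped!r}"
    if name.split(".", 1)[0].upper() in DOS_DEVICE_NAMES:
        return "reserved DOS device name, Win32 opens the device instead"
    return None

def immunize_plan(drive, guard="guard..."):
    """Paths and commands for steps 1-3 above on `drive`; touches nothing."""
    root = drive.rstrip("\\") + "\\autorun.inf"            # step 1: same-name directory
    guard_path = "\\\\?\\" + root + "\\" + guard            # step 2: \\?\ keeps the dots
    commands = [["icacls", root, "/inheritance:r",         # step 3: no rights for anyone
                 "/deny", "Everyone:(OI)(CI)F"]]
    return [root, guard_path], commands

def immunize(drive, execute=False):
    """Apply the plan on Windows when execute=True; otherwise just return it."""
    paths, commands = immunize_plan(drive)
    if execute and os.name == "nt":
        for path in paths:
            os.makedirs(path, exist_ok=True)   # CreateDirectoryW honours the \\?\ prefix
        for command in commands:
            subprocess.run(command, check=True)
    return paths, commands

if __name__ == "__main__":
    for name in ["autorun.inf", "guard...", "con", "lpt1.log"]:
        print(f"{name!r}: {win32_cannot_address(name) or 'reachable'}")
    print(immunize("E:"))
```

Once Everyone is denied, even an administrator must take ownership before the ACL can be changed, which is exactly the weakness the next section anticipates; on a device that is not NTFS the icacls step fails and only steps 1 and 2 apply.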

Each of these three steps goes further than the last. But the biggest problem is not how to protect this autorun.inf; it is the fragility of the system itself and of Explorer. Virus writers will soon come up with more powerful schemes. This is what I expect:

1. Combining with the ANI vulnerability: set the icon in Autorun.inf to an ANI exploit file (in my experiments I found that Windows has a feature: even if the ANI file's extension is changed to ICO, it can still parse out the icon), so that merely opening "My Computer" on an unpatched system without antivirus causes direct harm. Such things can also be placed in the ISO images of all kinds of resources on the Internet.

2. Raising the overall programming level of the virus and combining all kinds of anti-immunization methods; in addition, taking advantage of the fact that most domestic Windows users run the system with high privileges, the virus automatically takes ownership of the Autorun.inf directory it has no rights to, adds read, write and delete permissions, and breaks the sturdiest fortress.

Faced with such terrible things, there are few ways to deal with them. But these few are the basic solution to all Windows security problems:

1. Be sure to keep the system and security software up to date. Even for users of pirated copies, Microsoft does not withhold important-level security updates, and it has never included an anti-piracy program in a critical-level security update.

2. Use a limited account for the system and the Internet as far as possible, which reduces the probability of a virus getting into the system. The reason Vista added UAC is to let users enjoy the security of a restricted user while staying as convenient as possible.

3. To some extent it can be said that QQ, IE and some equipment that can be turned into real money, in fact anything online that can be turned into real money, is the "root of all evil" behind the appearance of large numbers of virus and Trojan writers. Through IE vulnerabilities they make web Trojans, install account-stealing programs, steal accounts and get RMB. In this black industry chain, IE is in fact the easiest link to cut off. Cherish the system: keep it updated, have antivirus software that can block web Trojans, do not use IE to visit all kinds of small download sites, pornographic sites and other high-risk sites, and if possible use a browser with a non-IE engine.

4. Maliciously bundled software is now getting closer and closer to viruses and Trojans. Some rogue software's FSD-hook self-defense programs may be exploited by viruses to protect themselves (as in the Sony XCP incident), while some rogue software is itself a downloader for virus Trojans. So do not let rogue software anywhere near your machine.

The attack and defense war over Autorun.inf still continues and will only become more and more interesting, and netizens' security awareness will make breakthrough progress through the opposition and unity of attack and defense.


