USB flash drive viruses are currently rampant. Almost every infected drive carries an autorun.inf in its root directory, and the drive's right-click menu gains entries such as "AutoPlay", "Open" and "Explore". Users are used to double-clicking a drive to open it, but on an infected drive the double-click no longer opens the drive: it launches the program named in autorun.inf. This causes a great deal of trouble for many people.
Faced with this danger, it is hard to tell from Explorer alone whether a removable disk is infected, so some people have built "immunization" tools out of their own experience.
Immunization methods for removable disks and hard disks
1. A directory with the same name
In Windows a directory is a special kind of file, and two files in the same directory cannot share a name. Creating a directory named autorun.inf in the root of a removable disk therefore stops early viruses that never considered this case from writing their own autorun.inf, reducing the chance of successful propagation.
2. A directory with an invalid name under autorun.inf
Some viruses added fault-tolerance code that tries to delete an existing autorun.inf directory before creating the autorun.inf file. The Win32 subsystem of Windows NT allows a directory name such as "filename.." to exist, but for compatibility with the DOS/Win9x 8.3 naming rules such a name is treated as invalid: the standard Win32 directory query functions fail on it with an error and return no contents. Deleting a directory, however, requires removing the whole tree step by step, which means enumerating the contents of every subdirectory. Creating a special directory inside autorun.inf with the command MD x:\autorun.inf\yksoft..\ therefore prevents the autorun.inf directory from being deleted easily. Similarly, using the Native API to create directories with DOS reserved device names (such as con, lpt1 and prn) achieves the same purpose.
3. NTFS permission control
Virus writers are hackers too, and they know this Windows bug-turned-feature. They can scan the directory, notice that the last byte of a directory name is ".", and then reach it through the "\\?\dirfullname.." path form, or they can use the file system functions of the Windows NT Native API to delete this special directory directly.
Hence a method based on permission control at the lower file system level emerged. Format the USB flash drive or mobile hard disk as NTFS, create the autorun.inf directory, and give no user any permission on it: a virus can then neither delete it nor even list it. This method does not work for devices that do not normally support NTFS, such as music players.
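The three steps above, put together as a cmd.exe batch file. This is an added example, not the immunization tool the page refers to; the script name usbimmune.bat, the drive-letter argument convention and the list of autorun.inf keys it greps for are assumptions. It first refuses to run if an autorun.inf file (the infection marker) is already present, then creates the autorun.inf directory, the "yksoft.." trap inside it, and either an NTFS deny ACL or, on FAT, the system/hidden/read-only attributes.

```batch
@echo off
rem usbimmune.bat -- added example implementing the three immunization steps.
rem Not the page's own tool; the script name and argument convention are assumed.
rem Usage (cmd.exe, elevated prompt recommended):  usbimmune.bat F:
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<drive^>   e.g. %~nx0 F:
    exit /b 1
)
set "ROOT=%~1"
if not exist "%ROOT%\" (
    echo Drive %ROOT% is not accessible.
    exit /b 1
)

rem -- Check first: an autorun.inf FILE in the root is the infection marker.
rem    open=, shellexecute= and shell\...\command= are the keys that hijack
rem    the double-click or add menu entries; icon= is the key the ANI trick
rem    abuses (list of keys constructed for this example).
if exist "%ROOT%\autorun.inf\" goto :haveDir
if exist "%ROOT%\autorun.inf" (
    echo [!] %ROOT%\autorun.inf exists as a file - probable infection.
    echo     Lines worth a look:
    findstr /i /r "^[ ]*open= ^[ ]*shellexecute= ^[ ]*icon= ^[ ]*shell\\" "%ROOT%\autorun.inf"
    echo     Inspect it in a text editor and remove it before immunizing.
    exit /b 2
)

rem -- Step 1: occupy the name with a directory.
md %ROOT%\autorun.inf || exit /b 3
:haveDir

rem -- Step 2: a sub-directory whose name ends in ".." so that ordinary Win32
rem    enumeration, and therefore a recursive delete, fails on it. The trailing
rem    backslash matters: without it Win32 path normalization strips the
rem    trailing dots and a plain "yksoft" directory is created instead.
md %ROOT%\autorun.inf\yksoft..\ 2>nul

rem -- Step 3: on NTFS deny every right to Everyone (SID S-1-1-0, so the
rem    command does not depend on the display language); on FAT fall back to
rem    system+hidden+read-only attributes. fsutil needs an elevated prompt;
rem    if it fails, the FAT branch is taken, which is the safe default.
fsutil fsinfo volumeinfo %ROOT% 2>nul | find "NTFS" >nul
if errorlevel 1 goto :fat
icacls %ROOT%\autorun.inf /inheritance:r /deny *S-1-1-0:(OI)(CI)F >nul
echo [+] %ROOT%\autorun.inf immunized - NTFS, Everyone denied all access.
goto :end
:fat
attrib +s +h +r %ROOT%\autorun.inf
echo [+] %ROOT%\autorun.inf immunized - FAT, yksoft.. trap plus s/h/r attributes.
:end
endlocal
```

To undo it, reset the ACL as the owner or an administrator with icacls X:\autorun.inf /reset and then remove the tree with rd /s /q \\?\X:\autorun.inf. That second command is exactly the "\\?\" path form mentioned in step 3, which is why steps 1 and 2 alone do not stop a virus whose author knows it.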
These three tricks are clever. But the biggest problem is not how to stop autorun.inf from being created; it is the vulnerabilities of the system itself and of Explorer. Virus writers will soon build stronger attacks, and this is what I expect:
1. Combining the ANI vulnerability. The icon entry of autorun.inf is pointed at an exploit file for the ANI vulnerability (in my experiments I found that Windows still parses the file as a cursor even after its .ani extension is renamed to .ico), so that merely opening "My Computer" compromises an unpatched system with no anti-virus software. Such files can also be planted in the ISO images shared on various online resource sites.
2. Raising the overall programming level of the virus and building in countermeasures to the immunization methods above. In addition, most Windows users in China routinely log on with a highly privileged account, so the virus can simply take ownership of the autorun.inf directory, grant itself read, write and delete permission, and break through this strongest bastion.
Basic protection methods
There are not many remedies for such terrible things, but they are in fact the basic remedies for all Windows security problems:
Keep the system and security software up to date. Even for users of pirated copies, Microsoft has never withheld important security updates, nor has it ever bundled anti-piracy programs into important security updates.
Use the system and access the Internet with a restricted account as far as possible; this reduces the chance of a virus getting into the system. Vista added UAC precisely so that users can enjoy the safety of a restricted user while keeping things as convenient as possible.
To some extent, QQ accounts, IE and in-game equipment can all be turned into real money, and money is the true motive of many virus and Trojan writers. Using an IE vulnerability, one can build a web Trojan, install an account-stealing program, steal accounts and cash them in for RMB. In this black industry chain, IE is actually the easiest link to cut. Take care of the system: keep it updated and use anti-virus software that can block web Trojans. When using IE, stay away from small download sites, pornographic sites and other high-risk sites. If possible, use a browser with a non-IE engine.
Malicious bundled software is getting closer and closer to virus Trojans. The FSD hook self-protection of some malware may be used by viruses to protect themselves (as in the Sony XCP incident), and some malware is itself a downloader for virus Trojans. So do not let rogue software near your machine.