How to get windows immune to autorun virus

Source: Internet
Author: User
Tags win32 ntfs permissions

At present, U disk virus is very serious situation, almost all with virus USB disk, the root directory has a autorun.inf. The right key menu has more "AutoPlay", "Open", "Browser" and other items. Because we are accustomed to using a double click to open the disk, but now we double-click, usually not open u disk, but let the program set up in the Autorun.inf automatically play. So it's quite troublesome for many people. In fact, there are 4 ways in which autorun.inf is used by viruses

Open=filename.exe run automatically. But for many XPSP2 users and Vista users, Autorun has become a autoplay, does not automatically run it, will pop up the window to say what you do.


Shell=auto Modify the context menu. Change the default entry to the start of the virus. But at this point as long as the user clicks on the icon right button, immediately found flaws. Smart virus will change the name of the default item, but if you find in a non-Chinese system under the right menu more garbled or Chinese, you will think what is it?

Shellexecute=filename.exeshellexecute= ..... Just call the SHELLEXECUTEA/W function to open a U disk root directory, the virus will automatically run. This is against those who use the win+r to open the letter.

Shellopen= Open (&o)

Shellopencommand=filename. Exe


Shellexplore= Resource Manager (&X) This is a new form of confusion. Right-click menu can not see a problem, but in the non-Chinese system, the true colours. Suddenly appear garbled, Chinese certainly difficult to escape the discernment.

In the face of this danger, especially the fourth, it is hard to tell whether a removable disk has been poisoned simply by relying on the explorer itself. In this case, some people also according to their own experience, made an "immune" tool.

Immune approach to removable disks and hard drives

1. Directory with same name

A directory is a special file under Windows, and two files in the same directory cannot have the same name. As a result, creating a new directory "Autorun.inf" in the root directory of removable disks can prevent virus creation autorun.inf that are not considered in the early stages, reducing the probability of successful propagation.

2, Autorun.inf under the illegal file name directory

Some viruses add fault-tolerant code and try to delete the Autorun.inf directory before generating Autorun.inf. Under the Windows NT WIN32 subsystem, such as "filename." Such directory names are allowed, but in order to maintain compatibility with the Dos/win9x 8.3 file system (. Null later), the directory query function directly calling the standard WIN32 API cannot query the contents of such a directory and returns an error. However, deleting a directory must progressively remove the entire tree structure under it, so you must query the contents of each subdirectory below it. Therefore, creating a special directory such as "MDx:autorun.infyksoft ..." in the "Autorun.inf" directory can prevent Autorun.inf directories from being easily deleted. Similarly, the use of the native API to create directories using DOS reserved names (such as con, LPT1, PRN, etc.) can also achieve similar goals.

3. NTFS Permissions control

The virus maker is also a hacker who knows the features of windows that can be considered bugs. They can do a program that scans the directory and discovers that the last byte of a directory name is '. ' Delete the special directory by accessing "Dirfullname.", or by directly interfering with the file system function in the Windows NT native API.

As a result, methods based on lower-level file system permissions have emerged. The U disk, mobile hard disk format to NTFS file system, create Autorun.inf directory, set the directory for any user does not have any permissions, the virus not only can not delete, and even can not list the contents of the directory. However, this approach is not suitable for devices such as music players that typically do not support NTFS.

These three steps are more exciting than one step. However, the biggest problem is not how to prevent this autorun.inf, but the fragility of the system itself and the explorer. Virus writers will soon be able to make more powerful plans. This is what I expected.

1, combined with ANI loophole, in the Autorun.inf icon set into a ANI vulnerability exploit file (after my experiment, found that Windows has a feature, even if the ANI extension to ICO, or can parse out the icon), so as long as one open "My Computer", A system that is not patched and has no anti-virus software will suffer directly. Such things can also be placed on the Internet in various resources ISO.

2, improve the overall programming level of the virus, combined with all kinds of anti-immunization methods, in addition to use most of the domestic Windows users often with high access to the characteristics of the system, automatically will not have the right to Autorun.inf directory access to ownership, add read and write delete permissions, break the most rugged fortress.

Basic Protection methods

In the face of such terrible things, there are few ways to deal with them. But they are the basic solution to all Windows security issues:

Be sure to keep your system and security software up to date. Even for pirated users, Microsoft does not leave important levels of security updates and has never included a record of anti-piracy programs in critical-level security updates.

Try to use the system and surf the Internet with limited accounts, which will reduce the probability of the virus entering the system. The reason why Vista joins UAC is that it enables users to enjoy the security of restricted users while trying to be as convenient as possible.

To some extent, it can be said that QQ, ie and some equipment can change real money, everything to real money online game is caused by a large number of virus Trojan writers appear "The root of all evils." Through IE loophole, make webpage trojan, install pilfer number procedure, steal account, get RMB. In this black industry chain, IE is in fact the most easily cut off the ring. Cherish the system, the system must be updated, to have to prevent the Web Trojan anti-virus software, with IE do not mess with a variety of small download stations, pornographic sites, such as high-risk sites, if possible, the use of non-IE engine browser.

Malware bundled software is now getting closer and virus Trojans close. Some malware FSD hook self Defense programs may be exploited by viruses to protect themselves (such as Sony XCP events), while some malware itself is a virus Trojan's downloader. So don't let the rogue get close to your machine.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.