Thursday, February 21, 2008

Disabling autorun on windows

After realizing what a huge security hole Autorun really is, I looked around for a way to disable it and I found this article. In a nutshell, several values must be set in the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:
  • NoDriveAutoRun (REG_BINARY) should be ffffffff
  • NoDriveTypeAutoRun (REG_DWORD) should be ff
If you don't want to fool around with regedit and you trust me enough, the registry file can be downloaded from here. You can download it to your desktop and double-click it to apply the settings to your registry.
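As an added example (not the .reg file the post links to), the same two policy values can be written from a command prompt with reg.exe and read back to confirm they took. The key path, value names and value types are exactly the ones stated above; the REG_DWORD data is given as decimal 255 (= ff) because reg.exe expects a number there.

```batch
@echo off
rem Added example, not the blog's own registry file: applies the two
rem Explorer policy values described in the post with reg.exe and then
rem queries them back so you can see what was actually written.
set KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

rem NoDriveAutoRun as REG_BINARY ffffffff (type and data as the post states)
reg add "%KEY%" /v NoDriveAutoRun /t REG_BINARY /d ffffffff /f

rem NoDriveTypeAutoRun as REG_DWORD ff: every bit set, so autorun is
rem suppressed for all drive types (removable, fixed, network, CD-ROM, RAM)
reg add "%KEY%" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

rem Verify: both values should be listed with the data just written
reg query "%KEY%" /v NoDriveAutoRun
reg query "%KEY%" /v NoDriveTypeAutoRun
```

Save it as a .bat file and run it from an account that can write to its own HKEY_CURRENT_USER; because the values live under the per-user Policies key, repeat it for each account on the machine. Explorer reads the policy the next time a drive is inserted, so no reboot is needed.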

Removing the trojan: imgkulot

What is it?
imgkulot is a trojan which spreads via removable storage devices (flash drives, mp3 players) and network drives connected to an infected computer. It abuses the Autorun feature of Windows.
How do I know if I have it?
  • Open My Computer
  • Navigate the menu to Tools -> Folder Options
  • On the Folder Options dialog, choose the View tab and, in the advanced settings, choose Show hidden files and folders; then make sure Hide extensions for known file types and Hide protected operating system files are both UNCHECKED, and click the OK button to dismiss the dialog
  • Open any of your hard drives or flash drives. If you see files named __.bat, __.reg and __.vbs then your computer is infected
What does it do?
Any new drive attached to your system will get infected. This includes flash drives, network drives, mp3 players etc. These devices, when connected to other computers, will infect those computers too. Looking at the code, this trojan is fairly harmless and does nothing except propagate.
How the f@#$%^& do I get rid of it?
  • Restart your computer
  • Connect all your removable drives
  • Right-click on the task bar and choose to open the Task Manager. In the Processes tab, locate WScript.exe, select the process, then click on the End Process button; click Yes when the Task Manager Warning dialog comes up
  • Open a command prompt by navigating to Start Menu -> Programs -> Accessories -> Command Prompt
  • Type the following commands to fix your system drive (assuming c:):
        c:
        cd c:\
        attrib -h -r -s -a AutoRun.inf
        del AutoRun.inf
        attrib -h -r -s -a __.*
        del __.*
        cd c:\windows\system32
        attrib -h -r -s -a AutoRun.inf
        del AutoRun.inf
        attrib -h -r -s -a __.*
        del __.*
  • For each other drive on your system, type the same commands (assuming e:):
        e:
        cd e:\
        attrib -h -r -s -a AutoRun.inf
        del AutoRun.inf
        attrib -h -r -s -a __.*
        del __.*
  • Using regedit, restore the Userinit string value in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to userinit.exe. If you don't want to fool around with regedit and you trust me enough, you can just download defaultUserInit.reg to your Desktop and double-click on it to revert the registry settings.
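The detection check from "How do I know if I have it?" and the cleanup steps above, collected into one batch script as an added example (this is not the blog author's script, and it is not the defaultUserInit.reg file). The marker file names (__.bat, __.reg, __.vbs, AutoRun.inf), the system32 location and the Winlogon\Userinit value all come from the post. Three things are assumptions: the drive letters scanned (C through H), that taskkill.exe is available (it ships with Windows XP Professional, not Home), and that Windows is installed in C:\WINDOWS, which is the path used for the restored Userinit data (the standard default is the full path followed by a trailing comma, not the bare file name the post gives).

```batch
@echo off
setlocal
rem Added example, not the blog's own script. Automates: detect the marker
rem files, stop wscript.exe, strip attributes and delete the dropped files
rem on every drive and in system32, then restore Winlogon\Userinit.
rem Assumed: drive letters C-H, taskkill.exe present, Windows in C:\WINDOWS.

set WINLOGON=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
set DRIVES=C D E F G H

rem 1. Detection: the post's indicator is __.bat/__.reg/__.vbs in a drive root
set INFECTED=0
for %%d in (%DRIVES%) do (
    if exist %%d:\__.vbs (
        echo [!] %%d:\ carries the imgkulot marker files
        set INFECTED=1
    )
)
rem Also show what Userinit currently points at, since the trojan changes it
reg query "%WINLOGON%" /v Userinit
if "%INFECTED%"=="0" (
    echo No marker files found in the scanned drive roots; nothing to clean.
    goto :eof
)

rem 2. Stop the running script host so the files are no longer in use
rem (same effect as ending WScript.exe in Task Manager)
taskkill /f /im wscript.exe

rem 3. Clean every present drive root, then the system32 directory
for %%d in (%DRIVES%) do (
    if exist %%d:\nul call :clean %%d:\
)
call :clean C:\WINDOWS\system32\

rem 4. Restore Userinit to the XP default (full path, trailing comma)
reg add "%WINLOGON%" /v Userinit /t REG_SZ /d "C:\WINDOWS\system32\userinit.exe," /f
reg query "%WINLOGON%" /v Userinit
echo Cleanup done. Reconnect any other removable drives and run this again.
goto :eof

:clean
rem %1 is a directory path ending in a backslash. Remove the hidden,
rem read-only, system and archive attributes first, otherwise del refuses.
if exist "%1AutoRun.inf" (
    attrib -h -r -s -a "%1AutoRun.inf"
    del "%1AutoRun.inf"
    echo Removed %1AutoRun.inf
)
if exist "%1__.*" (
    attrib -h -r -s -a "%1__.*"
    del "%1__.*"
    echo Removed %1__.*
)
goto :eof
```

Run it from an administrator account after the restart described above, with all removable drives plugged in so their roots are in the scan. The `if exist` on a hidden file still matches, which is why the detection step works even before the Folder Options change; `reg query` before and after the fix shows whether Userinit had been hijacked and that it now points back at the legitimate userinit.exe.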