facebook rss twitter

Microsoft disables Autorun to stop viruses in their tracks

by Pete Mason on 9 February 2011, 15:28

Tags: Windows Vista, Windows XP, Microsoft (NASDAQ:MSFT)

Quick Link: HEXUS.net/qa4it

Add to My Vault: x

As handy as USB keys are, they're a perfect way for virus writers to try and spread malicious software. This is made especially easy thanks to the AutoRun feature built into Windows, that would do pretty much whatever an 'autorun.ini' file told it as soon as the storage device was plugged in. Perhaps the most well-known example of this was the Conficker worm, which infected millions of PCs in 2008.

After some years of telling users to disable the feature - but providing no easy way to do it - Microsoft re-engineered AutoRun in Windows 7, preventing viruses from making use of it for USB keys and other removable media. And now, an update is being pushed to users of older versions of the OS through Windows Update which should close the loophole for good.

This patch - which essentially back-ports the Windows 7 changes to Server 2008 and earlier operating systems - was originally released in November 2009, but it was made an optional download to satisfy the needs of business users. Only now is it being pushed out to everyone automatically.

The feature hasn't been completely disabled, though. AutoRun will still work normally on so called 'shiny media' - that's CDs and DVDs to the rest of us - since it's very unlikely that viruses will be distributed in this way on optical media. In fact, that sort of malware has never been spotted in the wild according to Microsoft.

According to the announcement, "changing behavior for a running system is never a trivial thing, and we take it incredibly seriously. It would be a bad outcome for people to think they have to make a tradeoff between security and anything else. Updates to protect against vulnerabilities are an important part of keeping a system secure. We had to be very confident that this change was the right balance for most people."

Update 967940 should have been made available on Tuesday as a part of Microsoft's monthly updates as an 'important non-security update'. For anyone not happy with the changes, there is a 'Fix It' available that should put everything back to normal here.

HEXUS Forums :: 10 Comments

Login with Forum Account

Don't have an account? Register today!
Posted by miniyazz - Wed 09 Feb 2011 17:58
About time.

Autorun always annoys me whenever I plug a USB stick in someone else's computer. I've already loaded up the Explorer window, I really don't need some stupid popup searching for an autorun.ini file which I don't have, before asking if I wanted to open the folder or do whatever else with it. It's already open..
Posted by jim - Wed 09 Feb 2011 18:00
Yes, strikes me as being a little bit late, this one.

Seen these types of things spread around two schools in my time, one where I was a pupil and didn't care, and one where I was meant to be admin and really did care. USBs are far too vulnerable - in the days of floppy disks and CD-ROMs autorun made a lot of sense, but not now.
Posted by spoon_ - Wed 09 Feb 2011 20:06
They only got to realise that autorun is bad in 2011? Shocking.

U3 USB sticks suddenly will become less popular :P
Posted by watercooled - Wed 09 Feb 2011 20:09
I've been doing this myself on any new installs/reformats I do for friends+family, as above, it's about flipping time!
Posted by joel_spencer - Wed 09 Feb 2011 20:36
I used a program called autorun eater to stop the viruses when I disinfected a stick for a client as at the time no commercial program seemed able to stop the exploit.

The variant in question also hid the files on the disk and copied the file name of one of the proper folders and named itself that with a folder icon. It also disabled the option to show hidden files.

Bit of a case of shutting the gate after the horse has bolted me thinks.

As for not seeing the viruses on optical media I think that is unlikely not to have happened. The strains I saw copied themselves into the boot sectors of every drive in the infected machine (thereby meaning windows reinstallation would not delete the viruses unless every drive was scrubbed) so not to insert itself onto any media burned would seem idiotic.

SEE NEWER »