Preventing a virus from using the AutoRun feature to spread itself
Article: TECH104447 | Created: 2008-01-21 | Updated: 2013-11-05 | Article URL: http://www.symantec.com/docs/TECH104447
It appears that a virus is using the AutoRun feature in Windows to spread itself. Whenever a USB drive is inserted or other computers connect to the network, a file called "autorun.inf" appears at the root of the new drive and the installed antivirus product detects a threat.
Windows uses the autorun.inf file to:
- Identify which file to run when new media is inserted, or
- Identify which options to present in an AutoPlay dialog
Viruses and other malware will attempt to use this feature to infect new computers when devices or media (like a USB drive) are moved between computers.
Note: The "autorun.inf" file, in and of itself, is not malicious. It is simply a text file.
The autorun.inf file when viewed in a text editor typically contains lines similar to the following:
If you suspect that an infection is using AutoRun but the file <filename.exe> pointed to by autorun.inf is not detected by Symantec Endpoint Protection (SEP), please submit the file to Symantec Security Response using the instructions in the following article:
- How to Use the Web Submission Process: http://www.symantec.com/docs/TECH102419
Even when SEP detects and deletes the <filename.exe> threat, the autorun.inf text file may not always be deleted since both benign and malicious files can use autorun.inf.
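An added example (not part of the Symantec article or any Symantec product): a small Python parser that lists the files an autorun.inf points to, so that each one can be located on the drive and submitted as described above. It goes slightly beyond the single <filename.exe> case by also reading the shellexecute and shell\verb\command entries; the function names and the sample file contents are constructed for illustration.

```python
import re

# Entries in the [autorun] section that name a program for Windows to launch.
_EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def autorun_targets(text):
    """Return [(key, command)] for every launch entry in an autorun.inf body."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # other sections and lines that are not key=value are ignored
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if _EXEC_KEY.match(key) and value:
            targets.append((key.lower(), value))
    return targets

def target_files(text):
    """File names only (arguments dropped), de-duplicated case-insensitively."""
    seen = []
    for _, command in autorun_targets(text):
        # A quoted path may contain spaces; otherwise it ends at the first space.
        m = re.match(r'"([^"]+)"|(\S+)', command)
        name = m.group(1) or m.group(2)
        if name.lower() not in (s.lower() for s in seen):
            seen.append(name)
    return seen

# Constructed sample contents, not taken from a real infection.
SAMPLE = """\
; constructed example
[AutoRun]
open=filename.exe /quiet
icon=folder.ico
notakeyvalueline
shell\\open\\command="tools\\my app.exe" -x
ShellExecute=FILENAME.EXE
[Other]
open=ignored.exe
"""

if __name__ == "__main__":
    for key, cmd in autorun_targets(SAMPLE):
        print(f"{key:24} -> {cmd}")
    print(target_files(SAMPLE))
```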
To permanently prevent threats from using the AutoRun feature, the following options are available:
- Install a Windows hotfix to disable AutoRun on USB drives
- Disable AutoPlay in your environment using a Group Policy Object (GPO)
- Disable the AutoRun functionality using the registry
- Use a Symantec Endpoint Protection Application and Device Control policy
This hotfix leaves AutoRun working only with CD and DVD drives, disabling USB, which is the most common AutoRun method used by malware to spread. The update applies to Windows XP, 2003, Vista, and 2008.
Follow the instructions in the following Microsoft TechNet Security Watch article, under "Managing AutoPlay in Your Network".
This Microsoft KB article explains how to disable AutoRun using the NoDriveTypeAutoRun registry key.
Protection features within the Symantec Endpoint Protection product can be used to block the AutoRun functionality.
Further information about AutoRun and AutoPlay is also available at the following:
- Video demonstration of "How to prevent a virus from spreading using the 'AutoRun' feature" www.symantec.com/connect/blogs/autoplay-worms
- MSDN: Enabling and Disabling AutoRun http://msdn2.microsoft.com/en-us/library/bb776825.aspx