Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Community Blog

KB 971029 - A good step towards malware propagation prevention.

Created: 17 Sep 2009 • Updated: 17 Sep 2009 • 7 comments
Satyam Pujari's picture
+5 5 Votes
Login to vote

It has always been observed that autoplay/autorun feature of MS windows OS is one of the most preffered selection of malware propagation.We've witnessed some devastating examples of malware which used this feature effectively to replicate and converting a single machine infection to a malware outbreak with in first few hours.Conficker a.k.a W32.downadup is the most recent example of such malware.But this is not at all a new method of infection,rather this method of infection is there since decades.Some more popular examples are Trojan.Brisv.A!inf,W32.Gammima and many more in the long list.

Many other AV vendors detect autorun.inf but Symantec does not.Many people take it in a wrong way but there's a valid reason behind this decision that why Symantec does not detect autorun.inf.
The answer is pretty simple and logical "It's a feature of MS windows OS which is abused by malcious code and the AV "should not" just go on and remove a feature of the OS as this feature is also used by 'many' other software vendors.Secondly, Autorun.inf is just an information file and usually contains the instructions (when maliciously used) to execute the "original" malicious code/file.Autorun.inf alone can't do anything even if the instructions are in it if the main file is detected and clean..Period.But there're many other arguments, one of them is one can't open the drive [untill shell (explorer.exe) is refreshed or the system is rebooted] if the main file [malicious executable] is deleted and autorun.inf is still present in the drive present.The simple resolution is disable the feature.
However, ‘auto play’ still remained a feature of windows and there was no official fix/patch available from the OS vendor .But now there's a good news from Microsoft.
After successful installation of the update the update auto run feature would not be available for "removable medias" but with an exception to CD/DVD.
Here is the announcement from MS 
"After you install this update, users will no longer see this dialog box. Users must browse to the setup executable that is found on the USB flash drive to start the "Copy Network Settings" process. This update disables Auto Run entries in AutoPlay, and displays only entries that are populated from CD and DVD drives. Effectively, this prevents AutoPlay from working with USB media."
Anyways, it's a good step by MS to prevent the auto play feature abuse which would surely help preventing malware up to 'some extent' as the usage of  flash drives/external hard drive /CF cards are more in use than 'writeable' CD/DVD in current scenario. 

Comments 7 CommentsJump to latest comment

Vikram Kumar-SAV to SEP's picture

 Looks this time Microsoft is serious about security..

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search use it.

Login to vote
Bijay.Swain's picture

This is a good move from microsoft which releases their Os with too many  bugs.

Login to vote
AravindKM's picture

Thank you for the information. 

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Login to vote
Maximilian's picture

Finally a really decent change in autorun behavior

Login to vote
steffib's picture

Hi, I recently installed this patch (KB971029) on a Windows XP Pro system at the recommendation of my AV software provider. It seems to be working, but how do I access the files on my USB drive?

I'm asking because the USB drive no longer shows up when plugged into my system. Does this patch make it so that you can NO LONGER use a USB Drive on the system at all? Or, is there still a way to access the files on the USB Drive, even though the undesirable Autorun.inf behavior has been disabled?

Thank you in advance for any assistance you can provide!

Login to vote