AutoRun in Windows considered harmful

Recently I started taking a basic course in Computer-Aided Design (CAD) at George Brown College – mostly for interest’s sake, although it’s partly because my day job at CBC is exposing me more and more to the engineering side of things, and I imagine it’ll only be a matter of time before I’ll have to start looking at technical drawings. The instructor recommended on day one that we all purchase USB memory keys to save our work, because there are no personal home directories on the George Brown network. Thus begins the sorry tale of how I managed to get a virus on my CBC-issued Windows laptop – thanks Microsoft!

Many of you know that Windows has an Autoplay “feature” that causes it to read the contents of an autorun.inf file placed on removable media, and execute the program specified therein, whenever that media is inserted in a computer. I always thought this was a terribly annoying feature even back in the days of Windows 95 and CD-ROMs, but now it’s being exploited as a vector for virus propagation. This is exactly what happened to me: it turns out that George Brown has a nasty worm called WORM_LEGMIR.FU floating around their network, and it copies itself, with a referencing autorun.inf, to any writable removable media, like your USB stick. Thanks to Windows’ Autoplay feature, when you subsequently take that USB stick and insert it in another Windows computer, that machine is instantly infected. Thanks Bill!

It gets better. Many anti-virus programs, such as the CA eTrust that my company uses, are unable to fully remove the worm from the computer, because Windows has some other wonderful features, such as Super Hidden Files: using the registry entry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, you can create files that are “Super Hidden” and cannot be seen by most applications. These files actually have nothing more than the Hidden and System bits set, but with this registry entry turned on, Windows won’t let you touch them. It’s a perfect mechanism for virii to hide their DLLs and EXEs in an undeletable way!

This set of so-called “features” just illustrates the shoddiness of Microsoft’s software design. Again, it’s clear that these features come from marketing departments, rather than having been derived from any sound technical analysis. In retrospect, my laptop really had no chance; the fact that you can infect a Windows-based PC by doing nothing more than walking up to it and inserting a piece of removable media (even a CD-ROM) is stunning. In order to stop this particular attack vector, you must hack the operating system beforehand (by disabling Autoplay), or, I suppose, gluing your USB slots shut and removing the CD-ROM or floppy drive.
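The following PowerShell script is an added example, not code from the original post or from Trend Micro: it audits a removable drive the way a defender would before trusting it, and applies the two mitigations the post points at. It parses an autorun.inf and reports only the keys that can cause a program to run (`open`, `shellexecute`, `shell\verb\command`), lists files on the drive that carry both the Hidden and System attributes (the "Super Hidden" combination described above), turns on display of those files via the ShowSuperHidden value under the Explorer\Advanced key, and sets the machine-wide NoDriveTypeAutoRun policy so that Autoplay ignores every drive type. The drive letter `E:` and the sample autorun.inf written to `$env:TEMP` are assumptions constructed for the demonstration; the registry paths and value names are the standard Windows ones. Run it from an elevated prompt.

```powershell
# Added example (not from the original post). Audit a removable drive for an
# autorun.inf that Autoplay would honour, surface Hidden+System files, and
# apply the AutoRun / Super Hidden mitigations. Run elevated.

function Get-AutorunInfTargets {
    param([Parameter(Mandatory)][string]$Path)
    # Walk the [autorun] section and keep only the keys that launch a program.
    $inSection = $false
    $targets = @()
    foreach ($raw in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inSection -or $line -eq '' -or $line.StartsWith(';')) { continue }
        $parts = $line -split '=', 2
        if ($parts.Count -ne 2) { continue }
        $key = $parts[0].Trim()
        if ($key -match '^(open|shellexecute|shell\\.+\\command)$') {
            $targets += [pscustomobject]@{ Key = $key; Command = $parts[1].Trim() }
        }
    }
    return $targets
}

function Get-HiddenSystemFiles {
    param([Parameter(Mandatory)][string]$Root)
    # Files with BOTH Hidden and System set are what Explorer treats as
    # "protected operating system files" and hides when ShowSuperHidden is 0.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
            $_.Attributes.HasFlag([IO.FileAttributes]::System)
        }
}

function Test-AutorunDisabled {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is
    # suppressed; 0xFF covers every drive type. Machine policy wins over user policy.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($v -eq 0xFF) { return $true }
    }
    return $false
}

function Disable-Autorun {
    # Machine-wide: AutoRun ignored for all drive types (needs elevation).
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    Set-ItemProperty -Path $p -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

function Show-SuperHiddenFiles {
    # The key the post refers to: ShowSuperHidden=1 makes Explorer display
    # Hidden+System files; Hidden=1 shows ordinary hidden files as well.
    $p = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $p -Name ShowSuperHidden -Value 1 -Type DWord
    Set-ItemProperty -Path $p -Name Hidden -Value 1 -Type DWord
}

# --- usage -------------------------------------------------------------------
# Constructed sample (assumption; not the worm's real file) to exercise the parser.
$sample = @"
[autorun]
open=setup.exe
icon=setup.exe,0
shell\install\command=setup.exe /quiet
"@
$tmp = Join-Path $env:TEMP 'autorun-sample.inf'
Set-Content -LiteralPath $tmp -Value $sample
Get-AutorunInfTargets -Path $tmp | Format-Table -AutoSize

# Real audit of a removable drive (assumes it mounted as E:).
$drive = 'E:\'
$inf = Join-Path $drive 'autorun.inf'
if (Test-Path -LiteralPath $inf) { Get-AutorunInfTargets -Path $inf | Format-Table -AutoSize }
Get-HiddenSystemFiles -Root $drive | Select-Object FullName, Attributes

if (-not (Test-AutorunDisabled)) { Disable-Autorun }
Show-SuperHiddenFiles
"AutoRun disabled for all drive types: $(Test-AutorunDisabled)"
```

The parser deliberately reports `icon=` lines as harmless and flags only the launch keys, so a stick carrying a TrueCrypt-style autorun.inf (as a commenter below describes) shows up with its `open=` target listed, letting you decide whether that program is one you expect. Explorer reads the policy values at startup, so sign out or restart after `Disable-Autorun` and `Show-SuperHiddenFiles` before relying on them.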

I did manage to disinfect my laptop by following the instructions on Trend Micro’s website – but those instructions aren’t for the faint of heart. (I also had to put the USB stick in my Linux PC and delete the offending autorun.inf and the virus, because obviously I wasn’t going to put it in another Windows PC to do that!) Many of my fellow not-so-computer-savvy classmates came to the conclusion that they should just throw away their $50 USB sticks and get new ones; something I can’t wholly discourage if they don’t have access to a Linux box or a Mac.

  1. That's just brilliant. I must ask though – why are you using a Windows PC? Is it because the CAD software treats other non-Windows operating systems as second class (or non-existent) citizens?

  2. Sadly, yes – AutoCAD only runs on Windows. Some folks have claimed that it will run under Wine, but I'm not that adventurous…

    As to the reason why I even have a Windows laptop – my work is incredibly Windows-centric, e.g. the VPN is Nortel's Contivity (bastardized IPSec, Windows-only); trouble ticketing is BMC Remedy (Windows-only, although it does work ok under Wine), and many internal sites are Windows only (including the pension website! Sigh…

  3. Lol.. typical neophyte response to getting a virus on a piece of media. Just get a new one!

    You could, of course, disable autorun first then insert the USB Key.

    I am going to have to defend Microsoft on this one, for this reason only.

    The contents of my USB key are encrypted using TrueCrypt (free and open source, and unix friendly, etc.., etc….). Because I wanted some part of the key to be unencrypted, I set up TrueCrypt to store the encrypted data in a "file" on the key.

    It automatically set up the proper autorun.inf file so that when I stick the key in ANY computer (no drivers needed!) TrueCrypt will prompt me for my password to mount the encrypted file as another "drive" on the computer.

  4. Hey Blake – I can't even blame the neophytes regarding the USB key. If you can't disinfect your key (e.g. if you don't have access to a Mac or a Linux box), then maybe from their perspective, throwing the key away actually is the "right" solution.

    I agree that the Autoplay feature increases usability — users don't have to double-click on any executable in order to launch, say, a password management program. But at what cost, is the question? I argue that it's not worth the cost of having rogue programs automatically run on your computer without your intervention.