Microsoft's advice on Downadup worm is flawed

Chaks on 23 January 2009 - 23:15

Earlier Neowin reported on the fast spread of the Downadup worm, which targets unpatched networks and weak passwords. The estimated number of systems infected by Downadup is around 8.9 million, and it is still growing. Disabling AutoRun is an effective way to prevent the spread of the worm, since it uses Windows' AutoRun feature to propagate quickly through removable drives.

Gregg Keizer of Computerworld reports that the U.S. Computer Emergency Readiness Team (US-CERT) has said that Microsoft's advice on disabling Windows' AutoRun feature to counter the Downadup worm is flawed: it does not fully disable AutoRun, so users who follow it remain exposed to the same worm.

Changing the Autorun and NoDriveTypeAutorun registry values to 0 and 0xFF respectively will not prevent newly connected devices from automatically running code specified in the autorun.inf file. Some of the reasons why disabling AutoRun this way is still not safe are:
  • Media Change Notification (MCN) messages are disabled after changing the registry values, which may prevent Windows from detecting when a CD or DVD is changed.
  • Windows may execute arbitrary code (if an autorun.inf file exists on the device) when the user clicks the icon for the device in Windows Explorer, because Windows will still parse and act on the autorun.inf file.

Image Courtesy: US-CERT

Workarounds to completely disable AutoRun are:
  • Import the following registry values into the Windows Registry by saving them in a file named autorun.reg and importing that file with Registry Editor. Restart Windows to clear any AutoRun cache.

    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"

  • Apply this fix from Microsoft to correct the NoDriveTypeAutoRun registry value. This fix has already been delivered to Windows Vista and Windows Server 2008 through a security update; Windows 2000, XP, and Windows Server 2003 users must install the update manually.
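As an added example (not code from the article, US-CERT or Microsoft), the following PowerShell audit reads the registry locations named above and reports whether the IniFileMapping workaround is in place and what NoDriveTypeAutoRun is set to in each hive. The key paths are the standard Windows ones and the script writes nothing.

```powershell
# Added example, not from the Neowin article or US-CERT: a read-only audit of the
# AutoRun settings the article discusses, so an admin can see which of the
# workarounds is actually in effect on a machine. Key paths and value names are
# the documented Windows registry locations; nothing is written.

$MapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Test-AutorunInfMapping {
    # US-CERT workaround: the (Default) value of the Autorun.inf mapping key must
    # point at a non-existent section so Windows never parses autorun.inf at all.
    if (-not (Test-Path -Path $MapKey)) { return $false }
    $default = (Get-ItemProperty -Path $MapKey).'(default)'
    return ($default -eq '@SYS:DoesNotExist')
}

function Get-NoDriveTypeAutoRun {
    # Reports NoDriveTypeAutoRun per hive. 0xFF disables AutoRun on every drive
    # type; an absent value means the Windows default (AutoRun enabled) applies.
    foreach ($key in $PolicyKeys) {
        $value = $null
        if (Test-Path -Path $key) {
            $value = (Get-ItemProperty -Path $key).NoDriveTypeAutoRun
        }
        [pscustomobject]@{
            Hive        = $key.Substring(0, 4)
            Value       = if ($null -eq $value) { 'not set' } else { '0x{0:X2}' -f $value }
            AllDisabled = ($value -eq 0xFF)
        }
    }
}

$mappingApplied = Test-AutorunInfMapping
Write-Host "Autorun.inf IniFileMapping workaround applied: $mappingApplied"
Get-NoDriveTypeAutoRun | Format-Table -AutoSize

if (-not $mappingApplied) {
    # Per the article, NoDriveTypeAutoRun alone leaves autorun.inf parsable, so
    # clicking the drive icon in Explorer can still run the code it names.
    Write-Warning 'autorun.inf can still be parsed; import the IniFileMapping workaround and reboot.'
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; a result of "False" for the mapping check with NoDriveTypeAutoRun at 0xFF is exactly the half-protected state US-CERT describes.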


You can also download and run the Downadup Removal Tools from Symantec or F-Secure sites.

The latest update from F-Secure is that the growth of Downadup has been curbed. However, disinfecting infected machines remains a challenge.

Comments
#1 abcdefg on 24 Jan 2009 - 02:24

Lots of Fisher-Price banana boats sinking.
#2 iron2000 on 24 Jan 2009 - 03:08
Can Ninja Pendisk prevent this without disabling Autorun?
#3 notta on 24 Jan 2009 - 04:29
This thing has nailed our corporate network hard. We are still cleaning it up.
#4 Nestea_Zen on 24 Jan 2009 - 15:05
Quoting neowin.net:
Media Change Notification (MCN) messages are disabled after changing the registry values which may prevent Windows from detecting when a CD or DVD is changed.

This is why you don't _have_ to set Autorun to 0.
HKLM\SYSTEM\CurrentControlSet\Services\Cdrom

Quoting microsoft.com:
Tip

To disable Autoplay on particular drives, use NoDriveAutoRun (in HKLM or HKCU) or NoDriveTypeAutoRun (in HKLM or HKCU). Do not disable the Media Change Notification message unless you have no alternative.

Still don't understand why SMB is active by default listening to the internet.
Poor guys who had port 445 open and use a modem.
#5 Turion on 24 Jan 2009 - 21:53
well MY baby is clean and protected.
#5.1 Chasethebase on 25 Jan 2009 - 16:37
Turion said,
well MY baby is clean and protected.

That's what /she/ said?

Either way my PC is fine at the moment (Touchwood).
