Microsoft's advice on Downadup worm is flawed

Earlier Neowin reported about the fast spread of Downadup worm which targeted unpatched networks and poor passwords. The estimated number of systems affected by Downadup is around 8.9 million and its still growing. Disabling AutoRun is an effective way to prevent the spread of Downadup worm as the worm uses Windows' autorun feature to spread fast through removable drives.

Gregg Keizer of ComputerWorld reports that U.S. Computer Emergency Readiness Team (US-CERT) has said that Microsoft's advice on disabling the Windows' Autorun feature to overcome Downadup worm is flawed as it is does not fully disable the autorun capabilities and users are prone to the Downadup worm attack itself again.

Changing the Autorun and NoDriveTypeAutorun registry values to 0 and 0xFF respectively will not prevent newly connected devices from automatically running code specified in the autorun.inf file. Some of the reasons why disabling AutoRun is still not safe are:

  • Media Change Notification (MCN) messages are disabled after changing the registry values which may prevent Windows from detecting when a CD or DVD is changed.
  • Windows may execute arbitrary code (if an autorun.inf file exists on the device) when the user clicks the icon for the device in Windows Explorer as Windows will still be able to parse and run the autorun.inf file.


Image Courtesy: US-CERT

Workarounds to completely disable AutoRun are:

  • Import the following registry values into Windows Registry by saving the values in a file named as autorun.reg and execute the code. Restart Windows to clear any Autorun cache.

    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"

  • Apply this fix from Microsoft to correct the NoDriveTypeAutoRun registry value. This fix has been released to Windows Vista and Windows Server 2008 by a security update. Windows 2000, XP, and Windows Server 2003 users must install the update manually.

You can also download and run the Downadup Removal Tools from Symantec or F-Secure sites.

The latest update from F-Secure is that the growth of Downadup has been curbed. However, the disinfection of the worm still remains as a challenge.

Report a problem with article
Previous Story

Gamestop may not carry Dawn of War 2 because of Steam?

Next Story

Microsoft Flight Simulator the victim of staff layoffs?

4 Comments

Commenting is disabled on this article.