Earlier Neowin reported about the fast spread of Downadup worm which targeted unpatched networks and poor passwords. The estimated number of systems affected by Downadup is around 8.9 million and its still growing. Disabling AutoRun is an effective way to prevent the spread of Downadup worm as the worm uses Windows" autorun feature to spread fast through removable drives.
Gregg Keizer of ComputerWorld reports that U.S. Computer Emergency Readiness Team (US-CERT) has said that Microsofts advice on disabling the Windows" Autorun feature to overcome Downadup worm is flawed as it is does not fully disable the autorun capabilities and users are prone to the Downadup worm attack itself again.
Changing the Autorun and NoDriveTypeAutorun registry values to 0 and 0xFF respectively will not prevent newly connected devices from automatically running code specified in the autorun.inf file. Some of the reasons why disabling AutoRun is still not safe are:
- Media Change Notification (MCN) messages are disabled after changing the registry values which may prevent Windows from detecting when a CD or DVD is changed.
- Windows may execute arbitrary code (if an autorun.inf file exists on the device) when the user clicks the icon for the device in Windows Explorer as Windows will still be able to parse and run the autorun.inf file.
Image Courtesy: US-CERT
Workarounds to completely disable AutoRun are:
- Import the following registry values into Windows Registry by saving the values in a file named as autorun.reg and execute the code. Restart Windows to clear any Autorun cache.
- Apply this fix from Microsoft to correct the NoDriveTypeAutoRun registry value. This fix has been released to Windows Vista and Windows Server 2008 by a security update. Windows 2000, XP, and Windows Server 2003 users must install the update manually.
The latest update from F-Secure is that the growth of Downadup has been curbed. However, the disinfection of the worm still remains as a challenge.