Comments on Nick Brown's blog: Memory stick worms

Nick Brown (2010-11-15 13:56):
I haven't seen Windows 7... I would have hoped that the official Microsoft way of doing things would be sufficient, but I'm going to guess that this hack might work. If it doesn't, it probably won't do any harm, anyway. Let me know if you test it.

Anonymous (2010-11-15 11:26):
Hi Nick,

I learn a lot of your tricks but I have a question: can this method also be applied on Windows 7? Is any modification, alteration or whatever instruction needed to be followed?

Thank you very much

More power

Nick Brown (2010-09-17 07:39):
Yes, copy it anywhere. It's on the Internet, so I assume it's everywhere. :-))

Mike (2010-09-17 01:54):
Thanks for the tip Nick! :)
A question that I have is, can I copy this article? I wouldn't mind having this info on hand, in case I'm working on somebody's computer and I need to apply this patch.

Thanks again!

P.S. What is your policy concerning the copying of your articles?

Nick Brown (2010-08-30 20:57):
Wow. People are still running Windows 9x? I don't know if the hack will work. But in any case, I'm guessing that most modern worms won't work with Win9x anyway. ;-)

Charlot (2010-08-30 04:53):
This trick is not working with Windows 9x?

Nick Brown (2010-01-03 22:57):
Hi Robert,
>removable media and hard disk
>started up autoplaying again,
>if only to open Windows Explorer
>or a choose-the-action dialog.

Do you mean "AutoPlay(ing)" or "AutoRun(ning)"? Two different things, although I doubt if 2% of 'Softies could tell you the difference. :-)

That said, it wouldn't surprise me if MS's workaround didn't work. For one thing, MS are notorious for not using their own APIs for a lot of stuff.

>if it could be made to display a
>message such as "Execution of
>Autorun.inf on device E: was
>prevented using a clever remedy
>invented by Nick Brown.
Heh, nice idea, but then I'd have to build a kit and ship a DLL. You should see the amount of trouble I have convincing people to add a one-line registry patch - I've seen loads of forum discussions where people who fancy themselves as experts dispense advice like "oooh, it modifies the registry, not worth the risk". I think they should fire up REGMON and see how many times every app in creation modifies the registry per second...

Nick

Robert Carnegie rja.carnegie@excite.com (2010-01-03 14:35):
On XP Home SP3 without your fix, but with the Microsoft anti-autoplay patch in place and activated, something odd happened the other day. I'm not sure why but I think I know how: removable media and hard disk started up autoplaying again, if only to open Windows Explorer or a choose-the-action dialog.

It appears to me now that a NoDriveTypeAutoRun entry under HKEY_LOCAL_MACHINE causes the documented HKEY_CURRENT_USER setting to be ignored. A value of 0xb1 seems to have appeared there by itself. Going by the following table,

0x1 or 0x80  Disables AutoRun on drives of unknown type
0x4          Disables AutoRun on removable drives
0x8          Disables AutoRun on fixed drives
0x10         Disables AutoRun on network drives
0x20         Disables AutoRun on CD-ROM drives
0x40         Disables AutoRun on RAM disks
0xFF         Disables AutoRun on all kinds of drives

- that meant that "fixed drives" and "removable drives" would autoplay.

http://support.microsoft.com/kb/967715

I don't know where that value came from. My recent operations include connecting a USB hard disk - apparently a "fixed drive" - that may have been registered in MountPoints2 previously, creating, deleting, and re-lettering partitions on the internal hard disk, and running a virus scanner from a Linux bootable CD called SystemRescueCD whose latest version apparently turned stable during the Christmas holiday. I've been soul-searching over that one; it's a popular tool that would be a good way to introduce a virus instead of detecting them, but a Linux-borne virus that bothers to interfere with Windows registry security settings and that causes visible changes of behaviour seems unlikely. Then again I believe SystemRescueCD is made by a French person :-)

For the Autorun.inf countermeasure described here... I think it would be an interesting refinement if it could be made to display a message such as "Execution of Autorun.inf on device E: was prevented using a clever remedy invented by Nick Brown. Press Escape or something." Well, something like that. That probably would require, at least, creating the registry key that in the current design is non-existent. Of course if Microsoft lets you disable AutoPlay entirely then you'll never see that, but... see start of my story!

Anonymous (2009-11-19 04:51):
It was extremely interesting for me to read this blog. Thanks for it. I like such topics and anything connected to this matter. I would like to read more soon.

Anonymous (2009-09-23 18:55):
dear nick,
first of all many thanks for an excellent article. I was especially impressed by the way you replied to all these questions, and even stayed polite if people asked things over and over :).
After travelling for one year and getting infected pretty much every time I grab pictures of someone, I always got infected - a pain in the ass, I can tell you.

I did read your whole article and all posts, leaving only one question for me to ask:
On a computer without your reg trick added, double-clicking or opening the drive triggers the virus - I know first hand. But:

What if I open "My Computer", then switch to folder view (View | Explorer Bar | Folders), then open the drive by only clicking on the little plus next to the drive letter on the left side of the Explorer window (or highlighting it with mouse or keyboard, then pressing the "right" key instead of Enter)?

Thanks in advance, keep up the good work,

dennis (currently in Thailand)

Nick Brown (2009-09-08 09:31):
Double-clicking an INF file just opens it in Notepad, or whatever other action you've defined. It's not related to the issue discussed here, as far as I know.

You could also just, er, try it and see what happens...

Anonymous (2009-09-08 04:33):
Many thanks to Nick - someone asked me this below, can anyone help please?

With this tweak, if you double-click a drive (like a CD drive) in Explorer, does any autorun.inf on a CD in there get executed despite the tweak?

Leon (2009-08-27 18:11):
This is a brilliant idea. Thanks Nick and team, keep up the good stuff. The world should thank you. ;)

Nick Brown (2009-07-26 21:45):
Hello Ryan,
For most memory stick worms, reinstalling the PC from scratch is probably excessive.

My suggestion would be to clean up your PC. That's beyond the scope of this reply; try AVG-Free or "Housecall" from Trend Micro.

Then, apply our registry hack, and you should be able to plug your removable media in without them infecting you. Go to the Autorun.inf file on each removable drive, open it in Notepad, note the names of the executables, delete those, and delete the Autorun.inf file itself.

Another option to delete the virus from removable storage is to plug it into a computer running anything but Windows and delete Autorun.inf from there. ;-)

Good luck,
Nick

Unknown (2009-07-26 20:03):
...I almost forgot. The worst part about this is that I always have a 250 GB external USB hard drive connected to my computer which I am of course using to back up all of my data. Is it infected as well? In other words, will it simply reinfect my computer upon reconnecting it to my reformatted computer?

Unknown (2009-07-26 19:58):
Hi Nick,

I was recently infected with a worm, the origin of which has not yet been determined. I am planning on zeroing my hard drive in the next week or so. After that, will it be safe to plug in my flash drives with known infections in order to try to clean them with antivirus software, or should I just throw them out? How can I be certain that the antivirus software I have (Windows Live OneCare) will be effective?

Also, I just plugged in my digital camera flash drive today and realized that it is also infected. Does this mean that my digital camera hard drives are infected? If so, how on earth will I remedy that?

Thanks so much,
Ryan

Nick Brown (2009-07-18 10:38):
The file to undo this hack just consists of two lines, although I suspect that if you just added the '-' in the second position of line 2 and left the third line in place, it would still work.

Anonymous (2009-07-18 01:25):
Nick, toward the top here was a tip for re-enabling AutoRun that added a - just inside of the left bracket. It did not say whether the third line would still be included or would be left out as well.
Which would be advised if someone wanted an "undo" for the AutoRun undo?

Anonymous (2009-06-17 15:39):
FYI we've noticed that this method of disabling autorun prevents the use of Kingston's DataTraveler Secure Privacy Edition encrypted USB disk too.

Nick Brown (2009-06-01 00:05):
Because that is AutoPlay, and this is AutoRun. Read the rest of the comments here to get an idea of the difference. They are two totally different things, with similar names thought up by similar marketing folks. ;-)

Anonymous (2009-05-31 03:03):
Hi Nick, thanks for the advice. I generally try to avoid messing with my registry though. How is your solution different from the following, which can be done through a normal Windows XP route?

1. Click Start > Run
2. Type "gpedit.msc"
3. Computer Configuration > Click "Administrative Templates" > Click "System" > Double-click "Turn off Autoplay"
4. Setting tab > Check "Enabled" > Select "All drives" from the drop-down menu > Apply > OK

I got these instructions from this website:

http://www.llbbl.com/2006/06/13/how-to-disable-autoplay/

Nick Brown (2009-04-27 14:26):
Sorry, I think you need a GPEdit expert. That's not me.
I don't trust registry edits that I didn't apply myself and which I can't verify by booting from another system root. :-)

Good luck,
Nick

Anonymous (2009-04-27 13:15):
Hi Nick! 1st of all, a zillion thanks to you for writing this blog post - it saves me from formatting my computer. BTW, I need some advice from you about this situation - I'm using WinXP Pro SP2, and using their auto-update, mine has updated to SP3. I had already disabled the autorun before the SP3 installation, but now, when I want to view it again (after upgrading), this occurs: 1, multiple warnings appear (http://i245.photobucket.com/albums/gg69/m2mdoh/m2md%20blog%20stuff/gpeditprobs.jpg); and 2, after clicking 4 times on that, the menus under Admin Template have gone too~~ (http://i245.photobucket.com/albums/gg69/m2mdoh/m2md%20blog%20stuff/gpeditprobs2.jpg). Now, I can't find the autorun under the System folder. Thanks again for your time and great help.

.: m2mdoh :.

Anonymous (2009-04-26 23:20):
Great tips from all, and thanks to Nick. Re: the tip from kOuD3LkA, I have been using a similar trick on my thumb drives; you can use lpt0-9 as well as CON and some other reserved keywords to make the subdir difficult to delete or overwrite.
But I wanted to share an experience I had fighting a nasty Virut infestation - these bugs will treat ANY drive other than the main partition as a mountable removable volume, including a secondary partition, and I found out (the hard way) one possible outcome of creating a "decoy" autorun.inf folder off the root of a secondary partition to block the dropping of a malicious autorun.inf file: a bluescreen on bootup.

It did help me flush out the last remnants of Virut hiding in that secondary partition, but not until after giving me a few more grey hairs that I didn't really need.

Nick Brown (2009-04-24 22:48):
I have no idea what a "U3 launchpad" is. But if you look through some of the other replies to this post, "U3" appears there somewhere.

Nick
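An added worked example, not code from Nick Brown's blog or from any commenter in the thread above. It covers two things the comments work through by hand: decoding a NoDriveTypeAutoRun value the way Robert Carnegie decoded 0xb1 against the KB 967715 table, and listing the executables an Autorun.inf would launch, which is the step Nick tells Ryan to do in Notepad before deleting the file. The helper names, the sample Autorun.inf (constructed for this example, not taken from a real infection) and the precedence rule in effective_mask (a machine-wide value overriding the per-user one, which is what Robert observed, with 0x91 assumed as the Windows XP default when neither is set) are this example's own assumptions.

```python
# Added example: not code from Nick Brown's blog or from any of the comments above.
# Helper names, the sample Autorun.inf and the precedence/default rule in
# effective_mask() are this example's own assumptions.
from typing import List, Optional

# NoDriveTypeAutoRun bits, as in the KB 967715 table Robert quotes above.
# A set bit DISABLES AutoRun for that drive type; 0x01 and 0x80 both cover
# "unknown", and 0xFF covers everything.
NO_DRIVE_TYPE_AUTORUN_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown",
}
DRIVE_TYPES = ("unknown", "removable", "fixed", "network", "CD-ROM", "RAM disk")


def autorun_enabled_types(mask: int) -> List[str]:
    """Drive types on which AutoRun is still ENABLED under the given mask."""
    disabled = {name for bit, name in NO_DRIVE_TYPE_AUTORUN_BITS.items() if mask & bit}
    return [t for t in DRIVE_TYPES if t not in disabled]


def effective_mask(hklm: Optional[int], hkcu: Optional[int], default: int = 0x91) -> int:
    """Which NoDriveTypeAutoRun value Explorer ends up using.

    Assumption for this example: a value under HKEY_LOCAL_MACHINE overrides the
    per-user one (Robert's observation above), and 0x91 is the Windows XP
    default when neither is set.
    """
    if hklm is not None:
        return hklm
    if hkcu is not None:
        return hkcu
    return default


def _first_token(value: str) -> str:
    """First command-line token of a value: a quoted path, or up to the first space."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 1 else value[1:]
    return value.split()[0] if value else ""


def autorun_executables(inf_text: str) -> List[str]:
    """Programs an Autorun.inf would launch: open=, shellexecute= and
    shell\\<verb>\\command= in any [autorun] or [autorun.<arch>] section,
    in order of first appearance, with arguments stripped.

    Parsed by hand rather than with configparser, because worm-written files
    often carry junk lines, duplicate keys and mixed casing.
    """
    found: List[str] = []
    section = None
    for raw in inf_text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section is None or not (section == "autorun" or section.startswith("autorun.")):
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        )
        if launches:
            exe = _first_token(value)
            if exe and exe not in found:
                found.append(exe)
    return found


# Constructed sample in the generic shape of a worm-written Autorun.inf
# (file names invented for this example, not taken from a real infection).
SAMPLE_AUTORUN_INF = """\
[AutoRun]
; constructed sample for this example
open=dropper.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
ShellExecute=dropper.exe /quiet
shell\\open\\command="sys\\update.exe" -x
shell\\explore\\command=sys\\update.exe -e
action=Open folder to view files
label=Holiday pictures
"""

if __name__ == "__main__":
    mask = effective_mask(hklm=0xB1, hkcu=0xFF)
    print(f"effective mask 0x{mask:02x}: AutoRun still enabled on {autorun_enabled_types(mask)}")
    print("Autorun.inf would launch:", autorun_executables(SAMPLE_AUTORUN_INF))
```

Run against Robert's 0xb1 the decoder reports removable, fixed and RAM-disk drives as still AutoRun-enabled, which matches what he saw for his removable and fixed drives, and an HKCU value of 0xFF makes no difference once the HKLM value is present. The Autorun.inf parser reads only the launch keys, so `icon=`, `label=` and `action=` lines, which worms routinely set to look like an ordinary disk, never end up on the delete list.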