Thursday, July 9, 2009

USB Drives and the Autorun.inf

USB drives have made our lives much easier: you can move data between computers and keep large files for long-term use with ease. Virus writers did not want to lag behind, and they saw the drives as a perfect channel for distributing malicious files. Worms, viruses, trojans and other malicious programs do far more damage when an infected system can make copies of them and pass them on to other systems, either with the help of users or through automated actions.

Most computer users who have used a removable drive have at some point come into contact with a malicious file (virus, worm or trojan) residing on it. Normally the antivirus on the system should detect and clean the infection, but often the drive itself stays infected. It then comes down to the user to find and delete the infected files on the drive by hand.

Most malicious files that reside on a USB drive infect your computer when the user opens the removable drive from My Computer, or when its default action is performed through the Windows AutoRun feature. Even merely double-clicking the drive can infect a system, because the autorun.inf on the drive can redefine what that double-click does.

An autorun.inf file is a plain-text configuration file that resides in the root of a drive (local hard drives, USB drives, CD-ROMs, DVDs and so on) and describes the actions to perform when a user performs the default action on the drive. The default action is the one shown in bold in the right-click context menu of the drive in My Computer (as for any Windows object). For example, the default action on a folder or a drive is to Open it. For a file it is to open the file with the associated program. For the Local Area Connection object in Network Connections it is to show the Status of the connection.


An autorun.inf file normally names the file to open when the user performs the default action, which icon to show for the drive, and so on. You may have encountered legitimate autorun.inf files on CD-ROMs and DVDs: when you insert a CD-ROM containing software or game installation files (with AutoRun enabled and an autorun.inf present), the installation menu pops up and lets you install the software. Windows reads the autorun.inf to find the name of the executable to run, if any, and runs it automatically. A malicious autorun.inf typically goes further and also redefines the drive's context-menu verbs (open, explore), so that the default action on the drive itself starts the malware instead of opening the drive.

A simple autorun.inf file would contain the following:
[autorun]
Open=executable.exe
Icon=autorun.ico

Viruses go a step further in concealing their presence on the drive. They set the hidden and system attributes on both the autorun.inf and the executable, so the files stay invisible even after you ask Explorer to show hidden files (Explorer hides system files separately, under "Hide protected operating system files"). There are several ways to confirm whether an autorun.inf is present in the root of your removable drive. The easiest is Start > Run > J:\autorun.inf, where J is the drive letter of your USB drive: if Notepad opens with the contents of the file, the file is obviously present; otherwise Windows displays a location-unavailable error. The other method is to open a command prompt, change to the drive and run the attrib command to see the attributes of the files in the root of the drive. If there is an autorun.inf file, be curious; if it has the S and H attributes set, be suspicious.
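Once you can see the autorun.inf, the question is which of its entries can actually start a program. The following is an added example, my own code rather than anything from the original post: it parses an autorun.inf offline, lists the programs the file can make Windows launch, reports which Explorer verbs it redirects, and produces the attrib/del lines for the manual clean-up. The two sample files are constructed for the example, not real specimens, and the parsing assumes plain INI semantics (only the [autorun] section, case-insensitive keys, ; comments, first occurrence of a key wins), which is how I take Windows to read the file.

```python
"""Added example: parse an autorun.inf offline and list what it can make Windows run.

Assumptions (not stated on the page): Windows reads only the [autorun] section,
keys are case-insensitive, ';' starts a comment and the first occurrence of a key
wins, i.e. plain INI semantics as read through GetPrivateProfileString.
"""
from typing import Dict, List

SECTION = "autorun"
# Context-menu verbs a user can trigger on a drive in Explorer. Double-clicking a
# drive runs its default verb, which is "open" unless the file sets "shell=<verb>".
EXPLORER_VERBS = ("open", "explore", "autoplay", "find")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a lowercase key -> value map."""
    values: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == SECTION
            continue
        if not in_section or "=" not in line:
            continue                       # other sections, or junk lines
        key, _, value = line.partition("=")
        values.setdefault(key.strip().lower(), value.strip())   # first one wins
    return values


def program_path(command: str) -> str:
    """The program a command line starts: the quoted part, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def launch_targets(values: Dict[str, str]) -> Dict[str, str]:
    """Map every launching key to the program it names.

    open= / shellexecute=   run by AutoPlay when the drive is inserted
    shell\\<verb>\\command=   replaces that verb in the drive's context menu
    """
    targets: Dict[str, str] = {}
    for key, value in values.items():
        if key in ("open", "shellexecute"):
            targets[key] = program_path(value)
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            targets["shell\\" + verb] = program_path(value)
    return targets


def hijacked_verbs(values: Dict[str, str]) -> List[str]:
    """Verbs the file redirects to its own program: this is what turns a
    double-click (or 'Explore') on the drive into code execution."""
    targets = launch_targets(values)
    verbs = list(EXPLORER_VERBS)
    default = values.get("shell", "").lower()    # shell=<verb> changes the default verb
    if default and default not in verbs:
        verbs.append(default)
    return ["shell\\" + v for v in verbs if "shell\\" + v in targets]


def on_drive(path: str) -> bool:
    """True for a path relative to the drive root, i.e. a file we can delete there."""
    return bool(path) and ":" not in path and not path.startswith(("\\", "%"))


def cleanup_commands(text: str) -> List[str]:
    """cmd.exe lines for the manual clean-up: strip S/H/R and delete each referenced
    program that lives on the drive, then the autorun.inf itself."""
    paths: List[str] = []
    for path in launch_targets(parse_autorun(text)).values():
        if on_drive(path) and path.lower() not in [p.lower() for p in paths]:
            paths.append(path)
    paths.append("autorun.inf")
    commands: List[str] = []
    for path in paths:
        commands.append(f'attrib -s -h -r "{path}"')
        commands.append(f'del "{path}"')
    return commands


# Constructed samples for this example, not real specimens.
WORM_SAMPLE = r"""[AutoRun]
; comment lines are ignored, as Windows ignores them
OPEN=recycler\setup.exe
icon=%SystemRoot%\system32\shell32.dll,4
shell\open=Open
shell\open\command=recycler\setup.exe
shell\explore=Explore
shell\explore\command="recycler\setup.exe" /e
shellexecute=recycler\setup.exe
"""

INSTALLER_SAMPLE = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

if __name__ == "__main__":
    for name, sample in (("worm-style", WORM_SAMPLE), ("installer-style", INSTALLER_SAMPLE)):
        values = parse_autorun(sample)
        print(f"{name}: launches {launch_targets(values)}; hijacked verbs {hijacked_verbs(values)}")
        print("  cleanup:", *cleanup_commands(sample), sep="\n  ")
```

The installer-style file only uses open=, which AutoPlay acts on at insertion time; the worm-style file additionally rewrites the open and explore verbs, which is why double-clicking such a drive runs the program. The clean-up lines are deliberately limited to paths relative to the drive root, so a reference to a file on the host (an absolute path or one under %SystemRoot%) is reported but not turned into a del.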

Now that is time-consuming, some would say. I agree. So, to ease my pain, I modified the right-click menu of the drives through the Windows registry and added an option to view the attributes of the files in the root of the drive.


Here’s how:
Open the Windows Registry Editor by going to Start > Run > regedit
Navigate to HKEY_CLASSES_ROOT\Drive\shell in the left-hand tree. Right-click shell and select New > Key; name the key anything you want. Right-click the (Default) value on the right-hand side under the new key and select Modify. Set the Value data to whatever string you want to see in the right-click menu of the drives, then click OK.


Right-click the new key you created, create another key beneath it and name it command. Double-click the (Default) value under the command key and type the following in the Edit String box that pops up:

cmd /k echo Showing File Attributes && pushd "%1" && attrib && type autorun.inf && echo . && pause && exit


Click OK and close the registry editor. If everything went as described, you should now have another option in the right-click menu of the drives in My Computer. It shows the names and attributes of the files in the root of the drive, plus the contents of autorun.inf if it exists, without opening the drive itself. The command prompt window closes when any key is pressed. One caveat: the commands are chained with &&, so if there is no autorun.inf, type fails and the chain stops before pause; because of cmd /k the window then stays open at a prompt on the drive, which is itself your answer.
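For reference, the same change expressed as a .reg file, reconstructed here from the steps above. This is an added example, not the author's driveattrib.reg: the key name ShowAttrib and the menu text are my choices, and the command is the one given above with its quotes escaped as the .reg format requires.

```reg
Windows Registry Editor Version 5.00

; Adds a verb to the context menu of every drive in My Computer (HKCR\Drive).
[HKEY_CLASSES_ROOT\Drive\shell\ShowAttrib]
@="Show root file attributes"

; %1 expands to the drive, e.g. J:\ ; a quote inside a .reg string is written as \"
[HKEY_CLASSES_ROOT\Drive\shell\ShowAttrib\command]
@="cmd /k echo Showing File Attributes && pushd \"%1\" && attrib && type autorun.inf && echo . && pause && exit"
```

Double-clicking the file merges it after a confirmation prompt. To remove the menu entry again, delete the ShowAttrib key under HKEY_CLASSES_ROOT\Drive\shell in regedit, or merge a .reg file containing the line [-HKEY_CLASSES_ROOT\Drive\shell\ShowAttrib], which deletes that key and everything beneath it.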



As the autorun.inf file gives the name of the executable, you can delete it using the path from the autorun.inf (the path is relative to the root of the drive). If the executable also has the S and H attributes set, run attrib -s -h -r on it to remove the attributes, after which a simple del deletes it. Then remove the attributes from autorun.inf the same way and delete it too. Safely remove the USB drive and reinsert it to complete the task. Bear in mind that this cleans the drive only: if the default action has already run on this computer, the machine itself may be infected and will put the files straight back onto the drive.

This Microsoft Knowledge Base article provides an excellent procedure for disabling AutoRun completely:

USB removable drive cleaned, without an antivirus. Time for some coffee.

Update: Download the driveattrib.zip file using the link given below. Extract driveattrib.reg and double-click it to add its contents to the Windows Registry, which automates the whole procedure. Click Yes when asked for confirmation.

1 comment:

  1. Brilliant. Now I can finally use USB sticks on my imaginary windows home computer! Yaay! Good article.