Malwares’ distribution by USB-flash

From Total Malware Info

The method of malwares’ distribution bases on analysis content from USB-flash before the opening by OS Windows XP. If the root directory contains the file “Autorun.inf” then it takes the managing. It happens with CD or DVD that contains similar files. This file gets the managing when the USB-flash is open by “Explorer.” The implementation of this method can be possible when Autorun from removable disks is enabled by the register keys. This possibility is forbidden by default in Windows XP Pro, but it’s enabled by default in Windows XP Home, because it’s designed for an ordinary user. Due to these reasons these methods of malwares’ distribution haven’t become very popular yet. The malware can enable Autorun from removable disks and it could be done by a person (“Insider”).

How it works?

1. File “Autorun.inf” could be putted into a root directory of some removable disks. For example:

     	[AutoRun]
           open = <Path_To_Malware>
           shellexecute = <Path_To_Malware>

2. Executable file could be putted into a root directory or into some another directory on the removable disk.
3. The file “Autorun.inf” or a directory that contains this file has attributes “Hidden” and/or “System”.
4. The directories have the names like other system directories have:
   • "Recycler"
   • "System Restrore"
   • "ScanDiskLog" and etc.

Displaying the content from USB-flash by “Explorer”:

Availability of the follower is needed for copying the malwares to a USB-flash. The follower can be implemented or hidden by the next methods:

1. Using the Rootkit-technologies;
2. Using similar names as system directories have for the installation;
3. Injecting installer’s code into an application and interception the managing;
4. Registry changes or edition of configuration files. It provides autoload of the installer;
5. Loading the malware before the OS starting (System of drivers or BOOT-sector).

The following actions can reduce the probability of the malwares’ distribution by USB-flash:

1. Using file managers (FAR, Total Commander etc.);
2. Scanning removable disks by anti-virus before the opening;
3. Visual verification of the content before using (Hidden directories, file “Autorun.inf”, etc.);
4. Unable Autorun for removable disks.

This is the most reliable way. Unable Autorun and control the following registry keys:

For 2000, XP Pro, 2003:

Start – Run – type - ‘gpedit.msc’ – OK – Computer Configuration – Administrative Templates – System – Unable Autorun (choose where you want to unable). Then apply this command ‘gpupdate’ into console.

For XP Home:

1. Start – Run – type ‘regedit’ – OK;
2. Open HKLM\SOFTWARE\Micrоsoft\Windows\CurrentVersion\Policies.
3. Create a new part;
4. Rename the new part as “Explorer”;
5. Create the registry key NoDriveTypeAutoRun in this part : Possible registry keys:
   • 0x1 – unable Autorun for unknown drives;
   • 0x4 - unable Autorun for removable devises;
   • 0x8 - unable Autorun for irremovable devises;
   • 0x10 - unable Autorun for network drives;
   • 0x20 - unable Autorun for CD-drives;
   • 0x40 - unable Autorun for RAM-drives;
   • 0x80 – unable Autorun for unknown drives;
   • 0xFF – unable Autorun for all drives.
   The keys can be combined.

Also you can create a text file with extension “*reg” . The content of this file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Micrоoparationsystemoft\
Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun]
"NoDriveTypeAutoRun"=dword:000000b5

[HKEY_CURRENT_USER\Software\Micrоsoft\Windows\
CurrentVersion\Policies\Explorer]"NoDriveTypeAutoRun"=dword:000000b5

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files]
"*.*"=""