Panda USB and AutoRun Vaccine - a cure for autorun viruses on a flash drive

    On March 5, I wrote my article on the AUTOSTOP script to protect flash drives from autorun viruses, which received a considerable response. And just today I was going to write a new article about an alternative (more reliable) method, as on one of the resources, in the topic devoted to the discussion of the script, I was prompted by the Panda USB and AutoRun Vaccine program , working exactly according to the method that I wanted to describe. And working just brilliantly ! The autorun.inf file created by it on a USB flash drive (in order to prevent the creation of such a file by a virus) can neither be deleted nor renamed (what was the weakness of my script), nor modified, nor opened.

    image

    Let's get to know the program better, consider its capabilities and the method on which the principle of work is based.


    METHOD


    First of all, I will talk about the method.

    Just a few days after I published the article, LJ __x_tra user
    unsubscribed in my LJ about an alternative way to protect a flash drive from autorun viruses, which he came up with: a file or directory called AUTORUN.INF is created on the flash drive, and using WinHex this file or directory an invalid attribute is set. Let me remind you that according to the FAT32 File System Specification , better known as FATGEN (we are considering the protection of flash drives with FAT here): In the version invented by __x_tra

    File attributes:
    ATTR_READ_ONLY 0x01
    ATTR_HIDDEN 0x02
    ATTR_SYSTEM 0x04
    ATTR_VOLUME_ID 0x08
    ATTR_DIRECTORY 0x10
    ATTR_ARCHIVE 0x20
    ATTR_LONG_NAME ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM | ATTR_VOLUME_ID
    The upper two bits of the attribute byte are reserved and should always be set to 0 when a file is created and never modified or looked at after that.


    it was proposed to put the two upper bits not in 0, but in 1. The attribute byte turned out like this: 0xF7 (ATTR_ARCHIVE + ATTR_DIRECTORY + ATTR_SYSTEM + ATTR_HIDDEN + ATTR_READ_ONLY + two high bits 11). Possible options in the form of 0xC7, 0xD7, 0xE7 were also offered. I tested the method - it turned out to be working! AUTORUN.INF with the attribute assigned in this way could not be opened, renamed and modified. I was only confused by 2 factors:
    • The correctness of this method: how it will affect the performance of the file system.
    • Repeatability of the method: how to explain to a simple user what WinHex is and what it is eaten with.


    PROGRAM


    Now back to the Panda USB and AutoRun Vaccine program.

    image

    Let me remind you that "Panda USB Vaccine currently only works on FAT & FAT32 USB drives." Small file size (only 393Kb) and Spartan interface - everything is thought out, nothing more. I will add that the program is free.

    I'll start with the “Vaccinate USB” button . I deliberately created an autorun.inf file with RAHS attributes on a flash drive in advance - this in no way prevented the program from clicking on the button to overwrite it with my file of the same name, which, as I said at the beginning of the article, “cannot be deleted or renamed (in what was the weakness of my script), neither to modify nor to open. " Open the USB flash drive in WinHex, look at the attribute of the autorun.inf file. And what do we see:

    image

    We see what is similar to the __x_tra method, file attribute changed: 0x40 . In the article FAT12, FAT16 and FAT32 Windows File System we find a decryption that is not in FATGEN: i.e. attribute 0x40 is not so “incorrect” - it is “within the specifications”. To be honest, I am very glad that the guys from Panda Software implemented this method in a tiny program, by pressing just one button - without forcing the user to resort to WinHex. I note that it is impossible to cancel vaccination of a flash drive using the program. If there is a need to create your autorun.inf on a USB flash drive (for example, to make it bootable), then WinHex can help you or reformat it (for this purpose, by the way, it is good to use the HP USB Disk Storage Format Tool). The second button of the program "Vaccinate computer"

    0x40 Device (internal use only, never found on disk)
    0x80 Unused






    . We verify that it does:

    image

    It's familiar to me (before the creation AUTOSTOP script, I used this method) Nick Brown invented the method : the SYS : DoesNotExist Explorer'u says that he did not read startup options from the Autorun.inf file, and read them in the thread registry HKEY_LOCAL_MACHINE \ SOFTWARE \ DoesNotExist, which does not exist. As a result, if the external medium contains the Autorun.inf file, then when the medium is connected to the computer, Autorun.inf does not start. Moreover, it does not start even when double-clicking on the drive letter of this medium in the explorer. The method is good (I note that the program has a function to undo this action, in case the user still needs an autorun, by pressing the button again, the inscription on which will be

    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"



    “Remove vaccine” ), but I’ll add that to completely disable autorun, it will be necessary to add 3 more registry keys (in the syntax I gave, they are added through the bat file):

    • REG ADD "HKLM \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ AutoplayHandlers \ CancelAutoplay \ Files" / v "*. *" / D "" / f
      CancelAutoplay \ Files contains text parameters containing the names of the files found on the media the built-in AutoRun will not start and will allow the media to start through autorun.inf. Add a string parameter of the following content: *. * (All files).
    • REG ADD "HKLM \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ policies \ Explorer" / v NoDriveTypeAutoRun / t REG_DWORD / d 255 / f
      Using NoDriveAutoRun, it is forbidden to boot from specific drives by their letter designation, and NoDriveTypeAutoRun prevents them from loading from specific drives by type. Since we do not need autoran at all, we use the second.
    • REG ADD "HKLM \ SYSTEM \ CurrentControlSet \ Services \ Cdrom" / v AutoRun / t REG_DWORD / d 0 / f
      Cdrom - completely disable all support for autorun CDs (even manual).


    Among the additional features of the program, I note the following: if you start the program with a key (besides this key there are several more - see the program page )

    USBVaccine.exe /resident

    then it will hang residently, and when you connect a new flash drive, it will offer to vaccinate it:

    image

    CONCLUSIONS


    Of the methods known to me today to protect flash drives with FAT from autorun viruses, this is the most reliable. It is clear that since the Panda Software program can do such things, sooner or later virus writers can learn this too - but this is a matter of time, and in this case time is won, and the gain is in favor of protection.

    * It is interesting that the Panda USB Vaccine 1.0.0.19 beta program was released on March 5, the same day that my article about the AUTOSTOP script was written. Perhaps in the future March 5 will be called the international day against autorun viruses :)

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    UPD:


    In the comments, the idea was expressed that it would be logical to make the protected autorun.inf file created by “Panda USB and AutoRun Vaccine” hidden (so as not to catch the user's eye and not provoke him to reformat the flash drive, destroying the protection). And Inskin found an elegant solution that, in general, lay on the surface: the file attributes are bitwise. Add 0x40 (01000000) + 0x01 (00000001) + 0x02 (00000010) + 0x04 (00000100), we get 0x47 (01000111), and we have a protected file with RHS attributes . In the figure above, a fragment of the WinHex line, below it is part of the FAR window:



    I wrote off __x_tra , and he kindly agreed to help.
    A modified version that sets the file attribute 0x47 (use at your own risk):USBVaccine_47.zip (USBVaccine_47.exe, size - 1 182 464 bytes, the size is larger than the original version, because the original is compressed by UPX, MD5: 5e3eb34bb09b1dda31dae0dfd8cd3521).

    Also popular now: