Panda USB and AutoRun Vaccine

The MS Windows OS-es uses the AUTORUN.INF file from removable drives (USB, CD, DVD,…) in order to know which actions to perform when a new external storage device is inserted into the PC. This is good for movies, install CDs and other friendly “things” but unfortunately the malware uses the same way to attack your computer…

The AUTORUN.INF file is a configuration file that is normally located in the root directory of removable media. The malware achieves this by copying a malicious executable in the drive and modifying the AUTORUN.INF file. Windows will open this malicious file silently as soon as the drive is mounted and you probably wouldn’t notice this until you see something strange with your computer. Then it is already to late 🙁

Panda USB Vaccine is a free solution designed to protect your computer against this threats. You can disable AutoRun feature on computer and USB drives. This is a very useful tool as there is no easiest way to disable the AutoRun feature.

USB

When ever you insert USB removable drive, you will be asked to vaccinate it.

Part 2

The lines above are made for regular Windows users and here is the hard way to “vaccinate” your removable drives without Panda software.

If you don’t have autorun.inf file on your removable drive, create a blank autorun.inf with your favorite text editor (Notepad or Notepad2 for example). The main idea is to have autorun.inf on your drive, but it should be “damaged” so we won’t be able to delete it (unless you format your drive), edit, rename, etc. I forget to say, that you should leave this file empty (blank).

Its best to make sure the USB key is blank or data backed up before going to next step. Download HEX editor for Windows (for example HxD) and open your USB device in read and write mode (Extras – Open Disk – choose USB drive and remove check box from “Open as Readonly”). Search the disk for the string “autorun” in non-unicode form.

41 55 54 4F 52 55 4E 20 49 4E 46 20
A  U  T  O  R  U  N     I  N  F

All we need to change is the last byte. The current value of the byte is 0×20 has the archive bit set. Change this byte to 0×40, which sets the device bit (which is never normally found on a disk) and save changes.

HxD

41 55 54 4F 52 55 4E 20 49 4E 46 40
A  U  T  O  R  U  N     I  N  F  @

To test this operation, try to delete autorun.inf file. You should see the warning pop-up with an error.

1 thought on “Panda USB and AutoRun Vaccine

Leave a Reply

Your email address will not be published. Required fields are marked *