
Panda USB and AutoRun Vaccine - a cure for autorun viruses on a flash drive

On March 5 I wrote an article about the AUTOSTOP script for protecting flash drives from autorun viruses, and it received a considerable response. Only today am I getting to a new article about an alternative (more reliable) method: on one of the forums, in the thread discussing the script, someone pointed me to the Panda USB and AutoRun Vaccine program, which works by exactly the method I wanted to describe. And it works just brilliantly! The autorun.inf file it creates on a flash drive (so that a virus cannot create a file of that name) can be neither deleted nor renamed (which was the weakness of my script), nor modified, nor opened.

image

We will get to know the program more closely, consider its capabilities and the method on which the principle of operation is based.


METHOD


First of all, I will talk about the method.

Just a few days after my article was published, LiveJournal user __x_tra replied in my LiveJournal describing an alternative way to protect a flash drive from autorun viruses, which he came up with himself: a file or directory named AUTORUN.INF is created on the flash drive, and its attribute byte is set to an invalid value with WinHex. Let me remind you what the FAT32 File System Specification, better known as FATGEN, says (here we are considering protection of FAT-formatted flash drives):

File attributes:
ATTR_READ_ONLY 0x01
ATTR_HIDDEN 0x02
ATTR_SYSTEM 0x04
ATTR_VOLUME_ID 0x08
ATTR_DIRECTORY 0x10
ATTR_ARCHIVE 0x20
ATTR_LONG_NAME ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM | ATTR_VOLUME_ID
The upper two bits of the attribute byte are reserved and should always be set to 0 when a file is created and never modified or looked at after that.


In the variant __x_tra came up with, the two upper bits are set not to 0 but to 1. The attribute byte looked like this: 0xF7 (ATTR_ARCHIVE + ATTR_DIRECTORY + ATTR_SYSTEM + ATTR_HIDDEN + ATTR_READ_ONLY + the two high-order bits set to 11). Further options in the form of 0xC7, 0xD7 and 0xE7 were also offered. I tested the method - it turned out to work! An AUTORUN.INF with an attribute assigned this way could not be opened, renamed or modified. Only two factors bothered me:


PROGRAM


We now return to the Panda USB and AutoRun Vaccine program.

image

Let me remind you that "Panda USB Vaccine currently only works on FAT & FAT32 USB drives". The small file size (only 393 KB) and the spartan interface: everything is well thought out, nothing superfluous. I will add that the program is free.

I'll start with the "Vaccinate USB" button. I deliberately created an autorun.inf file with RAHS attributes on a flash drive - this did not stop the program, when I clicked the button, from overwriting it with its own file of the same name, which, as I said at the beginning of the article, "can be neither deleted nor renamed (which was the weakness of my script), nor modified, nor opened". Open the flash drive in WinHex and look at the attribute of the autorun.inf file. And what do we see:

image

We see that, similar to the __x_tra method, the file attribute has been changed: 0x40. In the article "FAT12, FAT16 and FAT32 Windows File System" we find the decoding that FATGEN lacks:

0x40 Device (internal use only, never found on disk)
0x80 Unused


That is, the 0x40 attribute is not so "incorrect" after all - it is "within specification". Frankly, I am very glad that the guys at Panda Software implemented this method in a tiny program, at the press of a single button - without forcing the user to resort to WinHex.

I note that the program cannot un-vaccinate a flash drive. If you need to create your own autorun.inf on a flash drive (for example, to make it bootable), then WinHex can help you, or reformatting (for which, by the way, the HP USB Disk Storage Format Tool is good).

The program's second button is "Vaccinate computer". Let's check what it does:

image

This is familiar to me (even before creating the AUTOSTOP script I used this very method), invented by Nick Brown:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

@SYS:DoesNotExist tells Explorer not to read the autorun parameters from the Autorun.inf file, but to read them instead from the registry branch HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist, which does not exist. As a result, if external media contains an Autorun.inf file, nothing from Autorun.inf runs when the media is connected to the computer. Moreover, it does not run even when you double-click the drive letter of that media in Explorer.

The method is good (I note that the program can undo this action, in case the user needs autorun, by pressing the same button again, which now reads "Remove vaccine"), but I will add that to disable autorun completely you will need to add 3 more registry keys (in the syntax I give, they are added via a bat file):



Of the program's additional features I note the following: if you start the program with a command-line switch (besides this one there are several more - see the program page)

USBVaccine.exe /resident

then it stays resident, and when a new flash drive is connected it offers to vaccinate it:

image

FINDINGS


Of the currently known methods for protecting FAT flash drives from autorun viruses, this is the most reliable. Clearly, since Panda Software was able to do this in a program, sooner or later virus writers will learn to do it too - but that is a matter of time, and in this case time has been won, and the gain is on the side of protection.

* It is interesting that Panda USB Vaccine 1.0.0.19 beta was released on March 5 - the same day my article about the AUTOSTOP script was written. Perhaps in the future March 5 will be called the international day of the fight against autorun viruses :)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

UPD:


In the comments the idea was expressed that it would be logical to make the protected autorun.inf file created by Panda USB and AutoRun Vaccine hidden (so that it does not catch the user's eye and provoke him into reformatting the flash drive, destroying the protection). And here Inskin found an elegant solution that, in fact, lay on the surface: the file attributes are bitwise. Add 0x40 (01000000) + 0x01 (00000001) + 0x02 (00000010) + 0x04 (00000100) and we get 0x47 (01000111): a protected file with RHS attributes. In the figure, at the top is a fragment of the WinHex line, and below it part of the FAR window:



I got in touch with __x_tra, and he kindly agreed to help.
The modified version, which sets the attribute 0x47 on the file (use at your own risk): USBVaccine_47.zip (USBVaccine_47.exe, size 1 182 464 bytes; the size is larger than the original version because the original is compressed with UPX; MD5: 5e3eb34bb09b1dda31dae00d8cd3521).
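To make the attribute-byte arithmetic from the METHOD section and this UPD concrete, here is an added example (my own, not part of the article or of Panda's program) that decodes the FATGEN attribute bits, including the reserved 0x40/0x80 bits, and scans a raw FAT directory region for AUTORUN.INF entries to report whether they carry a "vaccinated" attribute such as 0x40 or 0x47. The directory entries are constructed inline; a real check would read the root-directory sectors of the flash drive with a raw-disk tool.

```python
import struct

# FATGEN attribute bits plus the two reserved high bits (0x40 "Device", 0x80 "Unused")
ATTR_READ_ONLY, ATTR_HIDDEN, ATTR_SYSTEM = 0x01, 0x02, 0x04
ATTR_VOLUME_ID, ATTR_DIRECTORY, ATTR_ARCHIVE = 0x08, 0x10, 0x20
ATTR_RESERVED_40, ATTR_RESERVED_80 = 0x40, 0x80
ATTR_LONG_NAME = ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM | ATTR_VOLUME_ID
ATTR_LETTERS = {0x01: "R", 0x02: "H", 0x04: "S", 0x08: "V",
                0x10: "D", 0x20: "A", 0x40: "res40", 0x80: "res80"}


def compose_attr(*bits):
    """OR attribute bits together, e.g. 0x40 + R + H + S -> 0x47 (the UPD variant)."""
    attr = 0
    for b in bits:
        attr |= b
    return attr


def decode_attr(attr):
    """Return the flag names set in one directory-entry attribute byte."""
    return [name for bit, name in ATTR_LETTERS.items() if attr & bit]


def is_vaccinated(attr):
    """True when a reserved high bit is set: such an entry cannot be opened,
    renamed or deleted through the normal file API (the article's protection)."""
    return bool(attr & (ATTR_RESERVED_40 | ATTR_RESERVED_80))


def scan_directory(region):
    """Walk 32-byte short-name entries of a raw FAT directory and report AUTORUN.INF."""
    hits = []
    for off in range(0, len(region) - 31, 32):
        entry = region[off:off + 32]
        if entry[0] == 0x00:          # end-of-directory marker
            break
        if entry[0] == 0xE5:          # deleted entry
            continue
        attr = entry[11]
        if attr & ATTR_LONG_NAME == ATTR_LONG_NAME:   # LFN entry, skip it
            continue
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        if name.upper() == "AUTORUN" and ext.upper() == "INF":
            hits.append((attr, is_vaccinated(attr), decode_attr(attr)))
    return hits


def make_entry(name8, ext3, attr):
    """Constructed short-name entry: name, ext, attr byte, then 20 zero bytes (times, cluster, size)."""
    return struct.pack("<8s3sB20x", name8.ljust(8).encode(), ext3.ljust(3).encode(), attr)


# Constructed sample directory: an ordinary file, a vaccinated AUTORUN.INF (0x47), end marker
SAMPLE_DIR = make_entry("README", "TXT", ATTR_ARCHIVE) + make_entry("AUTORUN", "INF", 0x47) + bytes(32)
```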

Source: https://habr.com/ru/post/54187/
