
AutoRun in Windows considered harmful

Recently I started taking a basic course in Computer-Aided Design (CAD) at George Brown College – mostly for interest’s sake, although it’s partly because my day job at CBC is exposing me more and more to the engineering side of things, and I imagine it’ll only be a matter of time before I’ll have to start looking at technical drawings. The instructor recommended on day one that we all purchase USB memory keys to save our work, because there are no personal home directories on the George Brown network. Thus begins the sorry tale of how I managed to get a virus on my CBC-issued Windows laptop – thanks Microsoft!

Many of you know that Windows has an AutoRun “feature” (the mechanism behind the AutoPlay prompt) that reads an autorun.inf file from the root of any newly inserted media and launches the program named by its open= or shellexecute= directive; the same file can also redefine what “Open” and “Explore” do when you double-click the drive in My Computer. I always thought this was a terribly annoying feature even back in the days of Windows 95 and CD-ROMs, but now it’s being exploited as a vector for virus propagation. This is exactly what happened to me: it turns out that George Brown has a nasty worm called WORM_LEGMIR.FU floating around their network, and it copies itself, together with an autorun.inf that points at it, to any writable removable media, like your USB stick. Thanks to AutoRun, when you subsequently take that USB stick and insert it in another Windows computer (or just double-click the drive), that machine is instantly infected. Thanks Bill!
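As an added example (not code from this post, nor from Trend Micro's write-up), here is a small Python triage script that reads an autorun.inf the lenient way Windows does and reports what would run on insertion, which Explorer verbs have been hijacked, and what the AutoPlay entry has been relabelled to. The sample autorun.inf is constructed; the RECYCLER path and the svchost.exe file name are illustrative assumptions, not details taken from the WORM_LEGMIR.FU description, and the "suspicious" heuristic at the end is likewise my own rule of thumb.

```python
"""Triage an autorun.inf the way Windows AutoRun reads it (added example)."""
import re

# shell\<verb>\command=... redefines what Explorer runs for that verb.
SHELL_CMD = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)

# Constructed sample in the style of a USB-propagating worm (assumption: the
# RECYCLER directory and the svchost.exe name are illustrative only).
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
;junk line that Windows ignores, worms often pad the file with these
open=RECYCLER\svchost.exe
shell\open\Command=RECYCLER\svchost.exe
shell\explore=E&xplore
shell\explore\command=RECYCLER\svchost.exe
shell=open
action=Open folder to view files
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def parse_autorun(text):
    """Return {section: {key: value}} with section names and keys lowercased.

    Blank lines, ';' comments and lines without '=' are skipped, which is how
    Windows treats them, so configparser's strictness is deliberately avoided.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def on_insert_targets(text):
    """Programs AutoRun launches on insertion: the open= and shellexecute= targets."""
    autorun = parse_autorun(text).get("autorun", {})
    return [autorun[k] for k in ("open", "shellexecute") if k in autorun]


def verb_overrides(text):
    """Map verb -> command for every shell\\<verb>\\command entry, i.e. what runs
    when the user picks Open or Explore on the drive in My Computer."""
    autorun = parse_autorun(text).get("autorun", {})
    verbs = {}
    for key, value in autorun.items():
        match = SHELL_CMD.match(key)
        if match:
            verbs[match.group(1).lower()] = value
    return verbs


def triage(text):
    """Summarise what the file would do and flag the worm-like pattern."""
    autorun = parse_autorun(text).get("autorun", {})
    report = {
        "on_insert": on_insert_targets(text),
        "verb_overrides": verb_overrides(text),
        "default_verb": autorun.get("shell"),
        "dialog_label": autorun.get("action"),
    }
    # Heuristic (assumption): install CDs run a setup program on insert but do
    # not hijack Explorer's Open/Explore verbs; a file that does both is
    # characteristic of media-propagating worms.
    hijacked = {"open", "explore"} & set(report["verb_overrides"])
    report["suspicious"] = bool(report["on_insert"]) and bool(hijacked)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUTORUN_INF).items():
        print(f"{key}: {value}")
```

Run it against the autorun.inf copied off a suspect stick from a Linux or Mac box (never by mounting it on Windows) and you get, in one glance, the path the worm lives at and every verb it has hooked; the same paths are what you then delete along with the autorun.inf itself.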

It gets better. Many anti-virus programs, such as the CA eTrust that my company uses, are unable to fully remove the worm from the computer, because Windows has some other wonderful features, such as Super Hidden files: the ShowSuperHidden value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced controls whether Explorer displays files that have both the Hidden and System attributes set, and it is off by default. These files actually have nothing more than the Hidden and System bits set, but with that setting off Explorer simply won’t show them, and the ordinary “show hidden files” option in Folder Options doesn’t reveal them either, so a typical user has no idea they are there. (They can still be listed, have their attributes cleared with attrib and be deleted from a command prompt, but nothing in the GUI hints at that.) It’s a perfect mechanism for viruses to park their DLLs and EXEs where most users will never see them, let alone delete them!

This set of so-called “features” just illustrates the shoddiness of Microsoft’s software design. Again, it’s clear that these features come from marketing departments, rather than having been derived from any sound technical analysis. In retrospect, my laptop really had no chance; the fact that you can infect a Windows-based PC by doing nothing more than walking up to it and inserting a piece of removable media (even a CD-ROM) is stunning. To close this particular attack vector you must reconfigure the operating system beforehand, disabling AutoRun for every drive type (the NoDriveTypeAutoRun registry policy, which does more than merely dismissing the AutoPlay prompt), or, I suppose, glue your USB slots shut and remove the CD-ROM or floppy drive.

I did manage to disinfect my laptop by following the instructions on Trend Micro’s website – but those instructions aren’t for the faint of heart. (I also had to put the USB stick in my Linux PC and delete the offending autorun.inf and the virus, because obviously I wasn’t going to put it in another Windows PC to do that!) Many of my fellow not-so-computer-savvy classmates came to the conclusion that they should just throw away their $50 USB sticks and get new ones; something I can’t wholly discourage if they don’t have access to a Linux box or a Mac.