Autorun is a feature of Windows Operating System generally used by CD’s to automatically load desired application when you insert the CD or double-click the CD drive. This feature is exploited by virus writers to spread virus via removable drives, so that when you double-click your removable drive (pen drive, thumb drive, usb mass storage devices, mobiles, digital camera, etc.), the desired virus application runs on your system without your knowledge and infects your computer.

You always have questions like:
What is autorun.inf?
Is autorun.inf a virus?
How is autorun.inf help virus to execute?
How to use safely view files inside a removable drive or pendrive?
How to safely remove autorun.inf file?
What are the precautions measures?
Does autorun.inf folder really prevents virus infection?
How Right click and Explore on removable drive can still infect your system?
How to create your own autorun.inf file for CDs?

Autorun.inf

This is a configuration file that has the instructions to be performed when you double-click / right-click the drive icon.

It may also contain information about the icon of the drive.

This file can be found in the root directory of the removable drive or CD drives. E.g., “E:\autorun.inf”

Most people think it’s a virus, but it’s not. But it is of great help for the spread of virus. It is effective only if there also exists some infecting virus file along with it. All alone, this file is harmless. The only use of autorun.inf to to execute the targeted virus file.

Autorun.inf controls the following

-Icon of the drive
-Double-click
-Right-click menu
-Autoplay
-Autoplay menu

How to increase internet speed
How to prevent phishing attacks
How to block proxy websites for schools
How to change DNS server

Wiki DNS Server

DNS Server translates URL names to IP addresses.
It has also been used by ISPs to redirect to advertisements.

http://en.wikipedia.org/wiki/Domain_Name_System

Why do you need a DNS server?

To access any website, say Google, you need to know only its URL, that is www.google.com, you need not know the IP address where the website is running from, which is actually an alternate way, http://74.125.236.81/.

DNS server resolves the easy-to-remember URL to its corresponding not-so-easy-to-remember IP address.

Flushing existing DNS

Once resolved, the URL-IP is saved for a few hours/days locally.
Open CMD prompt and give the following commands
ipconfig /flushdns

Benefits of using DNS servers

Faster DNS resolution
Phishing protection
Web content filtering
Detailed statistics
Typo correction
No software to install
Real time protection

Free DNS Providers

Check out each DNS servers to find out what features they provide

Google Free DNS

8.8.8.8
8.8.4.4

http://code.google.com/speed/public-dns/

OpenDNS

208.67.222.222
208.67.220.220

https://store.opendns.com/get/home-free

OpenDNS (Family shield)

208.67.222.123
208.67.220.123

Norton DNS Security

198.153.192.60
198.153.194.60

https://dns.norton.com/dnsweb/dnsForHome.do

How to change DNS

There are two methods to change DNS.

1. Changing DNS for individual computer

Control Panel > Network Connections > {your internet connection} > Properties > Internet Protocol (TCP/IP) > Properties > General tab > Use the following DNS server addresses
Enter the Primary and Secondary DNS Server name.
Note : Changing DNS will not affect your IP address.

Changing DNS settings

2. Changing DNS for the Router for all connected computers

Open the router setting website. Generally http://192.168.0.1/ or http://192.168.1.1/
Enter login ID and password. Generally admin and admin.
Navigate to Interface Setup > LAN
Change DNS Relay option to Use User Discovered DNS Server Only
Enter the Primary and Secondary DNS Server name.
Note : The above mentioned settings may vary from router to router.

DNS Setting for Router

Anti-virus websites are blocked.
Search engines are blocked.
When you try to open a website, some unexpected website loads.
Hosts file is hijacked.

Wiki for HOSTS file

The “hosts” file is a system file used to map hostnames to IP addresses.
By default, there is only one entry in the file.

With this setting, the actual website at http://127.0.0.1/ can be accessed when you enter http://localhost/ in browser.

How would you feel, if you type google.com is any browser and you land somewhere else.

Viruses may modify hosts file for silent phishing attack, blocking anti-virus websites, blocking search engines.

Example

The following modified hosts file will have two implications
Access to the website kaspersky.com will be blocked.
Access to the website google.com will redirect you to yahoo.com(98.137.149.56).

127.0.0.1 localhost

# Following redirections may be added by virus
127.0.0.1 kaspersky.com # This will block the kaspersky website
98.137.149.56 google.com # This will redirect to some other website(98.137.149.56), when you try accessing google

The Real Threat

Because of its role in local name resolution, the hosts file represents an attack vector for malicious software.
Viruses modify the hosts file to redirect you to malicious/fraud/unwanted websites when you try to open legitimate website.
On the web-browser’s address bar you will see the correct address that you have entered, but the actual contents will be from the malicious website.

Type 1 : DOS Attack

The file may be hijacked and modified to redirect traffic from the intended destination to sites hosting content that may be offensive or intrusive.
The virus W32.MyDoom@mm used this to create a distributed denial-of-service(DOS) attack in 2004.

http://en.wikipedia.org/wiki/Mydoom.B

Type 2 : Blocking Websites

Some viruses can block your access to the Anti-Virus websites using HOSTS file.
The installed anti-virus will be unable to update its virus-definition.
The search engines may be blocked to prevent you searching for the solution.

http://www.f-secure.com/v-descs/qhost.shtml

Type 3 : Phishing Attack

The banking/social networking websites may be redirected to phishing websites to steal credentials.

http://en.wikipedia.org/wiki/Phishing

Solution

Most of the anti-virus do not fix the hosts file due to complications and it has to be done manually.

• Open the following directory
  %windir%/system32/drivers/etc/
• Create a backup file before you modify the hosts file.
• Remove read-only property for hosts file.
• Open the file in Notepad.
• Delete all lines with suspected URL’s and IP’s contents.
• Do not delete the following default line
  127.0.0.1 localhost

Features:
*This tool can be used to remove virus/suspected files from pendrive.
*Instructions are provided at the botom of each step.
*Build on VB.net, this application is much superior to the previous v1.0
*Improved “hunt-and-delete” has been integrated in this version.
+Automatic selection for connected pendrive.
+Details for the selected drive.
+Displays contents of autorun.inf
+Individual options to fix registries.
+Calls CHKDSK utility to detect and fix bad sectors.
+Most appreciating “hunt-and-delete” feature with multiple options.

Whats not:
-Files marked for deletion are deleted permanently.(not sent to Recycle Bin)
-Registry change is not reversible.
-This tool only to be used on removable drives.

Whats next:
*Safely remove drive feature in the next builds.

Image Caption

To disable autorun using Group Policy Editor
Start » Run » gpedit.msc
Go to Computer Configuration » Administrative Templates » System
Double-click
Turn off Autoplay
Select
Enabled
Turn off Autoplay on = All Drives

Start » Run » Regedit
Go to HKEY_CURRENT_USER » SOFTWARE » Microsoft » Windows » CurrentVersion » Policies » Explorer » NoDriveTypeAutorun
Set the following value
NoDriveTypeAutorun = FF (Hexadecimal) or 255 (Decimal) Disables AutoRun on all kinds of drive

To disable autorun of CD drive
Start » Run » Regedit
Go to HKEY_LOCAL_MACHINE » System » CurrentControlSet » Services » CdRom
Set following values
AutoRun = 0 (to disable autorun on CDs)
AutoRun = 1 (to enable)

Hold on SHIFT key while inserting CD in CDROM

Start » Run » cmd
Type
c:\Documents and Settings\abc\>x:
x:\>dir /a autorun.inf
Check if the autorun file exists
If yes, then change the attributes of the file by typing
x:\>attrib autorun.inf -R -H -S
Now you will be able to see the autorun.inf file visually in Windows Explorer.
View the contents of autorun.inf (using the safe method mentioned above), before you delete them.
Delete the file by typing
x:\>del /P /F /A autorun.inf

If you are unable to delete the autorun.inf file
or
the autorun.inf file appears again and again.
Then you can conclude that your system is infected by some virus.

In such case you have to remove the virus from your system then only you can get rid of this autorun.inf.

1. Double-clicking a drive may infect your computer with the virus on the drive.
2. Even Right-click » Open or Right-click » Explore may lead to the virus infection.
3. If you think that autorun.inf can infect only if its in the root folder of a drive, then you are wrong. Think again. Even network drives have autorun properties. A network drive linked to a folder, containing an infecting autorun.inf file, on a network behaves the same way, when you double-click the drive.

Using Autorun.inf Folder

If you create a folder named AUTORUN.INF in the root directory of a drive, most of the viruses are unable to delete such folders to replace with their own infecting autorun.inf file, this is possible because almost all the virus programs have codes to replace/delete the autorun.inf file and not the folder. You may be safe for sometime, but not longer until a better virus breaks in.

Best Practices

1. To view files inside a drive to use the tree-view of Windows Explorer.
   My Computer » View » Explorer Bar » Folders
   Click on the removable/pendrive on the left side tree-view folder panel to explore, instead of double-clicking the drive.
2. Typing the drive name on the address-bar of Windows Explorer.
   My Computer » click on Address Bar » Type x:\

Here, you will find information about latest virus threats and solution to remove them even if your anti-virus is unable to remove.

Download Heals for viruses and many more software tools and utilities.

Find tutorials for removing virus from your computer and pendrives. Learn how to remove viruses manually by yourself and become a virus troubleshooter.

Report new and latest viruses and request a Heal for it.

Get reviews about various gadgets, softwares and web-services.

Have fun kicking out viruses.
:)