
    Removable drives are one of the most common infection vectors for malware today. Worms use them to spread their payload and, ultimately, to infect more users.

    Users need to take some countermeasures to secure their systems. One of these is to protect removable drives against worms that use the Autorun feature.

    One popular way of protecting removable drives is to create a folder or file in the root of the drive and name it AUTORUN.INF. An AUTORUN.INF file planted by a worm could enable the malware to run automatically on the system, even without the user executing it. By creating this file or folder beforehand, ideally, worms would not be able to run in this way.

    However, this method is not perfect. Worms can delete the existing AUTORUN.INF file or folder, and then replace it with a malicious version. This would negate any protection placed by the user on the said file. However, by using file permissions to restrict changes, the AUTORUN.INF file can be protected more effectively.

    Note: Make sure that your external drive is formatted using NTFS, as this procedure uses a specific feature of NTFS. If your removable drive is formatted using either FAT or FAT32, back up any data on the said drive first and reformat using NTFS. This may require Windows Vista or Windows 7.

    1. Create a new folder in the root directory of the removable disk and rename it “AUTORUN.INF”.
    2. Create four more folders in the same location and name them “recycle,” “recycler,” “recycled,” and “setup,” respectively.

      Note: The folders recycle, recycler, recycled and setup are optional, but creating them is recommended because malware often uses these names.

    3. Open a command prompt (cmd.exe) and go to the root directory of your removable drive.
    4. Set the folder attributes using the following DOS command:
      attrib autorun.inf /s /d -a +s +r

      Figure 1. Setting the folder attributes

    5. Set the privilege level of the folder using the following DOS command:
      cacls autorun.inf /c /d administrators

      Figure 2. Setting the privilege level of the folder

    6. Type ‘Y’ and press Enter when the prompt “Are you sure (Y/N)?” appears.
    7. To test it, try to delete, modify, rename, copy, or open the created folder. If you cannot perform any of these functions, then the procedure is successful.


    Figure 3. When the user deletes the created folder, the system displays this message prompt.
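
    The procedure above as a single script, as an added example that is not part of the original post. It is PowerShell, run from an elevated prompt, and the parameter names are hypothetical. It keeps the article's attrib and cacls commands, applies them to the optional folders as well, and adds checks for NTFS, for the system drive, and for an AUTORUN.INF that already exists as a file.

```powershell
# Added example (not from the original post). Parameter names are assumptions.
param(
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$DriveLetter,
    [string[]]$Names = @('autorun.inf', 'recycle', 'recycler', 'recycled', 'setup')
)

$root = "${DriveLetter}:\"
$info = New-Object System.IO.DriveInfo $root

# The permission step relies on NTFS ACLs; FAT/FAT32 cannot hold them.
if (-not $info.IsReady)           { throw "Drive $root is not ready." }
if ($info.DriveFormat -ne 'NTFS') { throw "Drive $root is $($info.DriveFormat); back up the data and reformat as NTFS first." }

# Windows itself uses recycler/recycled on the system drive, so never touch it.
if ("${DriveLetter}:" -ieq $env:SystemDrive) { throw "Refusing to run on the system drive." }

foreach ($name in $Names) {
    $path = Join-Path $root $name

    # An existing *file* with this name may already be a worm's copy: leave it for inspection.
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        Write-Warning "$path exists as a file; inspect it before replacing it with a folder."
        continue
    }
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }

    # Step 4: clear Archive, set System and Read-only.
    & attrib.exe -a +s +r $path /s /d

    # Steps 5-6: deny Administrators; 'Y' answers the "Are you sure (Y/N)?" prompt.
    'Y' | & cacls.exe $path /c /d administrators | Out-Null

    # Step 7 (non-destructive part): opening the folder must now fail.
    try {
        Get-ChildItem -LiteralPath $path -Force -ErrorAction Stop | Out-Null
        $state = 'NOT PROTECTED'
    } catch {
        $state = 'protected'
    }
    [pscustomobject]@{ Path = $path; State = $state }
}
```

    Any row reported as NOT PROTECTED means the deny entry did not take effect and the steps should be repeated by hand for that folder.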

    In addition to the above procedure, users may also choose to use hardware means of protection. Certain removable drives have an external switch that prevents the device from being written to. This would prevent malware from making any modifications to the drive, including the AUTORUN.INF file. However, as this may prove to be somewhat inconvenient, it is still a good idea to use the procedure shown above.

    In the past, Trend Micro has blogged about prominent threats that propagated via removable drives:

    The further propagation of such threats could have been avoided by simply protecting your removable drive.









    • Christian Potencia

      Hi Diego and Supermutt,

      I'm sorry for the late reply.

      If you are going to use these folders (recycle, recycler, recycled, setup) in your removable drives, you just need to do the same procedure as you did for the "autorun.inf" folder.

      These folders are just optional because only some (not all) worm malware use these folders to hide themselves. However, I don't recommend the use of these optional folders in your system drive (usually drive C) because the Windows OS also uses the folders recycler and recycled for backup purposes of the deleted files.

      Thanks Andre for the nice feedback you provided. =)

    • http://www.securityweb.com.br Andre

      Yes, you should also run the cacls command to the other folders you created. The lines you should run would be:

      cacls recycle /c /d administrators
      cacls recycler /c /d administrators
      cacls recycled /c /d administrators
      cacls setup /c /d administrators

      I think the author just forgot to mention it :]

    • Supermutt

      diego_moicano got a good question there.
      What about the folders recycle, recycler, recycled and setup?
      Should they have the procedure done with them as with autorun.inf, or just be left alone?

      If they are just left alone, why is that?

    • diego_moicano

      Hi Christian Potencia

      Very nice!

      Question: Should I do what was done with the autorun.inf folder with these folders too: recycle, recycler, recycled and setup?

      Hugs

    • Christian Potencia (Threat Response Engineer)

      Hi Tim Cline,

      It seems that the URL you provided is not accessible at the moment. We would be glad if you would also post the updated link to your article here so that we can view it. Thank you.

    • http://www.securityweb.com.br Andre

      Readers might want to add the “h” parameter to make the folders hidden. The commands would be:
      attrib autorun.inf /s /d -a +s +r +h

    • http://security.unc.edu Tim Cline

      Greetings,

      I am responsible for security awareness at our site (Univ. of North Carolina at Chapel Hill). We already have an article in our central help site about the dangers of autorun (see http://help.unc.edu/CCM3_007602). I would like to add information from your article above to supplement the article we already have. Would you grant permission to allow this? I would be happy to provide the appropriate attribution.

      • Miray Lozada (Technical Communications)

        Sure. Great that you’re able to find our info helpful. Do post the link to your article back here so we can visit it too. Best of luck.

      • Miray Lozada (Technical Communications)

        Go ahead Tim. And sorry for not replying sooner.

    • frank

      Or just use linux.

    • Tom

      http://support.microsoft.com/kb/971029

      This hotfix will take care of the autorun.inf problem. Autoplay will still function, but double-clicking on the icon in My Computer will not run the file. This hotfix is only for removable drives. CDs are not changed.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice