Using PowerShell to Protect Against Conficker (Enabling and Disabling AutoRun.inf)


On the front page of MSN.com today, there are details about a new worm, Conficker, that spreads using the good old-fashioned autorun.inf trick.  It infects USB drives so that, when you plug the drive into another computer, it automatically runs and infects that machine.  The article mentioned a post on Nick Brown's blog that walks through various ways to disable autorun.inf handling and gives a .REG file for doing so.

Here’s the .REG file:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Recently, I’ve started to like taking small registry hacks and turning them into functions, so here’s a pair of functions that I wrote to automate this registry setting with PowerShell.

function Disable-AutoRun
{
    # Map AutoRun.inf to a registry key that does not exist, so Windows sees an
    # effectively empty file. This writes under HKLM, so run it from an elevated session.
    $path = "REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\AutoRun.inf"
    $item = Get-Item $path -ErrorAction SilentlyContinue
    if (-not $item) {
        $item = New-Item $path
    }
    # Set the key's (default) value. The "@SYS:" prefix redirects lookups to
    # HKLM\SOFTWARE\DoesNotExist instead of the file's own contents.
    Set-ItemProperty $item.PSPath "(default)" "@SYS:DoesNotExist"
}

Here's Nick's explanation of how it works:

This hack tells Windows to treat AUTORUN.INF as if it were a configuration file from a pre-Windows 95 application. IniFileMapping is a key which tells Windows how to handle the .INI files which those applications typically used to store their configuration data (before the registry existed). In this case it says "whenever you have to handle a file called AUTORUN.INF, don't use the values from the file. You'll find alternative values at HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist." And since that key, er, does not exist, it's as if AUTORUN.INF is completely empty, and so nothing autoruns, and nothing is added to the Explorer double-click action. Result: worms cannot get in - unless you start double-clicking executables to see what they do, in which case, you deserve to have your PC infected.

In case you want to enable autorun again, you can use this function:

function Enable-AutoRun
{
    # Removing the mapping key restores normal AutoRun.inf handling.
    # -ErrorAction SilentlyContinue keeps this idempotent if the key is already gone.
    Remove-Item "REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\AutoRun.inf" -Force -ErrorAction SilentlyContinue
}
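A practitioner rolling this out will want to verify the setting rather than trust that the write succeeded, and will want to fail early when the session is not elevated (reading HKLM is fine as a normal user; writing it is not). The following is an added example, not code from the original post or from Nick's blog: it reads the mapping key back and reports whether the redirect is in place, and provides an elevation check you can call at the top of Disable-AutoRun and Enable-AutoRun. The function names Test-AutoRunDisabled and Assert-Elevated are this example's own.

```powershell
# Added example (not from the original post). Verifies the AutoRun.inf
# IniFileMapping override and checks for elevation before HKLM writes.
# Test-AutoRunDisabled and Assert-Elevated are names chosen for this example.

$script:AutoRunMappingPath =
    'REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\AutoRun.inf'

function Test-AutoRunDisabled
{
    # Returns $true only if the key exists AND its (default) value redirects
    # lookups to the non-existent HKLM\SOFTWARE\DoesNotExist key.
    # Reading HKLM does not require elevation, so this is safe to run anywhere.
    $item = Get-Item $script:AutoRunMappingPath -ErrorAction SilentlyContinue
    if (-not $item) { return $false }

    # Get-Item on a registry path returns a Microsoft.Win32.RegistryKey;
    # GetValue('') reads the key's (default) value.
    $value = $item.GetValue('')
    return ($value -eq '@SYS:DoesNotExist')
}

function Assert-Elevated
{
    # Throw unless the current token holds the Administrators role.
    # Put this at the top of any function that writes under HKEY_LOCAL_MACHINE.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw 'Writing under HKEY_LOCAL_MACHINE requires an elevated PowerShell session.'
    }
}

# Usage: report the current state. No registry writes happen here.
if (Test-AutoRunDisabled) {
    Write-Host 'AutoRun.inf is mapped to @SYS:DoesNotExist; autorun.inf files are ignored.'
} else {
    Write-Host 'No IniFileMapping override for AutoRun.inf; autorun.inf files are honoured.'
}
```

Test-AutoRunDisabled checks the value, not just the key's existence, because a key that exists with a different (default) value would not disable anything. Note that, as Nick's explanation says, this only stops the automatic execution path; a user who double-clicks an executable on the drive still runs it.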

Hope this Helps,

James Brundage [MSFT]

  • James, thanks for posting this.  It does seem that this solution, jointly found by my colleague Emin Atac and me, is the simplest way to stop worms on removable storage.  We rolled it out on our corporate network 15 months ago when these worms were just a minor annoyance and I know from talking to other network administrators that this form of malware has become a major headache in the meantime.

    Nick

  • Thanks for the response Nick.  I hope you're finding PowerShell helpful in your enterprise.

    James Brundage [MSFT]
