autorun


The following is excerpted from a column by Woody Leonhard in the outstanding Windows Secrets email newsletter.

The person or persons who wrote Conficker gave the USB-drive-infection routine a diabolical little twist. As you might expect, the infection comes in the form of an autorun.inf file, which (usually) runs automatically when the USB stick gets stuck in the computer. But the social engineering in that autorun.inf file is quite remarkable.

To see the brilliance in the deception, it helps to understand how autorun.inf files usually work.

Let’s say I put an autorun.inf file on an empty USB drive that includes the following command:

[Autorun]
open=ACoolProgram.exe

Then I stick a file called ACoolProgram.exe on the USB drive. When I plug that USB drive into a stock Vista machine, I get the AutoPlay notification message shown in Figure 1.

Figure 1. Vista’s Autoplay displaying the results of a normal autorun.inf file.

On the other hand, if I wanted to get tricky, I could change autorun.inf so it takes over the default wording on Vista’s Autoplay dialog. This autorun.inf file does that very thing:

[Autorun]
Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
open=ACoolProgram.exe

When this file is placed on a USB drive that’s inserted into a stock Vista PC, the AutoPlay notification shown in Figure 2 appears.

Figure 2. Vista’s AutoPlay with a slightly altered autorun.inf file.

Note that the altered file pastes an icon into the AutoPlay notification that looks just like a folder icon. The autorun.inf file can say it’s going to open a folder when in fact it’s going to run an executable program.

When Conficker.B infects a USB drive, it creates just this type of autorun.inf file that pops up an AutoPlay notification identical to Figure 2. Clever — and for PC users, scary. Amazingly, this bit of autorun.inf infectious sleight-of-hand also works on the beta version of Windows 7.
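For defenders who want to check removable media for this trick, here is an added example (not part of the original column) that parses an autorun.inf body and flags the combination described above: an entry that runs a program while its Action text and Icon imitate the built-in folder entry. The regular expressions and finding names are assumptions chosen for this illustration.

```python
import re

# Heuristic patterns (assumptions of this example, not an exhaustive list).
EXECUTABLE = re.compile(r"\.(exe|com|scr|bat|cmd|pif)\b", re.I)
FOLDER_WORDING = re.compile(r"open\s+folder|view\s+files", re.I)
SYSTEM_ICON = re.compile(r"(shell32|imageres)\.dll", re.I)

# The two autorun.inf files shown in the column.
PLAIN = "[Autorun]\nopen=ACoolProgram.exe\n"
DISGUISED = (
    "[Autorun]\n"
    "Action=Open folder to view files\n"
    "Icon=%systemroot%\\system32\\shell32.dll,4\n"
    "open=ACoolProgram.exe\n"
)

def parse_autorun(text):
    """Collect key=value pairs from the [autorun] section, skipping junk lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Section names are matched case-insensitively.
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def assess(text):
    """Return a list of findings for one autorun.inf body."""
    entries = parse_autorun(text)
    command = entries.get("open") or entries.get("shellexecute") or ""
    findings = []
    if not EXECUTABLE.search(command):
        return findings  # nothing is launched, so the wording cannot mislead
    findings.append("runs-program")
    if FOLDER_WORDING.search(entries.get("action", "")):
        findings.append("action-text-imitates-folder-entry")
    if SYSTEM_ICON.search(entries.get("icon", "")):
        findings.append("icon-borrowed-from-system-dll")
    return findings

if __name__ == "__main__":
    for name, body in (("plain", PLAIN), ("disguised", DISGUISED)):
        print(name, assess(body))
```

The parser is deliberately tolerant of unparseable lines, since a strict INI parser would reject a file padded with junk instead of reporting on it.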

Guide to cleaning and preventing Conficker

As of Jan. 16, 2009, F-Secure estimates in its blog that the number of Conficker-infected PCs jumped from 2.4 million to 8.9 million in just four days. Unfortunately, that number has been increasing by a million infections a day.

I don’t blindly accept F-Secure’s analysis, nor that of any other security-software vendor, but it has become quite apparent that an enormous number of PCs have caught this worm.

Even though a Conficker-infected PC may not be able to access Microsoft.com — and Conficker probably disabled the PC’s automatic-update function, too — getting rid of the worm is surprisingly easy.

Step 1: Check your passwords. If you have an administrator account with an easily guessed password, change it. Microsoft provides a guide to strong passwords that includes a link to the company’s online password checker. If somebody other than you controls your computer’s admin password, make sure that person understands the gravity of this situation.

Step 2: Make sure you’ve installed the patch described in MS08-067. Open Control Panel’s Add or Remove Programs list to ensure that KB 958644 has been installed. Click Start (plus Run in XP), type appwiz.cpl, and press Enter. In XP, make sure Show updates at the top of the window is checked. In Vista, click View installed updates on the left to see all of your PC’s patches.

The update in question was probably installed in late October or November of last year; look for Security Update for Microsoft Windows (KB958644). If this patch isn’t installed, browse to Microsoft’s Download Center to retrieve and install it. If your PC is blocked from visiting this site, use a noninfected PC to download the patch to a removable medium and install the update on the wormed PC from that device.

Step 3: Run Microsoft’s Malicious Software Removal Tool (MSRT). The latest version of this Microsoft tool identifies and removes all of the Conficker variants I’ve heard about. The easiest way to get MSRT is through Windows Update, but if you can’t get through to that service on the infected PC, borrow a computer and download the tool from Microsoft’s site.

Step 4: Disable AutoPlay. If Figure 2 doesn’t convince you of the risk of using Windows’ AutoPlay feature, nothing will. Simply stated, you don’t need AutoPlay that much. Follow the advice in Scott Dunn’s Top Story from the Nov. 8, 2007, issue for comprehensive instructions to disable AutoPlay.

Those four steps will ensure that your PC isn’t one of the million — or nine million, or 12 million — machines currently playing host to the Conficker worm and its variants.

Jonathan Webster, eGroup
www.egroup-us.com
