echo: nthelp
to: Mike N
from: Glenn Meadows
date: 2007-03-26 15:52:56
subject: Re: Gotcha

From: "Glenn Meadows" 

USB HDs fall into this category as well, as people will send USB HDs from
one site to another for a large bulk transfer of data.

Many USB HD Backup systems use the AutoRun feature to EASILY enable the
installation of their bundled Backup software.

--

Glenn M.
"Mike N"  wrote in message
news:4606e46a$1{at}w3.nls.net...
> John Beckett wrote on Sat, 05 August 2006 05:32
>> Some small entertainment:
>>
>> Create file autorun.inf as below (three lines - the last two lines shown
>> below should be on one line).
>> Copy it to root of a USB memory stick.
>> Remove and insert memory stick.
>> In My Computer, double click the memory stick (or right-click, Open).
>>
>> ---File autorun.inf---
>> [AutoRun]
>> Open= cmd.exe /k color 4e && echo Gotcha!
>> shell\Open\command= cmd.exe /k for /l %%a in (1,1,9) do start
>>     cmd.exe /k color %%ae ^&^& prompt Gotcha!
>> ---end---
>>
>> ---Alternative File autorun.inf---
>> [AutoRun]
>> Open= cmd.exe /k color 4e && echo Gotcha!
>> shell\Open\command= cmd.exe /k for /l %%a in (1,1,10) do calc.exe
>>
>> ---end---
>>
>> In the above, we are running cmd.exe from your system. You can run any
>> executable that you care to put on the USB.
>>
>> In the original of this, 'cmd.exe' was actually '.\cmd.exe' (and a copy
>> of cmd.exe was on the memory stick). If anyone can tell me whether the
>> '.\' is serving any useful or malware function, please let me know.
>>
>> John
>
>
>
> I revisited this thread because malware is now using this technique to
> spread.   It's scary and nasty.   It's not like the old floppy disk stuff:
> you only got infected if you were stupid and rebooted with the floppy in
> the drive.   This one zaps you if you just open a USB drive with Windows
> Explorer.   Instantly.  EVEN IF YOU HAVE DISABLED AUTOPLAY AND AUTORUN FOR
> ALL DRIVES AND DRIVE TYPES using NoDriveAutoRun  and NoDriveTypeAutoRun in
> the article at
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/shellcc/platform/shell/programmersguide/shell_basics/shell_basics_extending/autorun/autoplay_reg.asp.
>
>  Think you're careful and don't exchange data with just anyone using USB
> sticks?  What if the client you are exchanging data with had exchanged
> data with his son's infected computer the night before?  Virus scanners
> don't detect new viruses as a rule rather than the exception.   You can't
> even preview the USB drive contents in any way except from a command line.
> And the general public won't be using ZTree as do we geeks.   And who's to
> say ZTree won't end up invoking the AutoDetect in a future version?
>   The answer is contained here:
> http://www.microsoft.com/technet/security/Bulletin/MS07-006.mspx in the
> somewhat-related article on elevation of privilege in Windows Shell.
> Check out the steps under "Vulnerability details / Workarounds / Disable
> the Shell hardware detection service".
>
> Quote:
>> Disabling the Shell Hardware Detection service will help protect the
>> affected system from attempts to exploit this vulnerability. To disable
>> the Shell Hardware Detection service, follow these steps:
>>
>> 1.  Click Start, and then click Control Panel. Alternatively, point to
>> Settings, and then click Control Panel.
>>
>> 2.  Double-click Administrative Tools.
>>
>> 3.  Double-click Services.
>>
>> 4.  Double-click Shell Hardware Detection service.
>>
>> 5.  In the Startup type list, click Disabled.
>>
>> 6.  Click Stop, and then click OK.
>>
>> You can also stop and disable the Shell Hardware Detection service by
>> using the following command at the command prompt:
>>
>> sc stop ShellHWDetection & sc config ShellHWDetection start= disabled
>>
>> Impact of Workaround: If you disable the Shell Hardware Detection
>> service, you may not be able to utilize Fast User Switching capabilities.
>> Therefore, we recommend this workaround only on systems that do not
>> require the use of Fast User Switching.
>
>
>  I can understand the convenience of AutoPlay - although it is a
> mild-to-serious problem.  But to unleash the feature of auto executing
> configuration programs from a USB stick is ludicrous.  Even Microsoft
> seems to recognize this in their advisory about autorun.inf -
>
> Quote:
>> Note   This feature should not be used to distribute applications on
>> floppy disks. Because implementing AutoRun on a floppy disk provides an
>> easy way to spread computer viruses, users should be suspicious of any
>> publicly distributed floppy disk that contains an Autorun.inf file.
>
>
>  I would add "be suspicious of ALL USB sticks with Autorun.inf as well.",
> although you can only inspect them from a command prompt.
>
>  Anyone: Is Vista also susceptible with the Shell Hardware Detection
> service (AKA AutoVirusExecute) enabled?
>
>
>

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 5030/786
@PATH: 379/45 1 633/267
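
The thread notes that an autorun.inf can only be inspected safely from a command prompt. The following is an added example, not part of the original messages: a small Python checker that reads the file as text and lists every [AutoRun] entry that would launch a program, marking those that redefine a verb Explorer already offers on a drive. The function names, the sample file contents and the choice of `open`/`explore` as built-in verbs are assumptions made for this example.

```python
import re
import sys
from pathlib import Path

# [AutoRun] keys whose value is a command line the shell will launch.
COMMAND_KEY = re.compile(r"^(open|shellexecute|shell\\([^\\]+)\\command)$", re.I)
# Verbs Explorer already offers on a drive; redefining them changes what a
# double-click or right-click > Open does (verb list is this example's choice).
BUILTIN_VERBS = {"open", "explore"}

SAMPLE = """\
; constructed sample, not taken from a real device
[autorun]
icon=setup.ico
Open = setup.exe
shell\\Open\\command = tool.exe /quiet
[other]
open=ignored.exe
"""

def parse_autorun(text):
    """Return {lowercased key: value} for the [AutoRun] section only."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def findings(text):
    """List (key, command, overrides_builtin_verb) for every launch entry."""
    out = []
    for key, value in parse_autorun(text).items():
        m = COMMAND_KEY.match(key)
        if m and value:
            verb = (m.group(2) or "").lower()
            out.append((key, value, verb in BUILTIN_VERBS))
    return out

if __name__ == "__main__":
    # Usage: python check_autorun.py <drive root>  (reads the file; nothing is executed)
    path = Path(sys.argv[1]) / "autorun.inf" if len(sys.argv) > 1 else None
    text = path.read_text(errors="replace") if path and path.is_file() else SAMPLE
    for key, cmd, override in findings(text):
        print(f"{key!r} launches {cmd!r}" + ("  <- replaces Explorer verb" if override else ""))
```

Run without arguments it reports on the embedded constructed sample; given a drive root it reads that drive's autorun.inf without going through Explorer.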

SOURCE: echomail via fidonet.ozzmosis.com
