echo: nthelp
to: All
from: Mike N
date: 2007-03-25 17:06:52
subject: Re: Gotcha

From: Mike N 

John Beckett wrote on Sat, 05 August 2006 05:32
> Some small entertainment:
>
> Create file autorun.inf as below (three lines - the last two lines shown
> below should be on one line).
> Copy it to root of a USB memory stick.
> Remove and insert memory stick.
> In My Computer, double click the memory stick (or right-click, Open).
>
> ---File autorun.inf---
> [AutoRun]
> Open= cmd.exe /k color 4e && echo Gotcha!
> shell\Open\command= cmd.exe /k for /l %%a in (1,1,9) do start
>     cmd.exe /k color %%ae ^&^& prompt Gotcha!
> ---end---
>
> ---Alternative File autorun.inf---
> [AutoRun]
> Open= cmd.exe /k color 4e && echo Gotcha!
> shell\Open\command= cmd.exe /k for /l %%a in (1,1,10) do calc.exe
>
> ---end---
>
> In the above, we are running cmd.exe from your system. You can run any
> executable that you care to put on the USB.
>
> In the original of this, 'cmd.exe' was actually '.\cmd.exe' (and a copy of
> cmd.exe was on the memory stick). If anyone can tell me whether the '.\'
> is serving any useful or malware function, please let me know.
>
> John



I revisited this thread because malware is now using this technique to
spread. It's scary and nasty. It's not like the old floppy disk stuff: you
only got infected if you were stupid and rebooted with the floppy in the
drive. This one zaps you if you just open a USB drive with Windows Explorer.
Instantly. EVEN IF YOU HAVE DISABLED AUTOPLAY AND AUTORUN FOR ALL DRIVES AND
DRIVE TYPES using NoDriveAutoRun and NoDriveTypeAutoRun in the article at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/shellcc/platform/shell/programmersguide/shell_basics/shell_basics_extending/autorun/autoplay_reg.asp.

  Think you're careful and don't exchange data with just anyone using USB
sticks? What if the client you are exchanging data with had exchanged data
with his son's infected computer the night before? Virus scanners don't
detect new viruses as a rule rather than the exception. You can't even
preview the USB drive contents in any way except from a command line. And
the general public won't be using ZTree as do we geeks. And who's to say
ZTree won't end up invoking the AutoDetect in a future version?

   The answer is contained here:
http://www.microsoft.com/technet/security/Bulletin/MS07-006.mspx
in the somewhat-related article on elevation of privilege in Windows Shell.
Check out the steps under "Vulnerability details / Workarounds / Disable the
Shell hardware detection service".

Quote:
> Disabling the Shell Hardware Detection service will help protect the affected
> system from attempts to exploit this vulnerability. To disable the Shell
> Hardware Detection service, follow these steps:
>
> 1.  Click Start, and then click Control Panel. Alternatively, point to
>     Settings, and then click Control Panel.
>
> 2.  Double-click Administrative Tools.
>
> 3.  Double-click Services.
>
> 4.  Double-click Shell Hardware Detection service.
>
> 5.  In the Startup type list, click Disabled.
>
> 6.  Click Stop, and then click OK.
>
> You can also stop and disable the Shell Hardware Detection service by using
> the following command at the command prompt:
>
> sc stop ShellHWDetection & sc config ShellHWDetection start= disabled
>
> Impact of Workaround: If you disable the Shell Hardware Detection service,
> you may not be able to utilize Fast User Switching capabilities. Therefore,
> we recommend this workaround only on systems that do not require the use of
> Fast User Switching.


  I can understand the convenience of AutoPlay - although it is a
mild-to-serious problem.  But to unleash the feature of auto executing
configuration programs from a USB stick is ludicrous.  Even Microsoft seems
to recognize this in their advisory about autorun.inf -

Quote:
> Note   This feature should not be used to distribute applications on floppy
> disks. Because implementing AutoRun on a floppy disk provides an easy way
> to spread computer viruses, users should be suspicious of any publicly
> distributed floppy disk that contains an Autorun.inf file.


  I would add "be suspicious of ALL USB sticks with Autorun.inf as well.",
although you can only inspect them from a command prompt.

  Anyone: Is Vista also susceptible with the Shell Hardware Detection service
(AKA AutoVirusExecute) enabled?

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 5030/786
@PATH: 379/45 1 633/267
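The post's complaint is that an autorun.inf on a removable drive can name a program in two different places: the `Open`/`ShellExecute` keys, which the AutoRun/AutoPlay policy (NoDriveTypeAutoRun) is meant to gate, and `shell\<verb>\command` keys, which redefine what Explorer's Open verb does and which Mike reports still fire on double-click even with AutoRun disabled. The following is an added example, not code from the thread or from Microsoft: a small Python inspector that parses an autorun.inf from the command line (the only safe way to look at the stick, as the post notes), lists every directive that could launch a program, and decodes a NoDriveTypeAutoRun value so you can see which drive classes a given policy actually covers. The bit-to-drive-type mapping is the documented one for that registry value; the sample file is John Beckett's quoted autorun.inf, including its wrapped third line, which the parser folds back into one line. The function names and the "explorer_open_hijacked" judgement are mine and encode the post's observation rather than any Microsoft statement.

```python
"""Inspect an autorun.inf for program-launching directives and decode the
NoDriveTypeAutoRun policy bitmask. Added example; not code from the thread."""
import configparser
import re
from typing import Dict, List, Tuple

# [AutoRun] keys that name a program to run when AutoPlay/AutoRun fires.
AUTOPLAY_LAUNCH_KEYS = ("open", "shellexecute")

# shell\<verb>\command keys redefine Explorer's context-menu verbs for the
# drive. The post reports that a redefined Open verb runs on double-click
# even when AutoRun is disabled through NoDriveTypeAutoRun.
VERB_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")

# Bits of the NoDriveTypeAutoRun policy value (Policies\Explorer). A set bit
# disables AutoRun for that GetDriveType() class; 0xFF disables all of them.
NO_DRIVE_TYPE_BITS: Dict[int, str] = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "reserved",
}


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the [AutoRun] section as {lower-cased key: value}.

    Interpolation is off because autorun values legitimately contain '%'.
    Indented continuation lines are folded into one line, which is how the
    wrapped sample in the post is meant to be read. Unparseable input
    (e.g. no section header at all) yields an empty mapping.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: " ".join(v.split()) for k, v in cp.items(section)}
    return {}


def find_launch_directives(text: str) -> List[Tuple[str, str, str]]:
    """List (kind, key, command) for every directive that can run a program.

    kind is 'autoplay' for open/shellexecute and 'verb:<name>' for
    shell\\<verb>\\command entries (verb name lower-cased).
    """
    found: List[Tuple[str, str, str]] = []
    for key, value in parse_autorun_inf(text).items():
        if key in AUTOPLAY_LAUNCH_KEYS:
            found.append(("autoplay", key, value))
            continue
        m = VERB_COMMAND_RE.match(key)
        if m:
            found.append((f"verb:{m.group(1)}", key, value))
    return found


def autorun_blocked_types(no_drive_type_autorun: int) -> List[str]:
    """Drive classes for which AutoRun is disabled by the given policy value."""
    return [name for bit, name in NO_DRIVE_TYPE_BITS.items() if no_drive_type_autorun & bit]


def assess(text: str, no_drive_type_autorun: int = 0xFF) -> Dict[str, object]:
    """Summarise what the file can do on a removable drive under the policy."""
    directives = find_launch_directives(text)
    autoplay = [d for d in directives if d[0] == "autoplay"]
    verbs = [d for d in directives if d[0].startswith("verb:")]
    removable_blocked = bool(no_drive_type_autorun & 0x04)
    return {
        "autoplay_directives": autoplay,
        "verb_directives": verbs,
        # The policy bit for DRIVE_REMOVABLE gates the open/shellexecute path.
        "autoplay_launch_possible": bool(autoplay) and not removable_blocked,
        # A redefined Open verb is the case the post says the policy does not
        # cover: Explorer runs it on double-click regardless (hypothetical
        # label, derived from the post's observation).
        "explorer_open_hijacked": any(d[0] == "verb:open" for d in verbs),
    }


# Constructed sample: the autorun.inf quoted in the post, with the wrapped
# third line kept wrapped so the parser has to fold it.
SAMPLE_INF = r"""[AutoRun]
Open= cmd.exe /k color 4e && echo Gotcha!
shell\Open\command= cmd.exe /k for /l %%a in (1,1,9) do start
    cmd.exe /k color %%ae ^&^& prompt Gotcha!
"""

if __name__ == "__main__":
    for kind, key, cmd in find_launch_directives(SAMPLE_INF):
        print(f"{kind:10s} {key} -> {cmd}")
    print("blocked by 0x91:", autorun_blocked_types(0x91))
    print(assess(SAMPLE_INF, 0xFF))
```

Run it against a copy of the autorun.inf read from the stick's root (`assess(open(path).read(), value)` with `value` taken from your NoDriveTypeAutoRun setting); a non-empty `verb_directives` list is the case the post warns about, and it is flagged whatever the policy value is.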

SOURCE: echomail via fidonet.ozzmosis.com
