February 12, 2009

If NoAutoRun.reg doesn’t work, you may need space


By Dennis O'Reilly

The way word-wrapping alters line breaks in some browser windows thwarted a few of our readers' attempts to disable AutoRun.

If you manually typed a line break where the code requires a space, and you couldn't get the file to work, a simple change will do the trick.


Windows Secrets contributing editor Woody Leonhard authored a Jan. 22 Top Story on the Conficker/Downadup worm and included a link to a Nov. 8, 2007, article.

That article, by associate editor Scott Dunn, explained how to add a Registry key to block Windows' AutoRun function. After you do this, if you unknowingly insert a hacked CD, DVD, USB drive, or other external drive, it won't automatically infect your PC. The technique involves copying and pasting three lines of code into a NoAutoRun.reg file, then right-clicking the file, merging it into the Registry, and rebooting.

One of the lines of code is very long and looks as follows (it's all one line, but it word-wraps to two lines in small windows):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf

Reader Rob Oppenheim wasn't the only one who found that the file he created had no effect when merged into the Registry, because he'd entered a line break where his e-mail program had word-wrapped that line:

  • "In your [most recent] newsletter, you refer to a Web page that describes how to disable autoruns. The page describes a .reg file with a key that displays broken across two lines (at least on my machine it displays that way). Unfortunately, it's not obvious that there's a space in the key; that is, it should be 'Windows NT' and not 'WindowsNT.'

    "The page does explain that the key should be all on one line but does not mention that the space is required."

If this key shows up in your e-mail program as a single line, all is fine. However, if it wraps to two lines between "Windows" and "NT," and you manually type in the key, you may not realize that there should be a space between the two words, not a carriage return.

Regardless how the Registry key appears in your browser, if you copy the lines from Scott's article and paste them into your text editor to create a NoAutoRun.reg file, the space between "Windows" and "NT" will be included.

Delete the key to restore your AutoRun

Several people tried life without AutoRun and decided they missed the feature. For example, after disabling AutoRun, you must manually open the autorun.inf file on any software disc you might want to auto-install. Marlin Brutlag puts it succinctly:

  • "Is there a safe way to remove it [the block on Windows' AutoRun feature] if no longer desired?"

To restore Windows' default AutoRun behavior, simply delete the key that was created when you merged the NoAutoRun.reg file. To do this, open the Registry Editor: in Vista, click Start, but in XP, click Start, Run. Then type regedit and press Enter. In the left pane, navigate to the IniFileMapping key in the Registry path shown above. Expand the key, right-click Autorun.inf below it, and choose Delete.

See Microsoft Knowledge Base article 310516 for details on adding, deleting, and modifying Registry keys.

Resuscitate a dead drive by giving it the gas

After reading reader Scotty Burrous's description of how he brought a hard drive in his mother's PC back from the dead, I started to think I'd been watching too many scary movies:

  • "My mom's laptop recently croaked. The two-year-old 60GB hard drive decided it had had enough and the platter quit spinning. I hooked it up to a 2.5-inch USB adapter after removing the cover, negating any and all out-of-date warranties, etc. When energized, the indicator LED — normally green — was red and the platter didn't move.

    "There were a few files my mom hadn't backed up — sigh, she's 86 years old — but decided she desperately needed. With tweezers, I manually rotated the platter on the hub, not touching the disk. I noticed it was difficult to turn, so I figured, 'What the hell?'

    "I purchased a container of butane — the stuff you refill a cigarette lighter with — and dispensed some of it (frequently) onto the bottom bearing. When energized, the platter spun up and I managed to get all the pertinent data from the drive! And with continued application of the butane, I ended up copying all the data from the (now) ex-drive."

I'm going to take Scotty's word that this tip actually worked — but kids, don't try the butane-on-the-bearing trick without adult supervision! (I can't help wondering what Scotty tried on the sick drive before he turned to lighter fluid.)


Keep the latest worm infestation off your PC


By Woody Leonhard

It's been a hellacious week for security admins all over the world: the polymorphic worm known as Downadup, Conficker, and Kido has infected millions of computers.

Fortunately, you can scan, scour, and secure your systems by following four relatively simple steps.


Remember the patch that Microsoft released suddenly — "out of cycle" in the parlance — back in October 2008? Windows Secrets followed suit with an out-of-cycle news bulletin about the patch on Oct. 24. Susan Bradley recommended that readers immediately install the update described in MS08-067 (KB article 958644) to protect against "a remote-code attack that could spread wildly across the Internet."

Just as Susan predicted, the remote-code attacks started appearing shortly thereafter. On Oct. 26, Christopher Budd of the Microsoft Security Response Center posted the following in the MSRC blog:

"We are aware that people are working to develop reliable public exploit code for the vulnerability. We are aware of discussion about code posted on a public site, but our analysis has shown that code always results in a denial of service, to demonstrate the vulnerability. So far, we've not seen evidence of public, reliable exploit code showing code execution."

By mid-November, the Microsoft Malware Protection Center (MMPC) said in a blog posting that it had collected "over 50 distinct exploits of this vulnerability." However, MMPC said the instances were very limited: "We're getting a very small number of customer reports for these attacks."

Then Conficker.A hit the fan. (McAfee and Microsoft call the worm "Conficker," Sophos uses the name "Confick," and Symantec and F-Secure call it "Downadup"; but it's the same virus.) By Nov. 25, MMPC was raising the alarm on its blog in an attempt to get individuals and — especially — organizations to install the MS08-067 patch, which stops Conficker.A dead in its tracks.

At this point, the Conficker furor should've died down and the worm been relegated to the history books. Two inexorable forces, however, combined in early January 2009 to give the worm new life: system admins who weren't applying key patches and a ferociously fecund variant called Conficker.B.

How Conficker differs from other worms

In the not-so-good old days, Conficker.A arrived as a Trojan: in order to infect a PC, somebody had to run an infected program on the machine. It could also try to hit your machine directly, but any sort of firewall would thwart that attack. If the infected system was attached to a network, Conficker.A used the hole (that MS08-067 closes) to spread to other computers on the network. This modus operandi is kinda boring but moderately effective.

Conficker.B uses the Conficker.A approach, plus a whole lot more — as a "blended threat," it's an equal-opportunity infecter. The MMPC's TechNet blog offers an excellent, graphical overview of the ways that Conficker.B can get into your network. Here are the main attack vectors:

  • Conficker.B uses the old Conficker.A approach: simple Trojans that arrive via e-mail or by downloading an infected program.

  • Once a PC on a network is infected, Conficker.B reaches across the network to see whether any of its PCs have not yet patched the MS08-067 hole. After infecting these unprotected PCs, Conficker plugs the MS08-067 hole, presumably so other, similar worms can't get in. What a sneaky buzzard!

  • If Conficker.B finds that it can't get into a computer via the MS08-067 hole, it tries to break in by using the standard Windows admin account, entering each of 248 common passwords. This weak password list (which you'll find under the Analysis tab) includes such all-time favorites as admin, mypass, test, foo, 1111, and many others you may have seen before.

  • Once Conficker.B gains entry to a networked machine, it drops a copy of itself onto the target's hard drive and creates a scheduled job that runs the infected file. Conficker.B also loads itself onto all accessible shared folders. Ho-hum.

  • Finally, Conficker.B scans and infects all removable devices on the system, including USB drives and external hard drives.

That last step intrigues me the most because the person or persons who wrote Conficker gave the USB-drive-infection routine a diabolical little twist. As you might expect, the infection comes in the form of an autorun.inf file, which (usually) runs automatically when the USB stick gets stuck in the computer. But the social engineering in that autorun.inf file is quite remarkable.

The worm's tricky twist on autorun.inf

Bojan Zdrnja at the SANS Internet Storm Center detailed in this blog post how Conficker.B's autorun.inf file works. To see the brilliance in the deception, it helps to understand how autorun.inf files usually work.

Let's say I put an autorun.inf file on an empty USB drive that includes the following command:

[Autorun]
open=ACoolProgram.exe

Then I stick a file called ACoolProgram.exe on the USB drive. When I plug that USB drive into a bone-stock Vista machine, I get the AutoPlay notification message shown in Figure 1.

Figure 1. Vista's AutoPlay displaying the results of a normal autorun.inf file.

On the other hand, if I wanted to get tricky, I could change autorun.inf so it takes over the default wording on Vista's Autoplay dialog. This autorun.inf file does that very thing:

[Autorun]
Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
open=ACoolProgram.exe

When this file is placed on a USB drive that's inserted into a stock Vista PC, the AutoPlay notification shown in Figure 2 appears.

Figure 2. Vista's AutoPlay with a slightly altered autorun.inf file.

Note that the altered file pastes an icon into the AutoPlay notification that looks just like a folder icon. The autorun.inf file can say it's going to open a folder when in fact it's going to run an executable program.

When Conficker.B infects a USB drive, it creates just this type of autorun.inf file that pops up an AutoPlay notification identical to Figure 2. Clever — and for PC users, scary. Amazingly, this bit of autorun.inf infectious sleight-of-hand also works on the beta version of Windows 7.
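As an added illustration (not code from this article, from SANS, or from Microsoft), the script below parses an autorun.inf the way Windows reads it (section and key names are case-insensitive) and flags the Figure 2 pattern: an Action label or a shell32.dll icon that promises a folder while open= launches an executable. It also checks a NoAutoRun.reg file from the first story above for the IniFileMapping key with the space in "Windows NT". The folder wording list and the executable-extension list are my assumptions; the sample files are constructed here.

```python
"""Flag the AutoPlay deception described in the article and verify a
NoAutoRun.reg key path. Added example; not part of the original page."""

# Assumed wording a deceptive Action= borrows from Explorer's own prompt.
FOLDER_WORDS = ("open folder", "view files", "browse")
# Assumed list of extensions that mean open= starts a program, not a folder.
EXECUTABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

# Registry key from the first story; note the space in "Windows NT".
NOAUTORUN_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                 r"\CurrentVersion\IniFileMapping\Autorun.inf")


def parse_autorun(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_findings(text):
    """List the reasons an autorun.inf looks like the Figure 2 trick."""
    auto = parse_autorun(text).get("autorun", {})
    target = auto.get("open") or auto.get("shellexecute") or ""
    first_token = target.lower().split()[0] if target.split() else ""
    launches_exe = first_token.endswith(EXECUTABLE_EXT)
    action = auto.get("action", "").lower()
    icon = auto.get("icon", "").lower()
    findings = []
    if launches_exe and any(word in action for word in FOLDER_WORDS):
        findings.append("action text promises a folder but open= runs " + target)
    if launches_exe and "shell32.dll" in icon:
        findings.append("icon borrowed from shell32.dll (%s) while running %s"
                        % (icon, target))
    if launches_exe and not findings:
        findings.append("open= launches an executable: " + target)
    return findings


def reg_file_targets_key(text, expected=NOAUTORUN_KEY):
    """True only if some [..] line in the .reg text is exactly the expected key.
    'WindowsNT' typed without the space, or a key split over two lines, does
    not match, which is why the merge silently has no effect."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if line[1:-1].strip().lower() == expected.lower():
                return True
    return False


# Constructed samples: the two autorun.inf files from the article and a
# .reg fragment whose key was retyped without the space.
NORMAL_INF = "[Autorun]\nopen=ACoolProgram.exe\n"
TRICKY_INF = ("[Autorun]\nAction=Open folder to view files\n"
              "Icon=%systemroot%\\system32\\shell32.dll,4\n"
              "open=ACoolProgram.exe\n")
BAD_REG = ("Windows Registry Editor Version 5.00\n\n"
           "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion"
           "\\IniFileMapping\\Autorun.inf]\n")

if __name__ == "__main__":
    for name, inf in (("normal", NORMAL_INF), ("tricky", TRICKY_INF)):
        print(name, autorun_findings(inf))
    print("bad .reg targets the key:", reg_file_targets_key(BAD_REG))
```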

Guide to cleaning and preventing Conficker

As of Jan. 16, 2009, F-Secure estimates in its blog that the number of Conficker-infected PCs jumped from 2.4 million to 8.9 million in just four days. Unfortunately, that number has been increasing by a million infections a day.

I don't blindly accept F-Secure's analysis, nor that of any other security-software vendor, but it has become quite apparent that an enormous number of PCs have caught this worm.

Even though a Conficker-infected PC may not be able to access Microsoft.com — and Conficker probably disabled the PC's automatic-update function, too — getting rid of the worm is surprisingly easy.


  • Step 1: Check your passwords. If you have an administrator account with an easily guessed password, change it. Microsoft provides a guide to strong passwords that includes a link to the company's online password checker. If somebody other than you controls your computer's admin password, make sure that person understands the gravity of this situation.

  • Step 2: Make sure you've installed the patch described in MS08-067. Open Control Panel's Add or Remove Programs list to ensure that KB 958644 has been installed. Click Start (plus Run in XP), type appwiz.cpl, and press Enter. In XP, make sure Show updates at the top of the window is checked. In Vista, click View installed updates on the left to see all of your PC's patches.

    The update in question was probably installed in late October or November of last year; look for Security Update for Microsoft Windows (KB958644). If this patch isn't installed, browse to Microsoft's Download Center to retrieve and install it. If your PC is blocked from visiting this site, use a noninfected PC to download the patch to a removable medium and install the update on the wormed PC from that device.

  • Step 3: Run Microsoft's Malicious Software Removal Tool (MSRT). The latest version of this Microsoft tool identifies and removes all of the Conficker variants I've heard about. The easiest way to get MSRT is through Windows Update, but if you can't get through to that service on the infected PC, borrow a computer and download the tool from Microsoft's site.

  • Step 4: Disable AutoPlay. If Figure 2 doesn't convince you of the risk of using Windows' AutoPlay feature, nothing will. Simply stated, you don't need AutoPlay that much. Follow the advice in Scott Dunn's Top Story from the Nov. 8, 2007, issue for comprehensive instructions to disable AutoPlay.

Those four steps will ensure that your PC isn't one of the million — or nine million, or 12 million — machines currently playing host to the Conficker worm and its variants.


Downgrading Vista to XP is possible … maybe


By Dennis O'Reilly

Reverting a Vista PC to XP requires an installation CD for each OS and can be done only on OEM editions of Vista Business and Ultimate.

Users of Vista Home Basic and Home Premium — and anyone who used a retail version of Vista to upgrade an XP machine — must buy a copy of XP to make the switch.


Last week's Top Story on Microsoft's decision to extend yet again the deadline for buying a PC with Windows XP installed caused many readers to wonder whether they could dump their copy of Vista in favor of its predecessor. Reader Jim Harvey put it this way:

  • "We have Vista Home Edition installed on a newly refurbished Gateway computer purchased for my wife for Christmas. However, trying to cope with all the operational changes in Vista has proven to be too frustrating for her.

    "We would like to downgrade the new computer back to the old XP license we have on our replaced computer, but we don't know how to do so. Is there a legitimate way to install our old licensed version of XP, still on the replaced computer, onto our new Gateway and get rid of Vista?"

Unfortunately, the only way you can revert a machine running Vista Home Basic or Home Premium is to buy a copy of XP and install it over the Vista configuration. However, anyone who bought a PC with an OEM edition of Vista Business or Vista Ultimate can downgrade to XP Pro.

Even if you installed a retail version of Vista on an XP machine, you have to purchase a new copy of XP to revert to that OS. Fortunately, OEM versions of XP Home and Pro cost as little as $90 and $120, respectively, online. (Note that OEM releases can be installed on only one system and come with zero support from the vendor.)

Computerworld's Gregg Keizer describes the XP-downgrade limitations and offers step-by-step instructions for making the Vista-to-XP switch in this FAQ.

Other places to look for missing disk space

Fred Langa's Jan. 8, 2009, column (paid content) described several ways to recover hard-disk space. Reader Kevin Kleinhomer wrote in to remind us of a couple of other tools that might help track down the missing bytes.

  • "In his most recent article, Fred talks about a reader with missing space, but I think he missed a very important tip for the reader: Chkdsk. It could be a corrupted file system that is the root cause of the missing disk space. I have seen this many, many times.

    "A less likely possibility would be a rootkit. Booting off one of the many recently reported-on [rootkit-revealing] tools would hopefully turn this up."

Running Windows' built-in disk-checking utility couldn't be easier: click Start, Run (in XP) or just Start (in Vista), type cmd, and press Enter. At the command prompt, type the following:

chkdsk x: /r

The x represents the letter of the drive you want to check, and the /r switch instructs the utility to repair errors, find bad sectors, and recover whatever data it's able to.

Microsoft's Help and Support site provides complete instructions for using the Chkdsk utility in article 315265 (the article specifies XP, but the information applies to Vista as well).

Scott Spanbauer reviews several free tools for detecting and removing rootkits in his May 22, 2008, Best Software column (paid content).

Go to the source for a copy of Ubuntu on disc

The rap on Linux — at least among Windows users — has long been that the alternative OS is too difficult to install and use. Scott Spanbauer's Jan. 8, 2009, Best Software column (paid content) described the free Wubi installer utility for the Ubuntu distribution of Linux. Reader Howard Harner points out that you can also get a free copy of Ubuntu on disc, if you're patient.

  • "I'm glad to see your discussion of Ubuntu, since I have been using it as an alternative to uSoft [Microsoft Windows] for years. For older computers, cruising the Web, and copying CDs, it's great.

    "You didn't mention that one can get a free disk from Ubuntu that contains two versions of the OS — a full-install copy and a version that will run on top of Windows — by going to their Web site and filling out the short application form. It usually takes less than two weeks to receive it."

In fact, many Windows users choose to run Ubuntu off the CD rather than to create a hard-drive partition for the OS. Of course, you can burn your own Ubuntu CD. You'll find the download and instructions for creating your disc on the Ubuntu Community Documentation page.


Has your PC become a spammer’s botnet zombie?


By Scott Dunn

Worldwide spam traffic dramatically dropped after a major spam server was temporarily shut down last fall, raising public awareness of botnets: networks of PCs that have been turned into spam-spewing robots.

Most antivirus applications are ill-equipped to stop this kind of malware, but you can reduce the risk of having your PC become zombified.

Last November, a provider of Internet connectivity named Hurricane Electric pulled the plug on hosting company McColo. Immediately, the worldwide volume of spam dropped a whopping 65%, according to some estimates.

As explained by Brian Krebs in an article at WashingtonPost.com, Hurricane — one of the two companies McColo depended on for its Internet connection — took the action after the newspaper informed the provider of McColo's role in hosting all sorts of Internet bad guys.

According to Krebs, McColo's clients included "international firms and syndicates that are involved in everything from the remote management of millions of compromised computers to the sale of counterfeit pharmaceuticals and designer goods, fake security products, and child pornography via e-mail."

The spam reduction held for a couple of weeks before rebounding, according to a Nov. 26 story at InfoWorld.com.

McColo's servers didn't send out the spam themselves. Instead, they provided the command and control for a vast network of PCs infected with malware. A collection of hacked PCs that have been turned into automated spamming machines is known as a robot network or "botnet." Security professionals name these botnets after the malware that runs them, which includes Asprox, Rustock, Cutwail, and Srizbi.

The malware creators rent their botnets to spammers, who in turn use the control servers to coordinate the transmission of huge amounts of junk mail, as explained in another Washington Post story.

Your computer could be a spam zombie and you might never know it. And if you think your security software is keeping your computer safe from botnet slavery, you'd better think again.

A recent study by security firm FireEye revealed that antivirus products detect bots less than half the time. The study tested AV programs using VirusTotal's free malware-scan service; consult that site for a list of the AV products tested.

Your four-step spambot-safety program

What can you do to prevent becoming a botnet victim? Although there are no perfect solutions, the following actions will help prevent your system from being compromised. (My thanks to the security blog written by Wiz Feinberg for many of the tips.)

Step 1: Keep your security products up-to-date. Although the FireEye study found little protection against bots from antivirus products, the study's author, FireEye chief scientist Stuart Staniford, did note that "AV works better and better on old stuff — by the time something has been out for a couple of months, and is still in use, it's likely that 70% to 80% of products will detect it."

Update your antivirus program regularly with the latest patches and virus definitions; even if the app doesn't catch the latest bot, your AV protection will reduce your risk of catching older malware still circulating around the Internet.

Step 2: Use a software firewall. By carefully monitoring your Internet connection, you'll reduce your risk of infection by botnet malware. By default, the firewalls built into Windows XP and Vista monitor only incoming connections. The firewalls can be configured to monitor outbound traffic, but doing so is technical and problematic for most users. The differences between the firewalls in XP and Vista are described in this Microsoft TechNet article.

Many free, third-party software firewalls are bidirectional. Third-party firewalls sometimes require updates after you install Patch Tuesday fixes from Microsoft, but the added functionality of these firewalls can make this inconvenience worth living with. WS senior editor Ian "Gizmo" Richards describes the best products in his July 31, 2008, column.

Step 3: Get a free diagnosis. Some security products are intended specifically to combat the botnet plague. For example, RUBotted is a free utility from Trend Micro that sits quietly in your system tray and monitors suspicious activity (more info). If the program spots an infection, it alerts you to take action. The program is currently a beta, but it worked fine for me.

According to a post by security blogger Feinberg, RUBotted encourages you to scan your system with Trend Micro's free HouseCall online virus-scanning service, which detects and removes many malware infections. Note that on my system, RUBotted uses 8MB of RAM.

Figure 1. Scan your system with Trend Micro's RUBotted to ensure that your PC is bot-free.

Full disclosure: Feinberg's blog is sponsored in part by RUBotted's manufacturer, Trend Micro. But I don't consider this to be an argument against using RUBotted.

Step 4: Try Norton AntiBot. Another bot-specific security product is Symantec's Norton AntiBot (more info). This $30 program claims to monitor, detect, and remove bots before they can cause harm. Norton AntiBot uses behavioral analysis rather than definitions for specific bots and received an Editor's Choice award from PC Magazine in 2007.

Security sites such as Marshal continue to report spam-bot activity. The buggers are delivering junk mail, malware, and other odious data to millions of victims. By using the above bot-prevention tools and techniques, you'll reduce the chances that your machine's a spammer's helper.


XP deadline extended toward launch of Windows 7

By Dennis O'Reilly

Microsoft has acknowledged that it will allow system builders to pay for installed copies of XP through May 30, rather than shutting down the pipeline this month.

If you order from your preferred vendor by Jan. 31, you may be able to rely on XP for new systems almost right up until the long-awaited Windows 7 ships, an event that's expected to occur within a few months.

Vista is looking more and more like the Edsel of the computer industry. Presumably as a result of slow uptake by corporations and individual users, Microsoft last month confirmed that it will allow OEMs and smaller-scale "system builders" to pay as late as May 30, 2009, for copies of XP ordered by Jan. 31. (Vendors won't have to pay Microsoft until the systems sell. MS previously had been expecting payments for copies of XP by Jan. 31.)

The details of Microsoft's new, flexible inventory program were first reported on the ChannelWeb site.

Combine this news with reports that Windows 7 may ship as early as mid-2009, and it looks like Microsoft is ready to relegate Vista to the binary scrapheap. Maybe the company's recent $300 million marketing push for Vista wasn't so successful as Microsoft claims it was.

As Mary Jo Foley states in her All About Microsoft blog, vendors of low-budget PCs such as netbooks were already being allowed to sell new systems based on XP through June 30, 2010, or one year after Windows 7 ships — whichever came first. Microsoft's new policy now gives a reprieve to builders of mainstream computers, and to end users who want to buy systems running Windows XP, not Vista, indefinitely or until Windows 7 is a proven commodity.

Will the Windows 7 RTM make an early entrance?

The official release of Beta 1 of Windows 7 to the public is widely expected to occur next week. If all goes well with the remaining testing, indications are that the final, RTM (released to manufacturing) version will be available as early as August. Lending support to this theory is the fact that the end-user license agreement of Beta 1, like all recent prerelease versions of Windows 7, states that the software will expire Aug. 1, 2009.

This feature — as well as the use of the product's built-in slmgr -rearm command to extend the beta's trial period without an activation key — was recently explained by Marius Oiaga of Softpedia. Other sources predict that Windows 7 won't ship to OEMs until October 2009, becoming available to end users the following month.

Early reviews of the Windows 7 beta, such as those summarized by the Telegraph of London, variously describe the new operating system as being not much different from Vista or representing an unspectacular-but-solid improvement. If Windows 7 turns out to have better performance and reliability than Vista, as some reviewers believe, the OS may gain a measure of relieved acceptance from end users after only a few months on the market.

Paying a premium to downgrade from Vista to XP

The extended availability of XP on new PCs will gladden the hearts of many Windows users. For a few unfortunates, however, the XP option is coming at great cost.

Eric Krangel reports on the Silicon Alley Insider blog that Dell has gradually been inflating its surcharge for "downgrading" a PC from Vista to XP. The bite rose last June from U.S. $20 to $50, then spiked in October to $100, and now is a whopping $150.

The fact that Dell's customers appear to be willing to pay this amount or more to avoid Vista may be the greatest indictment of Microsoft's unloved OS.

The reality is that the Redmond software giant has been forced by popular opinion to provide customers with a Vista-free option — an extended life for XP — more than two years after Vista's rollout. Depending on your point of view, this concession can be interpreted negatively as an act of desperation or more positively as a burst of marketing acumen on the company's part.

As usual, the truth is likely somewhere in between.
