February 12, 2009

If NoAutoRun.reg doesn’t work, you may need space


Dennis O'Reilly By Dennis O'Reilly

The way word-wrapping alters line breaks in some browser windows thwarted a few of our readers' attempts to disable AutoRun.

If you manually typed a line break where the code requires a space, and you couldn't get the file to work, a simple change will do the trick.


Windows Secrets contributing editor Woody Leonhard authored a Jan. 22 Top Story on the Conficker/Downadup worm and included a link to a Nov. 8, 2007, article.

That article, by associate editor Scott Dunn, explained how to add a Registry key to block Windows' AutoRun function. After you do this, if you unknowingly insert a hacked CD, DVD, USB drive, or other external drive, it won't automatically infect your PC. The technique involves copying and pasting three lines of code into a NoAutoRun.reg file, then right-clicking the file, merging it into the Registry, and rebooting.

One of the lines of code is very long and looks as follows (it's all one line, but it word-wraps to two lines in small windows):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf

Reader Rob Oppenheim wasn't the only reader who found that merging into the Registry the file he created had no effect, because he'd entered a line break where his e-mail program had word-wrapped that line:

  • "In your [most recent] newsletter, you refer to a Web page that describes how to disable autoruns. The page describes a .reg file with a key that displays cialis mg dosage broken across two lines (at least on my machine it displays that way). Unfortunately, it's not obvious that there's a space in the key; that is, it should be 'Windows NT' and not 'WindowsNT.'

    "The page does explain that the key should be all on one line but does not mention that the space is required."

If this key shows up in your e-mail program as a single line, all is fine. However, if it wraps to two lines between "Windows" and "NT," and you manually type in the key, you may not realize that there should be a space between the two words, not a carriage return.

Regardless how the Registry key appears in your browser, if you copy the lines from Scott's article and paste them into your text editor to create a NoAutoRun.reg file, the space between "Windows" and "NT" will be included.

Delete the key to restore your AutoRun

Several people tried life without AutoRun and decided they missed the feature. For example, after disabling AutoRun, you must manually open the autorun.inf file on any software disc you might want to auto-install. Marlin Brutlag puts it succinctly:

  • "Is there a safe way to remove it [the block on Windows' AutoRun feature] if no longer desired?"

To restore Windows' default AutoRun behavior, simply delete the key that was created when you merged the NoAutoRun.reg file. To do this, open the Registry Editor: in Vista, click Start, but in XP, click Start, Run. Then type regedit and press Enter. In the left pane, navigate to the IniFileMapping key in the Registry path shown above. Expand the key, right-click Autorun.inf below it, and choose Delete.

See Microsoft Knowledge Base article 310516 for details on adding, deleting, and modifying Registry keys.

Resuscitate a dead drive by giving it the gas

After reading reader Scotty Burrous's description of how he brought a hard drive in his mother's PC back from the dead, I started to think I'd been watching too many scary movies:

  • "My mom's laptop recently croaked. The two-year-old 60GB hard drive decided it had had enough and the platter quit spinning. I hooked it up to a 2.5-inch USB adapter after removing the cover, negating any and all out-of-date warranties, etc. When energized, the indicator LED — normally green — was red and the platter didn't move.

    "There were a few files my mom hadn't backed up — sigh, she's 86 years old — but decided she desperately needed. With tweezers, I manually rotated the platter on the hub, not touching the disk. I noticed it was difficult to turn, so I figured, 'What the hell?'

    "I purchased a container of butane — the stuff you refill a cigarette lighter with — and dispensed some of it (frequently) onto the bottom bearing. When energized, the platter spun up and I managed to get all the pertinent data from the drive! And with continued application of the butane, I ended up copying all the data from the (now) ex-drive."

I'm going to take Scotty's word that this tip actually worked — but kids, don't try the butane-on-the-bearing trick without adult supervision! (I can't help wondering what Scotty tried on the sick drive before he turned to lighter fluid.)

Permalink • Print • Comment

Keep the latest worm infestation off your PC


Woody Leonhard By Woody Leonhard

It's been a hellacious week for security admins all over the world: the polymorphic worm known as Downadup, Conficker, and Kido has infected millions of computers.

Fortunately, you can scan, scour, and secure your systems by following four relatively simple steps.


Remember the patch that Microsoft released suddenly — "out of cycle" in the parlance — back in October 2008? Windows Secrets followed suit with an out-of-cycle news bulletin about the patch on Oct. 24. Susan Bradley recommended that readers immediately install the update described in MS08-067 (KB article 958644) to protect against "a remote-code attack that could spread wildly across the Internet."

Just as Susan predicted, the remote-code attacks started appearing shortly thereafter. On Oct. 26, Christopher Budd of the Microsoft Security Response Center posted the following in the MSRC blog:

"We are aware that people are working to develop reliable public exploit code for the vulnerability. We are aware of discussion about code posted on a public site, but our analysis has shown that code always results in a denial of service, to demonstrate the vulnerability. So far, we've not seen evidence of public, reliable exploit code showing code execution."

By mid-November, the Microsoft Malware Protection Center (MMPC) said in a blog posting that it had collected "over 50 distinct exploits of this vulnerability." However, MMPC said the instances were very limited: "We're getting a very small number of customer reports for these attacks."

Then Conficker.A hit the fan. (McAfee and Microsoft call the worm "Conficker," Sophos uses the name "Confick," and Symantec and F-Secure call it "Downadup"; but it's the same virus.) By Nov. 25, MMPC was raising the alarm on its blog in an attempt to get individuals and — especially — organizations to install the MS08-067 patch, which stops Conficker.A dead in its tracks.

At this point, the Conficker furor should've died down and the worm been relegated to the history books. Two inexorable forces, however, combined in early January 2009 to give the worm new life: system admins who weren't applying key patches and a ferociously fecund variant called Conficker.B.

How Conficker differs from other worms

In the not-so-good old days, Conficker.A arrived as a Trojan: in order to infect a PC, somebody had to run an infected program on the machine. It could also try to hit your machine directly, but any sort of firewall would thwart that attack. If the infected system was attached to a network, Conficker.A used the hole (that MS08-067 closes) to spread to other computers on the network. This modus operandi is kinda boring but moderately effective.

Conficker.B uses the Conficker.A approach, plus a whole lot more — as a "blended threat," it's an equal-opportunity infecter. The MMPC's TechNet blog offers an excellent, graphical overview of the ways that Conficker.B can get into your network. Here are the main attack vectors:

  • Conficker.B uses the old Conficker.A approach: simple Trojans that arrive via e-mail or by downloading an infected program.

  • Once a PC on a network is infected, Conficker.B reaches across the network to see whether any of its PCs have not yet patched the MS08-067 hole. After infecting these unprotected PCs, Conficker plugs the MS08-067 hole, presumably so other, similar worms can't get in. What a sneaky buzzard!

  • If Conficker.B finds that it can't get into a computer via the MS08-067 hole, it tries to break in by using the standard Windows admin account, entering each of 248 common passwords. This weak password list (which you'll find under the Analysis tab) includes such all-time favorites as admin, mypass, test, foo, 1111, and many others you may have seen before.

  • Once Conficker.B gains entry to a networked machine, it drops a copy of itself onto the target's hard drive and creates a scheduled job that runs the infected file. Conficker.B also loads itself onto all accessible shared folders. Ho-hum.

  • Finally, Conficker.B scans and infects all removable devices on the system, including USB drives and external hard drives.

That last step intrigues me the most because the person or persons who wrote Conficker gave the USB-drive-infection routine a diabolical little twist. As you might expect, the infection comes in the form of an autorun.inf file, which (usually) runs automatically when the USB stick gets stuck in the computer. But the social engineering in that autorun.inf file is quite remarkable.

The worm's tricky twist on autorun.inf

Bojan Zdrnja at the SANS Internet Storm Center detailed in this blog post how Conficker.B's autorun.inf file works. To see the brilliance in the deception, it helps to understand how autorun.inf files usually work.

Let's say I put an autorun.inf file on an empty USB drive that includes the following command:

[Autorun]
open=ACoolProgram.exe

Then I stick a file called ACoolProgram.exe on the USB drive. When I plug that USB drive into a bone-stock Vista machine, I get the AutoPlay notification message shown in Figure 1.

Autoplay reacting to a normal autorun.inf
Figure 1. Vista's Autoplay displaying the results of a normal autorun.inf file.

On the other hand, if I wanted to get tricky, I could change autorun.inf so it takes over the default wording on Vista's Autoplay dialog. This autorun.inf file does that very thing:

[Autorun]
Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
open=ACoolProgram.exe

When this file is placed on a USB drive that's inserted into a stock Vista PC, the AutoPlay notification shown in Figure 2 appears.

Autoplay reacting to a fancy autorun.inf
Figure 2. Vista's AutoPlay with a slightly altered autorun.inf file.

Note that the altered file pastes an icon into the AutoPlay notification that looks just like a folder icon. The autorun.inf file can say it's going to open a folder when in fact it's going to run an executable program.

When Conficker.B infects a USB drive, it creates just this type of autorun.inf file that pops up an AutoPlay notification identical to Figure 2. Clever — and for PC users, scary. Amazingly, this bit of autorun.inf infectious sleight-of-hand also works on the beta version of Windows 7.

Guide to cleaning and preventing Conficker

As of Jan. 16, 2009, F-Secure estimates in its blog that the number of Conficker-infected PCs jumped from 2.4 million to 8.9 million in just four days. Unfortunately, that number has been increasing by a million infections a day.

I don't blindly accept F-Secure's analysis, nor that of any other security-software vendor, but it has become quite apparent that an enormous number of PCs have caught this worm.

Even though a Conficker-infected PC may not be able to access Microsoft.com — and Conficker probably disabled the PC's automatic-update function, too — getting rid of the worm is surprisingly easy.

    cialis medicine 0pt; padding-bottom: 0pt; margin-left: 17px; padding-top: 0pt”>

  • Step 1: Check your passwords. If you have an administrator account with an easily guessed password, change it. Microsoft provides a guide to strong passwords that includes a link to the company's online password checker. If somebody other than you controls your computer's admin password, make sure that person understands the gravity of this situation.

  • Step 2: Make sure you've installed the patch described in MS08-067. Open Control Panel's Add or Remove Programs list to ensure that KB 958644 has been installed. Click Start (plus Run in XP), type appwiz.cpl, and press Enter. In XP, make sure Show updates at the top of the window is checked. In Vista, click View installed updates on the left to see all of your PC's patches.

    The update in question was probably installed in late October or November of last year; look for Security Update for Microsoft Windows (KB958644). If this patch isn't installed, browse to Microsoft's Download Center to retrieve and install it. If your PC is blocked from visiting this site, use a noninfected PC to download the patch to a removable medium and install the update on the wormed PC from that device.

  • Step 3: Run Microsoft's Malicious Software Removal Tool (MSRT). The latest version of this Microsoft tool identifies and removes all of the Conficker variants I've heard about. The easiest way to get MSRT is through Windows Update, but if you can't get through to that service on the infected PC, borrow a computer and download the tool from Microsoft's site.

  • Step 4: Disable AutoPlay. If Figure 2 doesn't convince you of the risk of using Windows' AutoPlay feature, nothing will. Simply stated, you don't need AutoPlay that much. Follow the advice in Scott Dunn's Top Story from the Nov. 8, 2007, issue for comprehensive instructions to disable AutoPlay.

Those four steps will ensure that your PC isn't one of the million — or nine million, or 12 million — machines currently playing host to the Conficker worm and its variants.

Permalink • Print • Comment

Downgrading Vista to XP is possible … maybe


Dennis O'Reilly By Dennis O'Reilly

Reverting a Vista PC to XP requires an installation CD for each OS and can be done only on OEM editions of Vista Business and Ultimate.

Users of Vista Home Basic and Home Premium — and anyone who used a retail version of Vista to upgrade an XP machine — must buy a copy of XP to make the switch.


Last week's Top Story on Microsoft's decision to extend yet again the deadline for buying a PC with Windows XP installed caused many readers to wonder whether they could dump their copy of Vista in favor of its predecessor. Reader Jim Harvey put it this way:

  • "We have Vista Home Edition installed on a newly refurbished Gateway computer purchased for my wife for Christmas. However, trying to cope with all the operational changes in Vista has proven to be too frustrating for her.

    "We would like to downgrade the new computer back to the old XP license we have on our replaced computer, but we don't know how to do so. Is there a legitimate way to install our old licensed version of XP , still on the replaced computer, onto our new Gateway and get rid of Vista?"

Unfortunately, the only way you can revert a machine running Vista Home Basic or Home Premium is to buy a copy of XP and install it over the Vista configuration. However, anyone who bought a PC with an OEM edition of Vista Business or Vista Ultimate can downgrade to XP Pro.

Even if you installed a retail version of Vista on an XP machine, you have to purchase a new copy of XP to revert to that OS. Fortunately, OEM versions of XP Home and Pro cost as little as $90 and $120, respectively, online. (Note that OEM releases can be installed on only one system and come with zero support from the vendor.)

Computerworld's Gregg Keizer describes the XP-downgrade limitations and offers step-by-step instructions for making the Vista-to-XP switch in this FAQ.

Other places to look for missing disk space

Fred Langa's Jan. 8, 2009, column (paid content) described several ways to recover hard-disk space. Reader Kevin Kleinhomer wrote in to remind us of a couple of other tools that might help track down the missing bytes.

  • "In his most recent article, Fred talks about a reader with missing space, but I think he missed a very important tip for the reader: Chkdsk. It could be a corrupted file system that is the root cause of the missing disk space. I have seen this many, many times.

    "A less likely possibility would be a rootkit. Booting off one of the many recently reported-on [rootkit-revealing] tools would hopefully turn this up."

Running Windows' built-in disk-checking utility couldn't be easier: click Start, Run (in XP) or just Start (in Vista), type cmd, and press Enter. At the command prompt, type the following:

chkdsk x: /r

The x represents the letter of the drive you want to check, and the /r switch instructs the utility to repair errors, find bad sectors, and recover whatever data it's able to.

Microsoft's Help and Support site provides complete instructions for using the Chkdsk utility in article 315265 (the article specifies XP, but the information applies to Vista as well).

Scott Spanbauer reviews several free tools for detecting and removing rootkits in his May 22, 2008, Best Software cialis mail order title=”http://windowssecrets.com/links/casamqr63t9zd/16600eh/?url=windowssecrets.com%2F2008%2F05%2F22%2F05-Top-free-tools-for-rooting-out-rootkit-spies”>column (paid content).

Go to the source for a copy of Ubuntu on disc

The rap on Linux — at least among Windows users — has long been that the alternative OS is too difficult to install and use. Scott Spanbauer's Jan. 8, 2009, Best Software column (paid content) described the free Wubi installer utility for the Ubuntu distribution of Linux. Reader Howard Harner points out that you can also get a free copy of Ubuntu on disc, if you're patient.

  • "I'm glad to see your discussion of Ubuntu, since I have been using it as an alternative to uSoft [Microsoft Windows] for years. For older computers, cruising the Web, and copying CDs, it's great.

    "You didn't mention that one can get a free disk from Ubuntu that contains two versions of the OS — a full-install copy and a version that will run on top of Windows — by going to their Web site and filling out the short application form. It usually takes less than two weeks to receive it."

In fact, many Windows users choose to run Ubuntu off the CD rather than to create a hard-drive partition for the OS. Of course, you can burn your own Ubuntu CD. You'll find the download and instructions for creating your disc on the Ubuntu Community Documentation page.

Permalink • Print • Comment

Has your PC become a spammer’s botnet zombie?


Scott Dunn By Scott Dunn

Worldwide spam traffic dramatically dropped after a major spam server was temporarily shut down last fall, raising public awareness of botnets: networks of PCs that have been turned into spam-spewing robots.

Most antivirus applications are ill-equipped to stop this kind of malware, but you can reduce the risk of having your PC become zombified.

Last November, a provider of Internet connectivity named Hurricane Electric pulled the plug on hosting company McColo. Immediately, the worldwide volume of spam dropped a whopping 65%, according to some estimates.

As explained by Brian Krebs in an cialis jelly title=”http://windowssecrets.com/links/casamqr63t9zd/948e29h/?url=www.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2008%2F11%2F12%2FAR2008111200658.html%3Fsid%3DST2008111801165%26s_pos%3D”>article at WashingtonPost.com, Hurricane — one of the two companies McColo depended on for its Internet connection — took the action after the newspaper informed the provider of McColo's role in hosting all sorts of Internet bad guys.

According to Krebs, McColo's clients included "international firms and syndicates that are involved in everything from the remote management of millions of compromised computers to the sale of counterfeit pharmaceuticals and designer goods, fake security products, and child pornography via e-mail."

The spam reduction held for a couple of weeks before rebounding, according to a Nov. 26 story at InfoWorld.com.

McColo's servers didn't send out the spam themselves. Instead, they provided the command and control for a vast network of PCs infected with malware. A collection of hacked PCs that have been turned into automated spamming machines is known as a robot network or "botnet." Security professionals name these botnets after the malware that runs them, which include Asprox, Rustock, Cutwail, and Srizbil.

The malware creators rent their botnets to spammers, who in turn use the control servers to coordinate the transmission of huge amounts of junk mail, as explained in another Washington Post story.

Your computer could be a spam zombie and you might never know it. And if you think your security software is keeping your computer safe from botnet slavery, you'd better think again.

A recent study by security firm FireEye revealed that antivirus products detect bots less than half the time. The study tested AV programs using Virus Total's free malware-scan service; consult that site for a list of the AV products tested.

Your four-step spambot-safety program

What can you do to prevent becoming a botnet victim? Although there are no perfect solutions, the following actions will help prevent your system from being compromised. (My thanks to the security blog written by Wiz Feinberg for many of the tips.)

Step 1: Keep your security products up-to-date. Although the FireEye study found little protection against bots from antivirus products, the study's author, FireEye chief scientist Stuart Staniford, did note that "AV works better and better on old stuff — by the time something has been out for a couple of months, and is still in use, it's likely that 70% to 80% of products will detect it."

Update your antivirus program regularly with the latest patches and virus definitions; even if the app doesn't catch the latest bot, your AV protection will reduce your risk of catching older malware still circulating around the Internet.

Step 2: Use a software firewall. By carefully monitoring your Internet connection, you'll reduce your risk of infection by botnet malware. By default, the firewalls built into Windows XP and Vista monitor only incoming connections. The firewalls can be configured to monitor outbound traffic, but doing so is technical and problematic for most users. The differences between the firewalls in XP and Vista are described in this Microsoft TechNet article.

Many free, third-party software firewalls are bidirectional. Third-party firewalls sometimes require updates after you install Patch Tuesday fixes from Microsoft, but the added functionality of these firewalls can make this inconvenience worth living with. WS senior editor Ian "Gizmo" Richards describes the best products in his July 31, 2008, column.

Step 3: Get a free diagnosis. Some security products are intended specifically to combat the botnet plague. For example, RUBotted is a free utility from Trend Micro that sits quietly in your system tray and monitors suspicious activity (more info). If the program spots an infection, it alerts you to take action. The program is currently a beta, but it worked fine for me.

According to a post by security blogger Feinberg, RUBotted encourages you to scan your system with Trend Micro's free HouseCall online virus-scanning service, which detects and removes many malware infections. Note that on my system, RUBotted uses 8MB of RAM.

Trend Micro RUBotted
Figure 1. Scan your system with Trend Micro's RUBotted to ensure that your PC is bot-free.

Full disclosure: Feinberg's blog is sponsored in part by RUBotted's manufacturer, Trend Micro. But I don't consider this to be an argument against using RUBotted.

Step 4: Try Norton AntiBot. Another bot-specific security product is Symantec's Norton AntiBot (more info). This $30 program claims to monitor, detect, and remove bots before they can cause harm. Norton AntiBot uses behavioral analysis rather than definitions for specific bots and received an Editor's Choice award from PC Magazine in 2007.

Security sites such as Marshal continue to report spam-bot activity. The buggers are delivering junk mail, malware, and other odious data to millions of victims. By using the above bot-prevention tools and techniques, you'll reduce the chances that your machine's a spammer's helper.

Permalink • Print • Comment

XP deadline extended toward launch of Windows 7

Dennis O'Reilly By Dennis O'Reilly

Microsoft has acknowledged that it will allow system builders to pay for installed copies of XP through May 30, rather than shutting down the pipeline this month.

If you order from your preferred vendor by Jan. 31, you may be able to rely on XP for new systems almost right up until the long-awaited Windows 7 ships, an event that's expected cialis instructions to occur within a few months.

Vista is looking more and more like the Edsel of the computer industry. Presumably as a result of slow uptake by corporations and individual users, Microsoft last month confirmed that it will allow OEMs and smaller-scale "system builders" to pay as late as May 30, 2009, for copies of XP ordered by Jan. 31. (Vendors won't have to pay Microsoft until the systems sell. MS previously had been expecting payments for copies of XP by Jan. 31.)

The details of Microsoft's new, flexible inventory program were first reported on the ChannelWeb site.

Combine this news with reports that Windows 7 may ship as early as mid-2009, and it looks like Microsoft is ready to relegate Vista to the binary scrapheap. Maybe the company's recent $300 million marketing push for Vista wasn't so successful as Microsoft claims it was.

As Mary Jo Foley states in her All About Microsoft blog, vendors of low-budget PCs such as netbooks were already being allowed to sell new systems based on XP through June 30, 2010, or one year after Windows 7 ships — whichever came first. Microsoft's new policy now gives a reprieve to builders of mainstream computers, and to end users who want to buy systems running Windows XP, not Vista, indefinitely or until Windows 7 is a proven commodity.

Will the Windows 7 RTM make an early entrance?

The official release of Beta 1 of Windows 7 to the public is widely expected to occur next week. If all goes well with the remaining testing, indications are that the final, RTM (released to manufacturing) version will be available as early as August. Lending support to this theory is the fact that the end-user license agreement of Beta 1, like all recent prerelease versions of Windows 7, states that the software will expire Aug. 1, 2009.

This feature — as well as the use of the product's built-in slmgr -rearm command to extend the beta's trial period without an activation key — was recently explained by Marius Oiaga of Softpedia. Other sources predict that Windows 7 won't ship to OEMs until October 2009, becoming available to end users the following month.

Early reviews of the Windows 7 beta, such as those summarized by the Telegraph of London, variously describe the new operating system as being not much different from Vista or representing an unspectacular-but-solid improvement. If Windows 7 turns out to have better performance and reliability than Vista, as some reviewers believe, the OS may gain a measure of relieved acceptance from end users after only a few months on the market.

Paying a premium to downgrade from Vista to XP

The extended availability of XP on new PCs will gladden the hearts of many Windows users. For a few unfortunates, however, the XP option is coming at great cost.

Eric Krangel reports on the Silicon Alley Insider blog that Dell has gradually been inflating its surcharge for "downgrading" a PC from Vista to XP. The bite rose last June from U.S. $20 to $50, then spiked in October to $100, and now is a whopping $150.

The fact that Dell's customers appear to be willing to pay this amount or more to avoid Vista may be the greatest indictment of Microsoft's unloved OS.

The reality is that the Redmond software giant has been forced by popular opinion to provide customers with a Vista-free option — an extended life for XP — more than two years after Vista's rollout. Depending on your point of view, this concession can be interpreted negatively as an act of desperation or more positively as a burst of marketing acumen on the company's part.

As usual, the truth is likely somewhere in between.

Permalink • Print • Comment
Next Page »
Made with WordPress and an easy to customize WordPress theme • Sky Gold skin by Denis de Bernardy