Various viruses use the Windows Autorun feature to spread between computers through infected USB drives, MMC/SD cards, cameras and other removable storage devices. This type of virus copies an autorun.inf file to the root of every drive on your PC, internal and external.
Known virus variants of this kind are YahLover (which uses scvhost.exe and killer.exe), Bacalid (which uses ctfmon.exe), IMGKULOT, the FAIZAL.JS virus, etc.
Preventing or blocking viruses from creating or infecting Autorun.inf files
Prevention is always better than cure, so I have prepared a few important points here to prevent this kind of infection.
1. Disable Windows Autorun feature
You can disable the Windows Autorun feature, which may help prevent the automatic launch of virus hook scripts when you plug in USB devices.
How to enable or disable Autorun (Autoplay) function for specific devices in Windows
2. Immunize your drives and block the creation or infection of the autorun.inf file
First, I suggest formatting your drives with the NTFS file system, which has many advantages over FAT/FAT32; the access permissions set below are only available on NTFS. If you want to convert an existing partition to NTFS, use the following command:
convert <drive-letter>: /FS:NTFS
Create a folder named Autorun.inf in the root of each drive. While a folder with that name exists, a file named autorun.inf cannot be created in the same place.
Now open Command Prompt and execute the following commands to deny access to the Autorun.inf folder.
icacls C:\Autorun.inf /deny <User-Name>:F
Example: icacls C:\Autorun.inf /deny Ramesh:F
icacls C:\Autorun.inf /deny Everyone:F
Repeat this step for the other drives, replacing C:\ with their drive letters.
Removing Autorun.inf and disabling the virus or harmful script
Here is the procedure to remove such viruses manually. It's easy, and DOS commands can do it for you.
1. First, boot your system into Safe Mode with Command Prompt. To do this, restart your PC and press F8 while it boots; you will be prompted to select a boot mode.
2. Execute the following commands to analyze the infection.
cd \
dir /ah
type Autorun.inf
Brief description of the commands: 1) switches the command prompt to the root of the drive; 2) displays hidden files in the console; 3) shows the content of the autorun.inf file.
If an autorun.inf file exists, look at its content and remember the path of the virus executable or script.
3. Execute the following commands to remove the autorun.inf file
attrib -h -s -a -r autorun.inf
del autorun.inf
1) unhides the file and 2) deletes the file.
Repeat this step for the other drives by navigating to each drive's root.
4. Now use msconfig.exe (System Configuration Utility), go to the Startup tab and uncheck the virus startup entry to disable it. After that, you can delete the virus from the actual path you got from autorun.inf.
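Step 2 asks you to read autorun.inf and note the path of the virus executable. The following is an added example, not part of the original article: a small Python parser that pulls every launch entry out of the text of an autorun.inf file, skipping comments, junk padding lines and sections other than [autorun]. The function name launch_targets and the sample file content are assumptions constructed for illustration, using the file names mentioned above.

```python
import re

# Keys in the [autorun] section whose value is a command Windows may launch.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def launch_targets(text):
    """Return [(key, program, arguments)] for each launch entry in autorun.inf text."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:      # other sections, junk padding
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not LAUNCH_KEY.match(key) or not value:
            continue
        # The program is the first token; it is quoted when the path has spaces.
        m = re.match(r'"([^"]+)"\s*(.*)|(\S+)\s*(.*)', value)
        program = m.group(1) or m.group(3)
        args = m.group(2) if m.group(1) else m.group(4)
        targets.append((key.lower(), program, args))
    return targets

# Constructed sample content (not taken from a real infection).
SAMPLE = r"""
; qwertyuiop junk padding
[AutoRun]
OPEN = scvhost.exe
shell\open\Command="RECYCLER\killer.exe" /s
shell\explore\command=scvhost.exe
icon=folder.ico
[Other]
open=ignored.exe
"""

if __name__ == "__main__":
    for key, program, args in launch_targets(SAMPLE):
        print(f"{key:24} -> {program} {args}".rstrip())
```

Every program path it reports is a file to disable in msconfig and delete in step 4.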
Happy virus free computing…!
Updated 8/30/2009