Plug and prey
Wednesday, 21. May 2008, 14:12:31
I have this weird habit of collecting computer viruses. Whenever I get one from a spam message, or from p2p, I keep it in a password-protected 7z archive before deleting the original (the password is virus). Recently, I noticed that most of my new viruses came from public computers at internet cafés. It seems that whenever I plug in my USB flash drive, I get one or two malware programs (trojans, worms, adware) with matching autorun.inf files in my root directory. Thankfully, my antivirus was able to prevent these nasties from running when I plugged the USB drive into my home computer or laptop (buy Kaspersky!). Then one day, I plugged my uninfected USB drive into an office PC (I needed to copy some stuff from accounting), and a few stowaways came along for the ride. This pissed me off. Since this PC isn't connected to the internet, its antivirus wasn't getting regular updates. I found out that the malware came from a co-worker's cellphone, whose memory stick had been infected at a public terminal. This co-worker was going to copy some of her mp3s to her workstation and unwittingly copied more than she wanted to. I dutifully got some updates from a connected PC, copied them to her desktop, and spent 30 minutes deleting all traces of the infection from the registry and the system folder.
There has to be a better way to keep my PCs safe. Searching through the internet, I found several good tips on how to prevent infections. One is to turn off autorun/autoplay using the Group Policy module in Windows:
- Click on the Start Button or press the Win button.
- Click the Run command. Type gpedit.msc and press enter.
- If you're using Windows Vista, go to Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies.
- Look for the entry "Default behavior for AutoRun", double-click it and choose Enabled. Set the default to "Do not execute any autorun commands."
- Look for the "Turn off Autoplay", and enable it too. Set it to "All drives."
In Windows XP, you can follow the same procedure (except that you'll find the entry under Computer Configuration > Administrative Templates > System) to turn off Autoplay, but not Autorun. So you might try this neat trick instead (which also works with Windows Vista):
- Open your favorite text editor (e.g. Notepad).
- Copy+paste this:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
- Save the file as noautorun.reg (or any file name, just make sure the extension is .reg).
- Double-click the file and choose Yes on the dialog box.
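Both procedures above (the two Group Policy settings and the .reg file) can be applied and, more importantly, verified from a script. This is an added example, not part of the original post: it writes the IniFileMapping entry from the .reg file, writes the two registry values that the named policies control (NoAutorun and NoDriveTypeAutoRun under Policies\Explorer; that mapping is my assumption, since the post only names the policies), then reads everything back. The function name Test-AutorunHardening is my own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): apply the autorun defences
# described above and read them back. Requires an elevated prompt.

# 1. The IniFileMapping trick from the .reg file: point Autorun.inf handling
#    at a registry key that does not exist, so every autorun.inf reads as empty.
$mapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
New-Item -Path $mapKey -Force | Out-Null
Set-ItemProperty -Path $mapKey -Name '(default)' -Value '@SYS:DoesNotExist'

# 2. The two Group Policy settings, written as the registry values they
#    control (assumed mapping; the post names only the policy entries):
#      NoAutorun          = 1    -> "Default behavior for AutoRun: do not execute"
#      NoDriveTypeAutoRun = 0xFF -> "Turn off Autoplay: all drives"
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $polKey -Force | Out-Null
Set-ItemProperty -Path $polKey -Name 'NoAutorun' -Value 1 -Type DWord
Set-ItemProperty -Path $polKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# 3. Read every setting back so the result is checked, not assumed. Handy on
#    the offline office PC, where you cannot rely on a patched antivirus.
function Test-AutorunHardening {
    $map = (Get-ItemProperty -Path $mapKey -ErrorAction SilentlyContinue).'(default)'
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        IniFileMapping     = ($map -eq '@SYS:DoesNotExist')
        NoAutorun          = ($pol.NoAutorun -eq 1)
        NoDriveTypeAutoRun = ($pol.NoDriveTypeAutoRun -eq 0xFF)
    }
}

Test-AutorunHardening   # each field should be True once the changes are in place
```

Explorer reads the IniFileMapping entry on the next drive insertion, so no reboot is needed for that part; the Policies\Explorer values are picked up the same way a Group Policy change would be, so log off and on again if the check reports False for them.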
According to the guy who came up with this solution:
This hack tells Windows to treat AUTORUN.INF as if it were a configuration file from a pre-Windows 95 application. IniFileMapping is a key which tells Windows how to handle the .INI files which those applications typically used to store their configuration data (before the registry existed). In this case it says "whenever you have to handle a file called AUTORUN.INF, don't use the values from the file. You'll find alternative values at HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist." And since that key, er, does not exist, it's as if AUTORUN.INF is completely empty, and so nothing autoruns, and nothing is added to the Explorer double-click action. Result: worms cannot get in - unless you start double-clicking executables to see what they do, in which case, you deserve to have your PC infected.
Now that my PCs are secure, it's time to secure the USB drive. You can't really prevent malware from copying itself to your stick; that's the price of connecting to a compromised system (which seems to be every public computer in the Philippines). The best thing you can do is to stop it from creating an autorun.inf file on your drive. I've tried creating dummy autorun.inf files with the read-only attribute set, but most malware can still delete them. From the link above I got the idea of creating a folder named autorun.inf instead. It seems that malware authors haven't yet thought of countering this simple solution, but I'm sure they'll get around to it. For the time being, this trick still works.
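The folder trick above is easy to script, and a script can also tell you what an autorun.inf that is already sitting on the stick would have launched, which is useful when you want to know which file on the drive is the payload without double-clicking anything. This is an added example, not from the original post: the drive letter E, the function names Get-AutorunDirectives and Protect-FlashDrive, and the extra Hidden/System attributes on the folder are my assumptions (the attributes only raise the bar slightly; the post notes that malware can clear attributes on files).

```powershell
# Added example (not from the original post): report any existing autorun.inf
# on a flash drive, then replace it with a folder of the same name.
param([string]$DriveLetter = 'E')   # assumed drive letter of the USB stick

function Get-AutorunDirectives {
    param([string]$Path)
    # autorun.inf is a plain INI file. Only the [autorun] section matters, and
    # the keys that start a program are open=, shellexecute=, shell= (default
    # verb) and shell\<verb>\command=. Nothing here is executed, only parsed.
    $inSection = $false
    foreach ($line in Get-Content -Path $Path -ErrorAction Stop) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^(open|shellexecute|shell|shell\\[^=]+\\command)\s*=\s*(.+)$') {
            [pscustomobject]@{ Key = $Matches[1]; Target = $Matches[2].Trim() }
        }
    }
}

function Protect-FlashDrive {
    param([string]$Drive)
    $inf = Join-Path "${Drive}:\" 'autorun.inf'

    if (Test-Path -Path $inf -PathType Leaf) {
        Write-Warning "Existing autorun.inf on ${Drive}: carries these launch directives:"
        foreach ($d in Get-AutorunDirectives -Path $inf) {
            Write-Warning "  $($d.Key) = $($d.Target)"   # the file it names is the payload
        }
        # Remove the file so a folder can take its name. The payload stays on
        # the stick for your antivirus to deal with; it is never run here.
        Remove-Item -Path $inf -Force
    }

    if (-not (Test-Path -Path $inf -PathType Container)) {
        New-Item -Path $inf -ItemType Directory | Out-Null
    }
    # Assumption: hidden + system + read-only makes the folder less likely to be
    # removed by a casual "clean up the root" step; it is not a hard guarantee.
    (Get-Item -Path $inf -Force).Attributes =
        [System.IO.FileAttributes]::Directory -bor
        [System.IO.FileAttributes]::ReadOnly  -bor
        [System.IO.FileAttributes]::Hidden    -bor
        [System.IO.FileAttributes]::System

    # True when a folder named autorun.inf now occupies the root of the drive.
    Test-Path -Path $inf -PathType Container
}

Protect-FlashDrive -Drive $DriveLetter
```

Run it once on a freshly formatted stick, and again after every trip to an internet café: the warning lines tell you whether the drive picked up a new autorun.inf on the way (and which file it points at), and a True at the end means the folder is back in place.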
I was able to harvest quite a few malware samples using my old pendrive. As long as I don't run the nasties, there's no way they can infect my system. Since most internet rental shops here are infected, it's quite likely that a large number of home computers and electronic gadgets with flash memory storage (cellphones, digital cameras, mp3 players) in the Philippines are infected. I can't fix them all, but I hope I can educate some people about the dangers of using flash storage, starting with my co-worker. For her sake, as well as the security of our office PCs, I hope she'll learn her lesson.