Autorun.inf Structure

Thursday, May 28, 2009

Autorun.inf Structure

The autorun.inf file is a simple text file that can be opened up in any text editor (e.g. notepad). It always starts with a section header of:

[autorun]

Below this header is a list of different options. Each of these options is in the following format:

option=value

where

option is the option that you want to set and value is the value that you are setting for that option. So, if you had an option foo and you wanted to be set to bar, then you would enter:

foo=bar

(Do not use foo=bar in your autorun.inf file as it is only an example, not a real option setting.) That is all there really is to understand about the structure of an autorun.inf file. On to doing some actual cool stuff with it!


To create a custom icon for your USB drive, use the icon option. Set it to the name of the icon file.

Note: Since drive letters can change for USB drives, the file path is relative to the root of the drive. This means that if your USB drive is presently mounted on U: and your icon is located at U:\Icons\MyIcon.ico, then you would enter \Icons\MyIcon.ico for the value of this option.

For example, if you had an icon on the root of the USB drive called coffeecup.ico and you wanted this to be the icon that showed up for the USB drive, you would enter:

icon=coffeecup.ico

You are not limited to .ico files. If, for example, you have an executable with a nice icon, you can specify it as the icon file. For example:

icon=DCoTopen.exe

This is valid as long as DCoTopen.exe is available on the root of the USB drive.

Some files have more than one icon embedded in them. If this is the case, you can select which icon to use by specifing the index number after the file name. For example:

icon=iconlib.dll,2

This will use the second icon in the iconlib.dll file.


Naming Your USB Drive

If you would like your USB drive to display a specific name othr than the drive label created when it is formatted, use the label option. For example, if I wanted to call my drive DCoT Drive, I would add this to my autorun.inf file:

label=DCoT Drive

Now, when you look at your USB drive in My Computer, it will say DCoT Drive by the drive letter.

Setting AutoPlay Options

AutoPlay is a relatively new function of Windows XP. It allows you to set up what file is run when the USB drive is plugged into the computer and the message that you are prompted with. There are two options that work in conjunction with AutoPlay. The first is open. It specifies the program that you can run automatically with AutoPlay. So, if we wanted to run a program called DCoTopen.exe, you would add the this to your autorun.inf file:

open=DCoTopen.exe

The second option that we add is the message the user is prompted with. To set this, we use the action option. If we want the message to say DCoT Open Program, add the following to autorun.inf:

action=DCoT Open Program


Adding Context Menu Items

There are certain basic options such as Open and Explore that are available when you right click on a USB drive. But, wouldn’t it be cool to add your own? You can using a couple of lines in the autorun.inf file.

The first thing that we need to do is create an action, give it a name, and a message. We do all of this using the shell\verb option. For example, let’s say that we would like to create an action called lost. It does not matter what the actin is called. It can be anything you want. We would also like to show the message Help! I’m Lost! in the context menu. We would simply add this line to autorun.inf:

shell\lost=Help! I'm Lost!

This will display Help! I’m Lost! in the context menu so that you can click on it. But, it doesn’t know what to do when you click on it. Tell the system by using shell\verb\command option. In our example, we want to run the Lost.exe application. Adding this line will do the trick:

shell\lost\command=Lost.exe

You can add as many of these line pairs as you want to make the context menu as custom as you want.

Changing Default Action

When you double click on your USB drive, by default it will open up the drive so that you can browse through the files. Often, it is advantageous to perform some other action when the user double clicks the USB drive icon. You do this with the shell option. If we wanted to run the Lost.exe program from the previous section automatically when we double clicked on the USB drive, we would add this line:

shell=lost

because lost is the name of the action that was specified in the earlier lines.

Viewing a File

If you wanted to view a file on your USB drive in the default application instead of running a program on the drive, you can substitute the open option for the shellexecute option. For example, if you wanted to open up a website called, oh, I don’t know, say http://www.xxxxxxxxxxx.com in the default web browser, you could user the following:

shellexecute=http://www.xxxxxxxxxxx.com

This will work for any file. This is the equivalent of using Start - Run… and then typing in a file name and clicking OK.





How to remove autorun.inf from USB Drive

Worms spreads by creating a copy of itself and starts by autorun.inf files. It is essential to remove the malicious and autorun.inf files not only from computers but also from the source, and that is the USB Drive. PreciseSecurity have created a procedure to delete the malicious files on infected drives.

PROCEDURE:
1. While the computer is still off;
2. Plugin the USB Drive
3. Insert the Windows XP CD-ROM into the CD-ROM drive. It must be the bootable Windows XP Installer
4. Start the computer from the CD-ROM drive. It will start Windows Setup screen
5. When the “Welcome to Setup” prompt appears.Press “R” to start the Recovery Console
6. If asked “Which Window installation would you like to logon to” select the number. Type “1? then Enter, if only one installation of Windows is present
7. Enter the administrator password, press Enter
8. It will bring you to command prompt, C:\Windows>
9. Proceed with the following command:
- Type d: (This is the drive letter of USB. It can be e: or f: defending on how many hard disk or cd drive is installed)
- Type attrib -h -r -s autorun.inf
- Type “edit autorun.inf” it will open DOS Editor and display contents as follows
==========================
[autorun]
open=file.exe
shell\Open\Command=file.exe
shell\open\Default=1
shell\Explore\Command=file.exe
shell\Autoplay\command=file.exe
==========================
Take note on the file that it called to open (in above example it is file.exe)

10. Exit DOS Editor and return to command prompt, D:\>
11. Delete the file that was called to open on DOS Editor
- Type del /f /a file.exe

12. Delete autorun.inf file
- Type del /f /a autorun.inf

13. Exit Recovery Console by typing exit.


1 comment

Post a Comment