Advertisement
opexxx

Using PowerShell to Protect Against Conficker (Enabling and

May 3rd, 2014
271
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.41 KB | None | 0 0
  1. Using PowerShell to Protect Against Conficker (Enabling and Disabling AutoRun.inf)
  2.  
  3. PowerShell Team 17 Jan 2009 3:07 PM 3
  4. On the front page of MSN.com today, there’s details about a new worm, Conficker, that spreads using the good old fashioned autorun.inf tricks. It infects USB drives so that, when you plug the drive into another computer, it automatically runs and infects the machine. The article mentioned a post on Nick Brown’s blog that instructs you on various ways to disable autorun.inf files and gives a .REG file for disabling autorun.inf.
  5.  
  6. Here’s the .REG file:
  7.  
  8. REGEDIT4
  9. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
  10. @="@SYS:DoesNotExist"
  11. Recently, I’ve started to like taking small registry hacks and turning them into functions, so here’s a pair of functions that I wrote to automate this registry setting with PowerShell.
  12.  
  13. function Disable-AutoRun
  14. {
  15. $item = Get-Item `
  16. "REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\AutoRun.inf" `
  17. -ErrorAction SilentlyContinue
  18. if (-not $item) {
  19. $item = New-Item "REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\AutoRun.inf"
  20. }
  21. Set-ItemProperty $item.PSPath "(default)" "@SYS:DoesNotExist"
  22. }
  23. Here's Nick's explanation of how it works:
  24.  
  25. This hack tells Windows to treat AUTORUN.INF as if it were a configuration file from a pre-Windows 95 application. IniFileMapping is a key which tells Windows how to handle the .INI files which those applications typically used to store their configuration data (before the registry existed). In this case it says "whenever you have to handle a file called AUTORUN.INF, don't use the values from the file. You'll find alternative values at HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist." And since that key, er, does not exist, it's as if AUTORUN.INF is completely empty, and so nothing autoruns, and nothing is added to the Explorer double-click action. Result: worms cannot get in - unless you start double-clicking executables to see what they do, in which case, you deserve to have your PC infected.
  26.  
  27. In case you want to enable autorun again, you can use this function:
  28.  
  29. function Enable-AutoRun
  30. {
  31. Remove-Item "REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\AutoRun.inf" -Force
  32. }
  33. Hope this Helps,
  34.  
  35. James Brundage [MSFT]
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement