Panda USB and AutoRun Vaccine
UPDATE October 8, 2009: New version 1.0.1.4 released.
The Microsoft Windows Operating Systems use the AUTORUN.INF file from removable drives in order to know which actions to perform when a new external storage device, such as a USB drive or CD/DVD, is inserted into the PC. The AUTORUN.INF file is a configuration file that is normally located in the root directory of removable media and contains, among other things, a reference to the icon that will be shown associated to the removable drive or volume, a description of its content and also the possibility to define a program which should be executed automatically when the unit is mounted.
The problem is that this feature, widely critizised by the security community, is used by malware in order to spread by infecting as soon as a new drive is inserted in a computer. The malware achieves this by copying a malicious executable in the drive and modifying the AUTORUN.INF file so that Windows opens the malicious file silently as soon as the drive is mounted. The most recent examples of this are the W32/Sality, W32/Virutas and also the W32/Conficker worm which, in addition to spreading via a vulnerability and network shares, also spreads via USB drives.
Due to the large amount of malware-related problems associated with Microsoft AutoRun we have created a free utility for our user community called Panda USB Vaccine.
Computer Vaccination
The free Panda USB Vaccine allows users to vaccinate their PCs in order to disable AutoRun completely so that no program from any USB/CD/DVD drive (regardless of whether they have been previously vaccinated or not) can auto-execute. This is a really helpful feature as there is no user friendly and easy way of completely disabling AutoRun on a Windows PC.
USB Vaccination
The free Panda USB Vaccine can be used on individual USB drives to disable its AUTORUN.INF file in order to prevent malware infections from spreading automatically. When applied on a USB drive, the vaccine permanently blocks an innocuous AUTORUN.INF file, preventing it from being read, created, deleted or modified. Once applied it effectivelly disables Windows from automatically executing any malicious file that might be stored in that particular USB drive. The drive can otherwise be used normally and files (even malware) copied to/from it, but they will be prevented from opening automatically. Panda USB Vaccine currently only works on FAT & FAT32 USB drives. Also keep in mind that USB drives that have been vaccinated cannot be reversed except with a format.
Download
Panda USB Vaccine is a 100% free utility. We’ve tested it under Windows 2000 SP4, Windows XP SP1-SP3, and Windows Vista SP0 and SP1. Feedback is always welcomed. Click on the download button below to start downloading.
Command line Operation
For advanced users who wish to run Panda USB Vaccine automatically at boot to notify every time a new USB device is mounted on the system or to perform network-wide computer vaccinations via login scripts or other distribution methods, Panda USB Vaccine can be operated via command-line. Its input parameters are the following:
USBVaccine.exe [ A|B|C|Z ] [ +system|-system ] [ /resident [/hidetray] ]
[drive unit]: Vaccinate drive unit
+system: Computer vaccination
-system: Remove computer vaccination
/resident: Start program hidden and prompt for vaccinating every new drive
/hidetray: Hides tray icon when used with the /resident command
Examples:
To vaccinate USB drives F:\ and G:\, use
USBVaccine.exe F G
To vaccinate the computer, use
USBVaccine.exe +system
To vaccinate computer and prompt for vaccinating every new drive without showing a tray icon, use
USBVaccine.exe /resident /hidetray +system
It could be very useful to create a Shortcut in the Startup folder to USBVaccine.exe with this last command line (or without the /hidetray) to make sure that every time you boot the computer USBVaccine gets loaded by the system and it vaccinates the computer and prompts the user for vaccinating any new non-vaccinated USB drive. However if you do this under Vista, UAC will block it from running at Startup as it requires admin priviledges. We’ll fix this in future versions.
Buenos däias tengo un pendrive formateado en NTFS y el usb vacune no le puede vacunar. ¿solucion?
very good tools thanks To panda !
Version 1.0.0.50
unable to execute file : schtasks.exe
create process failed ; code 2
How to remove vaccination from usb with NTFS formatted ???
@Peter, can you try the following:
1- open a command-line window
2- type “schtasks” and then hit enter
Do you get an error? Which one?
How about a portable version in addition to the installer. The installer is nice, but I like to keep a portable version also. Thanks for the utility.
Also, it says to read the help before you enable NTFS support, this help would be where?
I try to to install command mode with /agreelicense] option for avoid the agreement dialog, but not work. It still present. Who can give me solution.
Thanks.
@redsec, try using /agreelicense along with either /silent or /verysilent parameter.
For example:
USBVaccine /silent /agreelicense /resident /experimentalntfs
After vaccinating my USB drive, I find that I cannont UNvaccinated it (as I can my Computer).
Why is there no option to REMOVE VACCINE from a USB drive (as there is for the Computer)?
Thanks,
CurlySue
@ pedro bustamante
thanks a lot for your solution
I use
USBVaccine /silent /agreelicense /resident /autovaccinate /hidetray /agreelicense
but I no seen USBVaccine process running.
@CurlySue, there’s no way to un-vaccinate from within Windows other than to backup your files and format the USB drive.
@Redsec, you can use the same parameters but without /hidetray and then you’ll be able to see it running.
[autorun]
open=driver\usb\–¼‡‘Š•†‘ÀŒŽ
action=Open
shell\open=Open
shell\open\command=driver\usb\–¼‡‘Š•†‘ÀŒŽ
Usb_Driver installed
i have this
what should i do ??
is that virus ?
Panda Tec
Tried Vaccination on my SONY ICD-SX57 Digital Voice Recorder Stick using Beta version 1.0.0.18 but it only came up Vaccination was not possible
Today I have formatted my SONY ICD-SX57 Digital Voice Recorder Stick and tried New version 1.0.0.50 released and when I plug the Digital Voice Recorder Stick into the USB the window stays the same INSERT USB KEY, version 1.0.0.50 does not recognize Recorder Stick, Beta version 1.0.0.18 at least did but Vaccination was not possible
Need help why
Mitchell
So what’s the real secret behind the un/detele/modifi/access/able autorun.inf file?
Is good and is helpful thanks
@munky, download Panda USB Vaccine, vaccinate your computer & vaccinate each of your USB sticks. Then, one by one, insert your USB sticks and scan them with your AV or even better with http://www.activescan.com.
@Mitchell, we'll try to get one of those and study the problem.
@Tim Burton, cannot say, don't wanna give clues to the bad guys
Thanks Pedro
Look forward to response, also have a Sony ICDU70 Digital Voice stick and had no problems vaccinating it! Just haven’t been able to on my SONY ICD-SX57 Digital Voice Stick
Thanks again
It is incorrectly installed in W2k.
Does not work with the rights of the user.
@pedro bustamante
but still the same
I mean any process of USBvaccine is not running, no vaccinate any drive.
I look for its on windows task manager, whether with /hidetray or not are the same.
Thanks
I’m glad because this latest version 1.0.0.50 always vaccinate and never prompts, and still comes with the portable version. I have some suggestions: This program could delete the remaining AUTORUN_.INF file and could delete the folder RECYCLE inside the pen (or heal RECYCLE and make it unwritable by the virus too, it could be with hidden property). Also, I think if there would be a easy way (icon?) to distinguish this healed autorun.inf from infected autorun.inf to prevent people to make some mistake.
Also, I noticed that in the installed version, a folder AUTORUN_.INF is always created, even the pendrive is empty (reformatted).
Also I would like to suggest to add an option in the command line:
USBVaccine.exe F G /resident F G
The last F and G drive letters could be the drives that you like to use the /resident parameter.
It could prevent some errors in the newer version. When I opened usbvaccine 1.1.0.50 in one of my computer I got a error dialog box because the program is searching for drive A: (but I only use pendrive as drive F: and next letters). In older version 1.10.0.19 it doesn’t happens, but I always need to click OK to exit or to shutdown the computer. =(
I’ve inserted an infected USB and that tool automatically “vaccineted” it by doing it’s trick with the _existing_ infected binary autorun.inf.
That makes it hard to fix it (I have to backup data and reformat).
Please make your tool smarter!
Well, I don’t know how effective this will prove in the long run, but I have to give you credit for this simple and effective approach. The culprit behind almost all viruses is the annoying autorun feature of windows. So far, I’ve been doing all data transfer in linux for the same reasons. But hopefully, I can do that in windows as well!
Thanks for a great product!
Great Utility. Makes sense, since I wasn’t able to find setting for disabling “Autorun for drives” under Vista (it was in WinXP) and the USB Firewall 1.1.3 is buggy and the USB Disk Security tool is not free and it runs every 10 seconds at about 10% of processing power. Panda runs quiet and very lite on resources. Very nicely programmed.
Just to let everybody like me know.. If you try to vaccinate a large USB flash drive and start the process and you look and wonder, nothing is happening.. Panda window is “not responding”… just wait… For me it was a slow process, it took approx 15 minutes to vaccinate the drive. (and it is a very fast USB flash disk by all means).
how revert the vacination pen drive?
only format the device???
Is there a way to keep vaccination even running other o.s. and after come back to Windows?
Bom dia,
Gostaria de saber por que está aparecendo a seguinte mensagem quando vou vacinar o hd do meu pc.
segue a mensagem:
Vaccination was not possible. Only FAT volumes are supportaded right now
pois ele está no formato NTFS.
tem algum limita para vacinar? pois, meu hd é de 160GB mas so reconhece 148GB.
Obs:vacinei dois hds NTFS e só esse da essa mensagem e tambem 4 pendrives fat32 e nao deu nenhum problema.
Aguardo resposta
Hello New User
Install Panda Antivirus 2010 and forget every things about Virus , Scam and other Malware … i think the one of best software is in this time
Thank alot Panda
Keep it up
Regards
Faisal Ali Khan from pakistan
wolf arts:
A capacidade de disco total nunca e totalemnte utilizada para armazenamento de informação. Parte é reservada para o sistema… por esse motivo é normal o disco parecer ter menos capacidade…
A nova versao beta da vacina já permite a vacina do disco formatado em NTFS.
Prestm atenção ao Mxone. O ikill não é compatível com a vacinação das pen's mas é compatível com a vacinação dos computadores e com programas que tornem as pen's protegidas contra escrita. Atenção que a protecção contra escria pode dar muitas dores de cabeça aos donos das pen's…
(I've written in Portuguese because it is one of the most spoken language in the world…)
@hugh:
http://en.wikipedia.org/wiki/File:Native_speakers_in_the_World.jpg
Pretty cool post. I just stumbled upon your blog and wanted to say
that I have really liked reading your blog posts. Anyway
I’ll be subscribing to your blog and I hope you post again soon!
I ACTIVATED THIS
BUT NW NO USB DEVICES ARE DETECTED BY MY SYSTEM WT IS IT ICANT EVEN OPEN ANY DEVICES
Has the suggestions posted by Satellite at 27 May 09 being implemented?
opps …. not by Satellite but by mihi
It appears from the above that I cannot reverse the “vaccination” of a USB drive with an autorun.inf file. I tried to re-start the vaccination program, but it stalls & never starts up (Not Responding is a s far as it goes). How do I remove this **** from my computer. As far as I can tell you have destroyed one of my backup drives.
Kewl tool!
Thanks!
In the past I’ve just created folder called autorun.inf and that worked for most of the usb virus but not all. This seems to work well.
For those of you who install this & vaccinate your USB drives.. then complain about not being able to remove the protected autorun.inf file —
Why have you not read the comments? I mean there have been several posts all asking same thing. Always the same answer by Panda.
Cannot be edited from within windows & the only solution is to back up data & format the USB device.
Other removal solutions have included using either a linux computer to remove the autorun.inf or bootable linux cd to remove it.
No wonder people get infected so often … running/installing stuff without reading up what the program does. Same for “breaking” things..
Someone says “this is kewl — run it” so people click it without thinking or doing a bit of research first.
Geeezzz …
READ the info provided by the Panda team about the tool before blindly running it.
REad it, absorb it, understand it, then decide if it is useful to your situation.
The info is there.
New version still encounter Windows XP shut down problem (XP SP2 & SP3). Any idea how to solve this? Thanks~!
Great work, keep it up~!
thanks to panda team for such a excellent product for usb virus
@Jon, the problem you mention only occured under Vista, not XP. Are you sure its caused by Panda USB Vaccine? If you can, please troubleshoot and send me details to pedro.bustamante@pandasecurity.com.
My BIG thank to PandaSecurity Team!!!
This is truely the answer to my prayer all along. Been looking on how to disable those nuisance message from my AntiVirus. It deleted the virus but the autorun thingy from USB keep running the registry.
With USBVaccine, problem no more! no more autorun… TQ TQ TQ to ya all..bless U…
This is a very good product for usb.it protect all usb ports by preventing malware from other peripheral devices.we can proudly plug our usb devices when panda vaccination is on
It’s good to take preventive actions
really
thanks
Unsure whether C drive vaccinated. Check mark appears at illustration, but only horizontal bar entry is D drive and I believe that cannot be changed. Please be so kind as to reply.Thank you.
@Robert, are you talking about “Computer Vaccination” or “USB Drive Vaccination”?
If “D” is your USB drive, insert it, open Panda USB Vaccine and then when “D” appears at the bottom of the screen, click “Vaccinate”.
HEY
i installed this one
and now no usb drives are working
the safe removal icon appears in the task bar
but the drive is not detected or its not appear in the ‘my computer’ folder
even the usb mouse is not working
what shud i do to revert this???????????????
reply me
thank’s panda, you save my usb
Congratulations for great idea!
USBVacine is an excellent tool against the plagues.
Brazil
Good day, I vacinated my computer and the usb drive. I found out that the usb is working fine. How come when I put dvd on my player, it would still auto run? hoping for answers…ty.
Great tool. Thanks a lot!