6

I work for an IT shop that sees some computers come in with rather nasty viruses. We are working on an autorun script that will run a malware-killing tool (RKill) when we insert a USB or CD (preferably USB). We want to run the tool as soon as the USB or CD is inserted without having a UAC popup, ideally anyway. Our second choice is to have it open the Autorun options, even on PCs that have been locked down a la FBI virus. We have autorun.inf, a .bat that calls a .exe, and the .exe for the tool we want to run in the root of the USB or CD. We have tried the solution found here, but that didn't work.

The code for autorun.inf and rkill.bat are below.
autorun.inf:

[autorun]
open=rkill.bat    
Where the autorun.bat file reads:
start rkill.exe

rkill.bat:

start rkill.exe

I understand that there may not be a reliable way to do this, but any help would be greatly appreciated.

AWarnock
  • Maybe you could try hacking a virus like recycler and steal its autorun. *Note: I would recommend installing Deep FREEZE before trying to hack that virus; Deep Freeze will basically freeze the main system, and if damage is done, just restart and the damage is removed. Also, not sure, but I don't think autorun can operate with just open... idk – CMS_95 Oct 14 '13 at 02:18
  • That was Plan B if this didn't work out. Everything I've read seems to point to not being able to do this without basically writing a virus. I thought I'd ask here to see if someone had some other idea that might work. Thanks for the suggestion though. – AWarnock Oct 14 '13 at 14:07
  • It appears as though this cannot be done on Windows 7, but I would say if you were to make a virus that can remove itself once it has completed the operation, that might work. Aside from that, from what I have found after looking at a few other sites, if you create an autorun.inf it has to look a little like this < shellexecute=file://path to file.> so basically it looks like a shell script. Also, it seems like there is something called a U3 flash drive that is read by Windows as a CD-ROM; this would also work for autorun, I think. – CMS_95 Oct 14 '13 at 21:16
  • That was something else I ran across. I think Windows may have patched that from some stuff I read, but I'm not sure. I'll look into that. I'll also check the shell script idea, though that may have been patched as well. – AWarnock Oct 15 '13 at 13:44
  • I will assume you are trying to run this on xp therefore you should probably take a look at this http://msdn.microsoft.com/en-us/library/windows/desktop/cc144200%28v=vs.85%29.aspx – CMS_95 Oct 16 '13 at 00:31
  • We have it working on WinXP. We're trying to get it working on Win7 and Win8. Thanks for the link though. I'll look through it and see if I can't find anything. – AWarnock Oct 16 '13 at 18:20
  • hmm. okay well I am running 7 so I can test a few things and let you know what I find. – CMS_95 Oct 16 '13 at 18:22
  • You don't have to, but thank you anyway. I really do appreciate the help. – AWarnock Oct 17 '13 at 15:24
  • take a look at the group policy editor there may be something there. at the run prompt (window key+R) type in "gpedit.msc" you can enable or disable autoplay there. – CMS_95 Oct 17 '13 at 21:19
  • possible solution at control>hardware and sound>auto-play>>software and games to run/install... should work I think – CMS_95 Nov 18 '13 at 02:18
  • *"run the tool as soon as the USB or CD is inserted without having UAC popup"* - So basically you're asking how to write a worm. – Jonathon Reinhart Dec 24 '13 at 16:29
  • Instead of trying to achieve the same behaviour as a virus uses, which the OS has tried hard to block in the past, wouldn't it be much easier and more sensible to boot the PC with a boot USB stick or CD-ROM and work from a clean system on the infected machines? – peet Dec 03 '13 at 18:16
  • exactly my idea. Not a good idea to work with a (possibly) infected system. Try googling "virus rescue cd" – Stephan Dec 24 '13 at 16:43

3 Answers

1

use this:

[autorun]
OPEN=rkill.bat
SHELLEXECUTE=rkill.bat
ACTION=run rkill.bat
ICON=rkill.exe,0

Works for me! Also, I run a PC repair shop too, so a tip for you: use a boot disk.

any of these work wonders:

Windows PE (with custom script)

Comodo Rescue Disc

Petter Friberg
cascading-style
0

You could customize the autorun popup to include your exe. Don't know why you're using a batch file to execute a program.

autorun.inf

[autorun]
ShellExecute=rkill.exe
UseAutoPlay=1

Don't know if this works, not at home atm. But doesn't hurt to try.

-D

Dimitri H
0

Alternate to Dimitri's answer above:

[autorun]
Open=rkill.exe
Icon=(icon file) <- OPTIONAL
sudoBash
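
Added example (not from any of the posts above): a small Python auditor a repair bench could run over an autorun.inf found on removable media, listing the entries that would start a program. It covers the keys shown in the answers (open, shellexecute, action, icon) plus the documented shell\verb\command form; the function names, the extension list and the sample input are assumptions made for this illustration.

```python
import re

# autorun.inf entries that make Windows start something from the media.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")
# Assumed list of script/binary extensions worth highlighting.
RISKY_EXT = (".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs", ".js", ".lnk")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section; keys are lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def audit(text):
    """List (key, target, reason) for every entry that starts a program."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            # The target is the first token; honour a quoted path with spaces.
            if value.startswith('"'):
                target = value[1:].split('"')[0]
            else:
                target = (value.split() or [""])[0]
            risky = target.lower().endswith(RISKY_EXT)
            findings.append((key, target, "launches script/binary" if risky else "launches target"))
        elif key == "action":
            findings.append((key, value, "custom AutoPlay prompt text"))
    return findings


# Constructed sample: the entries from the first answer above.
SAMPLE = "[autorun]\nOPEN=rkill.bat\nSHELLEXECUTE=rkill.bat\nACTION=run rkill.bat\nICON=rkill.exe,0\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
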