Can a virus on a flash drive run itself without autorun?

windows-7 security autorun
19,161

Solution 1

Short answer

No, a file on a drive cannot just run itself. Like all viruses, it needs some sort of initialization. A file does not magically initiate for no reason at all; something has to cause it to load in some way. (Unfortunately the number of ways is bafflingly large and continues to grow.)

Overview

How a virus runs depends largely on the type of file that the virus is in. For example, .exe files usually require something to actually load their code (simply reading their contents is not enough). Picture or audio files are not supposed to be code at all, so they should not be “running” in the first place.

Technical

What often happens these days, is that there are two main methods that malware runs:

  1. Trojans
  2. Exploits

Trojans: With trojans, malware code is inserted into normal files. For example a game or program will have some bad code injected into so that when you (purposely) run the program, the bad code sneaks in (hence the name trojan). This requires placing the code in an executable. Again, this requires the host program to be specifically run somehow.

Exploits: With exploits, what happens is that a file contains incorrect/invalid structures that exploit poor programming. For example, a graphics-viewer program that does not check the picture file may be exploited by crafting a picture file with system code in such a way that when it is read, it overloads the buffer created for the image and tricks the system into passing control to the virus code that was inserted past the buffer (buffer overflows are still fairly popular). This method does not require a file with malware code to be specifically run; it exploits the bad programming and error checking to trick the system into “running” it simply by opening/reading the file.

Application

So how does this apply to a flash (or any other type of) drive? If the drive contains trojans (executable files), then unless the system has AutoPlay enabled or has some sort of autorun/startup entry pointing to the file, then no, it should not run on its own. On the other hand, if there are files that exploit vulnerabilities in the operating system or other program, then simply reading/viewing the file could allow the malware to initiate.

Prevention

A good way to check for vectors by which trojans can run is to check for different kinds of autorun/startup locations. Autoruns is an easy way to check many of them (it’s even easier if you hide the Windows entries to reduce the clutter). A good way to reduce the number of vulnerabilities that exploits can use is to keep your operating system and program up-to-date with the latest versions and patches.

Solution 2

This depends on how the virus is written, and what vulnerabilities exist on the system that you plug the drive into, but the answer is potentially yes.

For example not long ago there was vulnerability inherited way that Windows handled .lnk files that meant that just having a maliciously created file on your drive could execute the virus embedded within it. This vulnerability was also fixed quite some time ago so no up to date system should be at risk but it does show that there are potential attack vectors that are "silent" and can happen, as your friend suggests, without your consent or awareness.

Keep your antiviral running and up to date and only connect devices from people you trust.

You can see information on this particular attack method on this Microsoft page.

Solution 3

No.

The virus can't run itself in any case. Something else needs to run it.

So now the question is: Can it be run when plugged in? The answer is "no" in the ideal case, but "possibly" in the case of a defect in Explorer (or some other Windows component). However, such a behavior would be a bug in Windows, not by design.

Solution 4

Yes, a virus can propagate simply by inserting a USB device (including a flash drive).

This is because there is code (called firmware) on the USB device that must run for the device to be detected. This firmware can do things like imitate a keyboard (and thus run a program), imitate a network card, etc.

Look into "BadUSB" for more information.

Solution 5

On a clean system, I would say that a virus can't run itself. But I think that a program could be written that could be running all the time, just waiting for a drive to be inserted, then look for a certain file and run it, if available. This is pretty unlikely, as the program would need to be installed to run all the time, but it does seem to be within the realm of possible but not very likely.

Share:
19,161

Related videos on Youtube

undone
Author by

undone

Updated on September 18, 2022

Comments

  • undone
    undone almost 2 years

    Someone told me that it's possible for a virus to run itself from Flash memories even if autorun.inf is not present or this feature is disabled using gpedit.msc. He said a virus can run itself as soon as I plug in a flash memory. Is it correct?

  • user541686
    user541686 over 12 years
    You need another \subsubsection and a couple other subsubsubsections, this is nowhere near enough. :P
  • user
    user over 12 years
    Exploits also generally only work (properly) with a single viewer application, and sometimes even just with a single version. For example, if a bug causes MS Word to be exploitable in a certain way, OpenOffice is likely to remain unaffected (or to be affected in a very different way if the bug is triggered). Exploiting features-by-design (executable code in PDFs, ActiveX on web pages viewed using MSIE, etc) is of course a different beast.
  • user
    user over 12 years
    Bugs in software are very often used as exploit vectors by self-propagating viruses. (I dare say no programmer deliberately puts bugs in production software.) Some security holes can stem from features that are by design, such as the long-lasting security problems with ActiveX.
  • Bigbio2002
    Bigbio2002 over 12 years
    This is how Stuxnet infected computers. By merely viewing the icon of the infected file, that triggered a vulnerability and started execution of the code.
  • Scott Chamberlain
    Scott Chamberlain almost 11 years
    One thing to refrence for a example of exploit viruses is how Stuxnet exploited a bug in the way windows handled .lnk (shortcut) files. So just viewing the directory in windows explorer triggered the virus infection.
  • Synetech
    Synetech almost 11 years
    Exploits also generally only work (properly) with a single viewer application, and sometimes even just with a single version. Thankfully yes, though bugs can go undetected/unfixed for a while and thus an vulnerability can be exploited for many versions. ` So just viewing the directory in windows explorer triggered the virus infection.` Yes, that’s exactly the sort of vulnerability that exploits, well, exploit. You don’t have to actually run a file to get infected anymore because simply accessing it (which even viewing a directory listing does) can potentially infect you. ◔̯◔

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

What is the danger of inserting and browsing an untrusted USB drive?
How do I encrypt a dual boot system?
Can see samba shares but not access them
How to remove the pen drive shortcut virus>
How to turn off all secure protection of Windows 7?
Windows 7 keep computer from idling
Windows Task Scheduler can't write to folder even when run as Admin
How to go about temporarily disabling McAfee Internet Security?
What's the best way to copy data without leaving a trace?
Lost admin access to my computer due to corrupt user account (win7)