
Windows Users: How to disable Autorun/Autoplay

If you're like most people, you have a USB stick or two that you carry around from place to place. You probably use it for backing up files, bringing papers to the lab to print, transporting data to use with a study group, or a million other uses. If you're a Windows user, you're also probably used to the fact that when you plug your USB stick in, it just pops open and you can immediately start using your files. Neat, right?

The bad news about the Autorun/Autoplay feature (we'll call it Autorun from here on out) is that malware can use that feature to install itself on your computer before you know what hit you. Let's have a look at the contents of an infected USB stick:

[Image: File listing of infected USB stick]

See that file named "autorun.inf"? The Windows operating system put that file there, and the presence of that file is not in itself an indication that a USB stick is infected. If we open the file in a text editor, however, the plot thickens:

[Image: autorun.inf file]

See where those red arrows are pointing? Those lines in the autorun.inf file cause Windows to automatically execute the file located in the BOOTEX folder named "thumbcache_131.exe." That file is malicious and will, if executed successfully, install the W32/AutoRun-AQO worm on the victim system.
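One way to check a stick's autorun.inf for lines like these without eyeballing it, as an added example that is not part of the original article: the Python below lists the entries in the [autorun] section that tell Windows to start a program. The sample file is constructed (only the BOOTEX\thumbcache_131.exe path comes from the text above), and the function name is hypothetical.

```python
import re

# Keys in the [autorun] section that name a program or command for Windows to launch.
LAUNCH_KEYS = {"open", "shellexecute"}
# Context-menu verbs, e.g. shell\open\command or shell\explore\command.
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def launch_directives(text):
    """Return (key, value) pairs from the [autorun] section that start a program."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # only the [autorun] section is examined here
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS or SHELL_COMMAND.match(key):
            findings.append((key, value))
    return findings


# Constructed sample, not the file from the screenshot above; it reuses the
# BOOTEX\thumbcache_131.exe path named in the text.
SAMPLE = r"""
; constructed example
[AutoRun]
label=My Files
open=BOOTEX\thumbcache_131.exe
shell\open\command=BOOTEX\thumbcache_131.exe
shell\explore\command=BOOTEX\thumbcache_131.exe
icon=%SystemRoot%\system32\shell32.dll,4
"""

# Constructed sample with only a label and an icon: nothing is launched.
BENIGN = "[autorun]\nlabel=Backup\nicon=drive.ico\n"

if __name__ == "__main__":
    for key, value in launch_directives(SAMPLE):
        print(f"launches a program: {key} = {value}")
```

An autorun.inf that only sets a label or an icon produces an empty list; any entry that is returned deserves a look at the file it points to before the stick is used.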

Here's the good news: this doesn't have to happen! If you disable Autorun, you prevent the scenario described above from playing out. Here's how you do it:

PERFORM THE FOLLOWING STEPS AT YOUR OWN RISK. If you are using a KU-owned computer, STOP NOW and consult your Technical Liaison before you continue!

  1. Right click on the Desktop and select New-->Text Document
  2. Open the document
  3. Copy and paste the following text

    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"

  4. Click on File-->Save As... and save the file with a name such as disableautorun.reg

Alternatively, we have created a reg file you may wish to use. Right-click here and select "Save File As..." (or Save Target As...) and save the file to your Desktop. Double-click the file. You should see the following message:

Add settings to registry?

Click "Yes." The next message should read:

settings have been added to registry

Once you've done this, Windows will no longer automatically run content it finds on your removable devices, which can help protect you against malware that infects these devices. Here's one gotcha, however: Windows does remember (aka "cache") devices you've used before and will still autorun content on them. If you want to make sure that doesn't happen, you'll need to open the Registry Editor (Start-->Run-->type regedit) and drill down to the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Right-click on the MountPoints2 folder and select "Export." We're going to save this key just in case. Once you've exported the key, right-click on the MountPoints2 folder and click "Delete." This forces Windows to "forget" all of the autorun information for the drives you've used before.

For someone who isn't used to digging around in the Windows registry, this looks pretty gnarly. If you're not sure what you're doing, recruit a Windows-savvy friend to help.

Feeling particularly geeky? You can read up on the structure of the autorun.inf file, its capabilities, and its drawbacks at http://www.autoruntools.com/autorun-inf.php.
