Solved

A Question About Folders!

Posted on 2011-09-24
Last Modified: 2012-05-12
Hi experts!
If you're looking for a new challenge read this!
It's just about creating folders!

I have flash memory security software that creates a non-deletable folder called autorun.inf on removable storage!
This autorun.inf folder prevents viruses from writing their own inf file to the disk! A nice idea!
But how it works is important:
Inside the autorun.inf folder there is a directory called "immunity." which cannot be modified in any way.
When I want to enter it I see the below error message. (See the attached file)
It seems to be some kind of shortcut! (but not a regular one)
I want to know how to create such a folder!

What's your opinion about this?
I appreciate any guess or comment about this!

You can find more info on this link.
In the comments I've answered some questions and clarified more.

P.S. I wrote this question at the suggestion of the moderators. I hope it is not considered "Double Questioning"!
immunity-properties.JPG
folder-unavailable.JPG
Question by:Arman Khodabande

17 Comments

Expert Comment

by:Radhakrishnan Rajayyan
ID: 36592730
Autorun.inf is generally a virus-generated file. If your flash drive is getting an autorun.inf file, it indicates that your flash drive is infected with a virus. The better option is to format the drive, or if you have any important file or folder on it, that will not work until the infection gets removed. Follow the procedure below in case it helps you resolve the issue.

Also, sorry, I am not able to find anything from your screenshot, since it just shows one folder's properties and the error message while accessing it; unfortunately it will not help us identify your exact issue.

1. Open up a command prompt (i.e. cmd.exe) >> to load it go to Run, type cmd, enter.
2. Now remove the virus's attributes (in order to delete it): type the following line by line and execute each by pressing enter.
e.g.
F:
F:\>attrib -s -r -h *.*
If there are any malicious EXE files, those are now visible, so if unnecessary delete them too.
F:\>del autorun.inf

Please let me know your thoughts.
3. After finishing the above, remove the pen as soon as possible (just after executing the del command).
4. Now your pen is without the virus activation config file. Now you can safely delete unnecessary EXE files on it.

Assisted Solution

by:Steve Knight
ID: 36592801
I think you missed the point there radhadkrishnan....

I don't know offhand how to, but will have a go myself and am listening for other people's comments.

Even if Windows doesn't allow something, it doesn't mean that a program can't be written to bypass certain routines and go lower to the OS, or indeed use a different OS that doesn't have the restriction.

It may also be possible to do something like create a zip file of such a file already created and then unzip it into the right place.

So mainly listening here....

Steve

Assisted Solution

by:DanCh99
ID: 36593379
IIRC, under recent service packs, Windows doesn't even look at the autorun files, as they were abused so much. So, I think your security software is addressing a vulnerability that no longer exists.

In terms of the specific Q, why do you want to create an undeletable folder?

Expert Comment

by:senad
ID: 36593710
You can simply disable the autorun function on removable drives:
http://autorun.moonvalley.com/enable.htm
Also, most antivirus software prevents their execution.
Also, autorun.inf is not a virus but a tool to trigger an already existing virus.
Mind you, that file can also be very useful. So it is up to you.
If you are afraid of the negative possibilities then just disable the entire function. No big deal ....

Assisted Solution

by:senad
ID: 36593712

Author Comment

by:Arman Khodabande
ID: 36594590
Thanks for the responses, but you all answered irrelevantly.

@radhadkrishnan
I said that "autorun.inf" is the name of a folder. It's a folder to prevent the bad INF files from being written to the drive.
I know all about the precautions and viruses.
We're not dealing with viruses here!
It's a folder, not an INF file.

@Dragon-It
I can RAR the folder. I thought about it!
But after extraction of that RAR archive the "immunity." or "zhengbo." folder becomes accessible and loses its original characteristics!
So there's no point in sending such a file.

@Danch99
In all service packs of Windows XP autorun.inf files are welcomed and will be executed! So we have to disable the autorun manually.
I myself use Windows XP SP3.
Only Windows 7 and Vista do not accept autorun.
And about your question I should say that humans always want to know what they don't know! It's in our nature!
I want to know the trick behind this. It's too bad for experts if they can't handle such a simple trick with folders...

@senad
Your answer was completely irrelevant. Please read the question carefully. It isn't an "INF" file, it's a folder.
But thanks for your reference.

Thanks to all. I'm waiting for your new responses.

autorun.inf-folder-all.JPG

Expert Comment

by:senad
ID: 36595278
If I am not mistaken, you wrote:
"This autorun.inf folder prevents viruses to write their own inf file to the disk! "
autorun.inf resides on the root of the drive and not in a folder.
So your 'folder' is useless, as these files get written to the root of the drive.
If you place autorun in a folder it will not work.
I really do not know what your autorun folder is all about.
What's its function? Certainly not preventing autorun.inf from triggering viruses from spreading.
But if you believe that .... it's OK. You're entitled to think whatever you want.



Assisted Solution

by:Steve Knight
ID: 36595363
Blimey, why is it so difficult to understand... If you create a folder called autorun.inf then you can't have a file of the same name... The creating of the undeletable file within that then stops someone deleting the folder.

You can of course make a file with characters such as alt 255 which look like a space, or make it hidden / system / read only, or for NTFS remove all permissions, but I assume these folders are created with some characters that can't be handled by the OS normally?

All of those might be hidden to Explorer or the dir command by default, or fool a casual del command, but Explorer can soon delete them if options are tweaked, or use a wildcard and/or del /a in the cmd prompt.

Have you tried reading the file's dir entry with VBScript, VBA in Office etc. if you don't have any other languages available, or the like, and seeing if there are any odd chars in there...

All in all it is quite difficult to try and reverse engineer something you can't see.

Accepted Solution

by:Arman Khodabande
ID: 36595772
@Senad
Please read dragon-it's comment.

@Dragon-it
Thank you dragon-it!
Finally someone could understand the situation!
The alt+255 trick doesn't prevent the folder from being removed, but creating such a folder inside it prevents it!
And FYI I've created a non-deletable folder myself, which imitates that autorun.inf of that software!
The trick I used to do this was:
1) Create an Autorun.inf folder on the drive.
2) Create one of those prohibited folders on Windows which represent low-level system devices! (con, prn, nul) (Did you know this? You cannot create these folders in Windows normally!)
3) You're done! This folder cannot be deleted or modified!

But I want to know the trick behind this immunity. or zhengbo. folder! I always look for challenges like this!

And as you see, the name of that folder ends with a dot. If you try this you'll understand that you can't add the dot to the end of a folder name!
I think the trick lies here... I found it today!
When you add that autorun folder to a RAR archive and then extract it, you see that the immunity folder has become accessible! If you pay more attention you'll understand that WinRAR has removed the dot from the end of the folder name! WinRAR is smart software!

The only thing that should be revealed is: "how can we add a dot to the end of a folder name?"

Author Closing Comment

by:Arman Khodabande
ID: 36890334
Hooray!
I found out how to create a folder starting with a dot!
I knew the solution for years but never tried it! It can be created via DOS commands. (MD command)

But I couldn't create a folder ending with a dot.
So I searched again and tried hard! I found out that there is a file manager called "Ztree"; it's capable of renaming folders to add dots to the end of names!

And I read somewhere that you can use the Win API to create such a folder!
So that security software has used the second way.
Thank you all.
Good luck

Expert Comment

by:Steve Knight
ID: 36596082
I can create files and dirs with . at the beginning easily enough in the cmd.exe prompt or any language such as VB, VBA, VBScript. I can create files ending in a dot BUT they are seen as files with no extension. What you want is to create it with the filename part with a dot in, I think... then anything that tries to access it will split it at the . for the extension, I guess, and break... this is assuming file / extension are stored separately.

Everything I have tried will translate the . on the end into nothing but a non-extension file.

Author Comment

by:Arman Khodabande
ID: 36601131
Do you know a way to create them with Windows Script Host (vbs files)? Because I'm not familiar with VB itself!

Files with no extension are not needed! We need a folder with a dot at its end.

If you want to see a dot at the end of a folder name, download Ztree and rename a folder with 2 dots after its name!

Expert Comment

by:Steve Knight
ID: 36602313
Dot at the start is easy... dot at the end, every way I know of is treated as a file/folder with no extension rather than a dot in the name. If I find a way I will post.

Steve

Author Comment

by:Arman Khodabande
ID: 36707791
Thanks Steve

Expert Comment

by:Steve Knight
ID: 36890501
No problem, at least I knew what you meant!

If you find a good way of creating them perhaps you could post it here for all of us.

Expert Comment

by:DanCh99
ID: 36892634
OK, I can understand some technical curiosity about how to create an undeletable folder, and that's an interesting discussion point.  I still say that security software that uses this as a defence against malware has missed the point.

Here's the article about how MS disabled AutoRun
http://technet.microsoft.com/en-us/security/advisory/967940

and some criticism of their method....
http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives


Author Comment

by:Arman Khodabande
ID: 36892974
They didn't miss the point, because that security software (Zbshareware USB Disk Security) has removed this feature in its releases since 2010.
Now I understand why . . .
I always asked myself why they removed this feature from their software . . .
However I doubt that. Because when I installed my Windows XP (SP3) it ran the Autorun on USB drives (as far as I remember). I disabled it manually.
Maybe you want to prevent viruses from writing their autorun.inf to your flash (if you connect your USB drive to an infected PC). Microsoft has disabled the autorun. But what if you double-click on your drive by mistake?!
It will absolutely execute the virus, because it's the default option for double-clicking!

I'm still looking for a way to make a folder using Windows Script Host commands. (I just want to know. I've already created a super folder with com folder)
As far as I know WSH accepts VB commands and many more languages like Java.

Thanks for reference
Kpax7
0
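
The folder names discussed in this thread (a trailing dot, or a reserved device name such as con, prn, nul) are ones the normal Win32 path layer rewrites before the file system sees them, which is why Explorer and cmd cannot open or delete them. The following is an added example, not code from any poster or from the security software: it flags such entries in a directory listing and builds the `\\?\` path form that bypasses that rewriting so they can be inspected or removed. The function names and the sample listing are assumptions constructed for illustration.

```python
# Added example: names and helpers are hypothetical, sample listing is constructed.
# DOS device names reserved by Win32 path parsing, with or without an extension.
RESERVED = {"CON", "PRN", "AUX", "NUL",
            *(f"COM{i}" for i in range(1, 10)),
            *(f"LPT{i}" for i in range(1, 10))}


def win32_unsafe_reason(name):
    """Why Explorer/cmd cannot address this entry by name, or None if it is ordinary."""
    if name in (".", ".."):
        return None
    if name.endswith("."):
        return "trailing dot"        # normalization strips it, so the lookup misses
    if name.endswith(" "):
        return "trailing space"      # stripped the same way
    stem = name.split(".", 1)[0].rstrip(" ").upper()
    if stem in RESERVED:
        return "reserved device name"  # resolved to the device, not the entry
    return None


def extended_path(parent, name):
    r"""Prefix with \\?\ so the Win32 layer passes the name through unnormalized."""
    return "\\\\?\\" + parent.rstrip("\\") + "\\" + name


def audit(parent, names):
    """Return (name, reason, cleanup_path) for every entry normal tools cannot reach."""
    findings = []
    for name in names:
        reason = win32_unsafe_reason(name)
        if reason:
            findings.append((name, reason, extended_path(parent, name)))
    return findings


# Constructed listing of F:\autorun.inf, using folder names mentioned in the thread.
SAMPLE_PARENT = "F:\\autorun.inf"
SAMPLE_NAMES = ["immunity.", "zhengbo.", "con", "nul", ".hidden", "docs"]

if __name__ == "__main__":
    for name, reason, path in audit(SAMPLE_PARENT, SAMPLE_NAMES):
        print(f"{name!r:14} {reason:22} {path}")
```

On Windows, the names would come from `os.scandir()` called on the `\\?\` form of the parent directory, and the cleanup path can be passed to `os.rmdir()` to remove an empty entry.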
