(IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 1, January 2012
According to Szor, P., AutoPlay is the feature built into Windows that automatically runs a program specified by the file AutoRun.inf whenever a CD-ROM, DVD or USB drive is plugged into a Windows-based computer. Moreover, Tahir, R., Hamid, Z., Tahir, H., noted that “Flash drive infections usually involve malware that loads an AutoRun.inf file into the root folder of all drives (internal, external, and removable) which automatically runs a malicious .exe file on the computer. When an infected USB flash drive is inserted, the Trojan infects the system.” The Autorun section supports an open command that can be used to run executable files. This is the command that malicious code exploits in order to be invoked automatically. A simple Autorun.inf file is:
According to Microsoft Developer Network and Axelson, J., Windows sends all top-level windows a set of default WM_DEVICECHANGE messages when new devices or media (such as a CD or flash drive) are added and become available. When the user inserts a new CD, DVD, or flash drive, applications receive a WM_DEVICECHANGE message with a DBT_DEVICEARRIVAL event. DBT_DEVICEARRIVAL is sent after a device or piece of media has been inserted. Applications receive this message as a notification when the device is ready for use. Each notification contains a device path name that the application can use to identify the device that the notification applies to.

IV. METHODOLOGY

The main advantage of this work is that the removal operation is applied in the background without user interaction. When a USB flash drive connects to the computer, WMDCT discovers it automatically and removes the malicious files from it.

As mentioned previously, when a USB device connects to a computer, the Windows system sends the WM_DEVICECHANGE message to applications. WMDCT starts by listening for this message. As soon as WMDCT receives a WM_DEVICECHANGE message, it performs the scan operation on the connected device. If WMDCT detects any AutoRun.inf file in the connected USB flash drive, it changes the permission of the file to normal and removes it. Also, depending on the settings that the user has selected in the WMDCT interface, all the EXE files or only the EXE files with the hidden attribute are removed.

Another feature that WMDCT introduces is the use of multi-threading to improve its performance. Sometimes more than one USB flash drive connects to the computer at the same time, which causes an overlap. This problem is solved by creating a separate thread for each new USB flash drive that connects to the computer.

The following flowchart demonstrates the algorithm implemented by the WMDCT program to protect Windows systems from viruses that execute using the AutoRun property.

Figure 1: WMDCT algorithm

V. DISCUSSION

The C# language with the .NET 4.0 platform was used to develop the WMDCT program. The WMDCT program was tested in the University of Mosul/ Computer Science
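The listen, scan and remove loop described in the Methodology section can be sketched in C# as follows. This is an added example, not WMDCT's source: the class and method names are hypothetical, it handles only the AutoRun.inf case (not the optional EXE removal), and it assumes a Windows Forms application whose top-level window receives the volume broadcast.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Threading;
using System.Windows.Forms;

// Added example: class and method names are hypothetical, not WMDCT's source.
public class UsbWatcherForm : Form
{
    const int WM_DEVICECHANGE = 0x0219, DBT_DEVICEARRIVAL = 0x8000, DBT_DEVTYP_VOLUME = 2;

    protected override void WndProc(ref Message m)
    {
        if (m.Msg == WM_DEVICECHANGE && m.WParam.ToInt64() == DBT_DEVICEARRIVAL
            && m.LParam != IntPtr.Zero
            && Marshal.ReadInt32(m.LParam, 4) == DBT_DEVTYP_VOLUME) // dbch_devicetype
        {
            // DEV_BROADCAST_VOLUME.dbcv_unitmask is at offset 12: bit 0 = A:, bit 1 = B:, ...
            uint unitMask = (uint)Marshal.ReadInt32(m.LParam, 12);
            for (int bit = 0; bit < 26; bit++)
            {
                if ((unitMask & (1u << bit)) == 0) continue;
                string root = (char)('A' + bit) + ":\\";
                // One background thread per arriving drive, so simultaneous insertions do not overlap.
                new Thread(() => CleanRoot(root)) { IsBackground = true }.Start();
            }
        }
        base.WndProc(ref m);
    }

    static void CleanRoot(string root)
    {
        try
        {
            if (new DriveInfo(root).DriveType != DriveType.Removable) return;
            foreach (string path in Directory.GetFiles(root))
            {
                if (!Path.GetFileName(path).Equals("autorun.inf", StringComparison.OrdinalIgnoreCase))
                    continue;
                File.SetAttributes(path, FileAttributes.Normal); // clear hidden/system/read-only
                File.Delete(path);
            }
        }
        catch (IOException) { }                 // drive removed or file locked mid-scan
        catch (UnauthorizedAccessException) { } // write-protected media or ACL-protected file
    }
    [STAThread]
    static void Main() { Application.Run(new UsbWatcherForm()); }
}
```

The device type is read from the broadcast header before the unit mask so that non-volume arrivals, which use a different structure layout, are ignored.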