
The Space Station PC Virus and What it Means to You



Well, the news media has been all atwitter for the past 24 hours about the fact that one or more NASA-owned PCs -- some of the reports seem to claim that ALL of the laptops on the Space Station have been affected -- aboard the International Space Station have been found to be infected with a "virus". Actually, it seems that while the infection was caused by malware, the specific type of malware was what is commonly called a worm; the specific worm was W32.TGammima.AG, often called Gammima for short. It appears that the worm infected the affected Windows XP laptop PCs because it was propagated by use of USB flash drives, often called dangles, and because the factory-set DEFAULT setting in Windows XP is to Autorun, aka Autoplay, any exe files or other executables that Windows notices on any removable media, particularly on USB flash drives.

 

Obviously, based on the above and on the ever-increasing incidence of such flash drive-propagated (and CD-ROM/DVD propagated) worms in the Windows XP environment, it would be prudent for ANY PC user to disable AutoRun/AutoPlay for ALL drives on their PCs, particularly for removable media such as dangles and CD-ROM/DVD drives.

 

By now you may be wondering: "Well great, I guess I kinda needed to know that, as a PC user, and particularly if I run Windows on my PC, but why is Vinny raising this issue in a geocaching forum? How does this affect me in particular as a geocacher? Am I somehow particularly at risk?"

 

And the answer is as follows:

Starting about two years ago, we began to notice a fad in some areas, where it became quite trendy to leave USB flash drives or CD-ROM in caches, and sometimes these media were intended to contain "freebies" such as "free" music, photos or software for other cachers, and in some cases, there was even talk (on various geo forums, at least) of using such removable media as a logbook or to store photos of finders, etc. At the time, there were several forum threads on the Groundspeak forum and local forum where folks were excitedly twittering and chirping about the myriad possibilities of the "exciting" act of leaving dangles or CD-ROMs in caches. On at least one of these forum threads (one at the Groundspeak forums) I posted briefly to the thread a note saying that I was extremely concerned about such an idea, because of the very great and very real possibility that such promiscuous interchange/exchange of removable media -- particularly dangles -- could easily allow the spread of various viruses, worms and other malware. At the time, most of the folks on the thread in question pooh-poohed my caveats, blithely assuring themselves and other forum members that there was no such threat, and citing all sorts of imaginary reasons to explain why they, and their PCs, were immune to such problems, and amazingly, if I recall correctly, the final consensus reached among most thread members was that the practice of leaving dangles and CD-ROM media in caches was quite benign and harmless.

 

Well, folks, as we are seeing with the recent worm infestation on the Windows XP laptops on the International Space Station, it is actually very easy to spread malware, particularly worms, via removable media.

 

I would suggest that if you ever exchange removable media promiscuously in ANY environment, particularly in a geocaching environment, that you will wish to disable AutoRun/Autoplay feature in Windows, and the easiest way to tell you how to get started doing that is to refer you to an excellent article on CNET by computer consultant Michael Horowitz, entitled "Be Safer than NASA and Disable Autorun/Autoplay", and his excellent earlier companion article, also at CNET, entitled "USB Flash Drives Need a Condom", which will walk you, step-by-step, through the procedures necessary to disable Autorun/Autoplay on Windows 2000, Windows XP and Windows Vista. These are excellent articles, and I recommend them highly!

 

Footnote: Oh, and yes, I am just as amazed as you at the fact that Microsoft Windows comes with the factory-set default of ENABLING autorun/autoplay, and this malware-friendly mindset on the part of Microsoft, of course, is one of many reasons why many anti-malware experts and PC security gurus say that Windows is insanely malware-friendly!

 


Edited by Vinny & Sue Team
Link to comment

... I would suggest that if you ever exchange removable media promiscuously in ANY environment, particularly in a geocaching environment, that you will wish to disable AutoRun/Autoplay feature in Windows...

Excellent suggestion for all Windoze users, thanks. Just for clarity it's 'dongle' not 'dangle'... an easy Freudian slip to make after reading 'USB Flash Drives Need a Condom' :laughing:

Link to comment

... I would suggest that if you ever exchange removable media promiscuously in ANY environment, particularly in a geocaching environment, that you will wish to disable AutoRun/Autoplay feature in Windows...

Excellent suggestion for all Windoze users, thanks. Just for clarity it's 'dongle' not 'dangle'... an easy Freudian slip to make after reading 'USB Flash Drives Need a Condom' :laughing:

Ed, I agree with you to the extent that "dongle" is one term also used to denote USB flash sticks, but the reality is that in many parts of the world and in much of the US as well, the usage of the term "dangle" or "USB dangle" to denote a USB flash drive stick has always been very popular. If you are tempted to disbelieve my assertion, then I invite you to do a Google search on the term "USB dangle", and you will find that many major manufacturers and major resellers of those infernal little things refer to them "officially" as "USB dangles", although it is true that the term is somewhat lesser-used than the term "USB dongle"; a quick web search indicates about a 1:9 ratio in favor of the usage of the term "dongle", but there are over a quarter-million websites which use the term "USB dangle".

Link to comment

and because the factory-set DEFAULT setting in Windows XP is to Autorun, aka Autoplay, any exe files or other executables that Windows notices on any removable media, particularly on USB flash drives.

 

Well I think you actually mean that any executable mentioned in an autoplay ini/batch file will be executed, not ALL Executables on the Flash Drive or CD. Don't know about you, but I have flash drives with hundreds of programs on them and none of them get run automatically.

Link to comment

and because the factory-set DEFAULT setting in Windows XP is to Autorun, aka Autoplay, any exe files or other executables that Windows notices on any removable media, particularly on USB flash drives.

 

Well I think you actually mean that any executable mentioned in an autoplay ini/batch file will be executed, not ALL Executables on the Flash Drive or CD. Don't know about you, but I have flash drives with hundreds of programs on them and none of them get run automatically.

Yes, entirely true; I was using verbal shorthand (and I have noticed that Horowitz, in his articles, used the same shorthand) for the sake of brevity, and also wanted to keep it simplified for the sake of non-techies! :laughing:

Edited by Vinny & Sue Team
Link to comment

Obviously, based on the above and on the ever-increasing incidence of such flash drive-propagated (and CD-ROM/DVD propagated) worms in the Windows XP environment, it would be prudent for ANY PC user to disable AutoRun/AutoPlay for ALL drives on their PCs, particularly for removable media such as dangles and CD-ROM/DVD drives.

 

My understanding is that the removable media must be present in order to change the setting. Is there some way in Control Panel to change the default?

Link to comment

http://autorun.moonvalley.com/enable.htm

 

How To Enable Autorun for Other Removable Media

Autorun can be enabled or disabled for all Removable media types, such as a floppy or Zip disk. Windows systems are configured to enable CD Notification, other removable media are by default disabled.

 

The System Properties User interface only exposes the CD Enable or Disable selection. The setting reflected in this dialog makes an entry in the System Registry. It is in this same location that other media types are configured.

 

Notes:

 

Modifying the Registry is not for the inexperienced user. Anyone will tell you, be VERY careful.

The modifications made in this case use Hex not Decimal numbers. If you are unfamiliar with the Registry or the characteristics of base numbering and Hex, studying these topics prior to making these modifications is advisable.

To Modify these Registry Settings, Use Regedit and navigate to the following Key:

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

"NoDriveTypeAutoRun"

 

The default value for the setting is 95 0 0 0. Change the first byte to 91. Restart the computer to make the new setting take effect. You may have to right-click on the floppy and choose AutoPlay from the menu to see the AutoPlay behavior.

 

Mine is set to 91 (no drives autorun)

 

Oooops wrong computer...

Edited by OzzieSan
Link to comment
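
The NoDriveTypeAutoRun value discussed in the post above is a bitmask, so the bytes shown in Regedit can be decoded into drive types. The decoder below is an added example, not part of the original thread or the quoted page; it assumes the bit meanings Microsoft documents for this value, and its function names are hypothetical.

```python
# Added example: decode NoDriveTypeAutoRun as shown in regedit's byte view.
# A SET bit means AutoRun is DISABLED for that drive type.
# Bit meanings are assumed from Microsoft's documentation of this value.
DRIVE_BITS = {
    0x01: "unknown type",
    0x02: "no root directory",
    0x04: "removable media",
    0x08: "fixed disk",
    0x10: "network drive",
    0x20: "CD-ROM/DVD",
    0x40: "RAM disk",
    0x80: "reserved",
}


def parse_regedit_bytes(text):
    """Convert a byte listing such as '95 0 0 0' (hex, little-endian) to an int."""
    parts = text.split()
    if not 1 <= len(parts) <= 4:
        raise ValueError("expected 1 to 4 hex bytes")
    return int.from_bytes(bytes(int(p, 16) for p in parts), "little")


def audit(text):
    """Report which drive types have AutoRun disabled or still enabled."""
    mask = parse_regedit_bytes(text) & 0xFF  # drive-type bits are in the low byte
    disabled = [name for bit, name in DRIVE_BITS.items() if mask & bit]
    enabled = [name for bit, name in DRIVE_BITS.items() if not mask & bit]
    return {
        "mask": mask,
        "disabled": disabled,
        "enabled": enabled,
        "removable_blocked": bool(mask & 0x04),
        "cdrom_blocked": bool(mask & 0x20),
    }


if __name__ == "__main__":
    # Values from the thread (95, 91) plus ff, which sets every bit.
    for sample in ("95 0 0 0", "91 0 0 0", "ff 0 0 0"):
        result = audit(sample)
        print(sample, "-> AutoRun disabled for:", ", ".join(result["disabled"]))
        print("   still enabled for:", ", ".join(result["enabled"]) or "nothing")
```

With the values from the thread, 95 reports removable media as blocked and CD-ROM/DVD as still enabled, 91 clears the removable-media bit, and ff blocks every drive type.
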

Obviously, based on the above and on the ever-increasing incidence of such flash drive-propagated (and CD-ROM/DVD propagated) worms in the Windows XP environment, it would be prudent for ANY PC user to disable AutoRun/AutoPlay for ALL drives on their PCs, particularly for removable media such as dangles and CD-ROM/DVD drives.

 

My understanding is that the removable media must be present in order to change the setting. Is there some way in Control Panel to change the default?

To my best knowledge, the method which I used -- and I used the method outlined for use with Windows XP Home by Horowitz in his excellent article, which involved downloading, unzipping and running Tweakui -- and the method outlined by Horowitz for Windows XP Professional, to disable (or enable) Autorun for any drive types/categories which I chose (checked or unchecked), and that the effect of my choice is permanent, until and unless changed.

Link to comment

Beware of USB keys you find in your employee parking lot. These have been used for industrial espionage - and also for benign penetration testing.

 

Employee picks up USB key, takes it inside, plugs it into their work computer, a concealed program automatically runs and bingo - it takes over employee's computer. More likely, it stealthily searches the computer and network for interesting stuff, then sends it somewhere. All this while the employee is looking at the drive's contents thinking, huh, nothing interesting here.

 

Nasty but true.

 

Oh, and even some digital picture frames have come from the factory with pre-installed malware, believe it or not. Same story: autorun.

Edited by Viajero Perdido
Link to comment

Obviously, based on the above and on the ever-increasing incidence of such flash drive-propagated (and CD-ROM/DVD propagated) worms in the Windows XP environment, it would be prudent for ANY PC user to disable AutoRun/AutoPlay for ALL drives on their PCs, particularly for removable media such as dangles and CD-ROM/DVD drives.

 

My understanding is that the removable media must be present in order to change the setting. Is there some way in Control Panel to change the default?

To my best knowledge, the method which I used -- and I used the method outlined for use with Windows XP Home by Horowitz in his excellent article, which involved downloading, unzipping and running Tweakui -- and the method outlined by Horowitz for Windows XP Professional, to disable (or enable) Autorun for any drive types/categories which I chose (checked or unchecked), and that the effect of my choice is permanent, until and unless changed.

For an update to my reply above, I can report that I have double-checked the TweakUI tool from Microsoft, and it does indeed allow one to disable (or enable once again) Autorun/Autoplay for entire categories or types of drives; the version which I have here presents me with two checkboxed lines, one for CD-ROM and DVD, etc. drives, and one for "removable media" (such as USB memory sticks). And, from re-visiting Horowitz's article, I can report with some confidence that the methods which he shares for Win XP Prof and for Windows Vista also allow disabling Autorun-Autoplay by category/type of drive.

Link to comment

 

Oh, and even some digital picture frames have come from the factory with pre-installed malware, believe it or not. Same story: autorun.

 

I posted something about this awhile back. I heard a story about it on NPR. Apparently the digital picture frames with the pre-installed malware were sending information gathered off the PC to an email address in China (where they were made). The units in question were purchased at a well known big box electronics store.

 

I was in Zambia for a week on business last year along with about 50 others at a working conference. Because the wireless internet connectivity at the place we were staying was sporadic and the work we were doing required a lot of file sharing, many were using USB drives to share files. By the end of the week there were a handful of laptops that were hosed pretty badly with rootkits. Ironically, the conference was funded by a grant from the Gates foundation. Oh, and I did find time to grab one cache while I was there at Victoria Falls.

Link to comment
