Fight back against Downadup/Conficker

Back in October, there was a great kerfuffle regarding an out-of-band Microsoft patch. Most geek types refer to it as the "MS08-067" patch, but what you need to know is this: it's a very important patch for a very serious vulnerability in every flavor of the Windows operating system.

Here's the good news: If you get your updates via Automatic Updates and follow instructions regarding installing and rebooting, you are patched. One of the ways the worm (named "Confi(c)ker" or "Downadup") spreads is by scanning the network and looking for vulnerable machines. If you're patched, you aren't vulnerable to this method of infection.

Here's the bad news: This worm also spreads via infected USB thumb drives and network shares--your computer can get infected even if you've installed the MS08-067 patch! So what's a security savvy user to do?

  1. Never, ever, ever plug untrusted USB thumb drives, CD-ROMs, DVDs, external hard drives, picture frames, or other removable media into your computer. This includes your friends' thumb drives, that USB stick you found in the parking lot, maybe even that freebie you got at a trade show.
  2. Disable autorun. Autorun is a Windows technology that allows content to run automatically when a drive (like a CD-ROM or USB thumb drive) is mounted. Malware authors know this and will intentionally place malware on drives that will run automatically when the drive is connected to your computer. Disabling autorun can help to prevent this.
  3. Disable File and Print Sharing if you don't need it.
  4. Enable Automatic Updates.
  5. Keep your antivirus software up to date. Sophos is available free to KU students, faculty, and staff. Just FYI, Sophos does detect the Conficker worm.

So now you're thinking "but they never explained how to disable Autorun." Here's why: it requires monkeying about in the Windows registry, which is a task that should never be undertaken lightly. We want you to keep your computer secure, but we don't want you to wind up in the repair shop! That said, here's how to disable Autorun:

PERFORM THE FOLLOWING STEPS AT YOUR OWN RISK. If you are using a KU-owned computer, STOP NOW and consult your Technical Liaison before you continue!

  1. Right click on the Desktop and select New-->Text Document
  2. Open the document
  3. Copy and paste the following text
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"
  4. Click on File-->Save As... and save the file with a name such as disableautorun.reg

Alternately, we have created a reg file you may wish to use. Right-click here and select "Save File As..." (or Save Target As...) and save the file to your Desktop. Double-click the file. You should see the following message:

Add settings to registry?

Click "Yes." The next message should read:

settings have been added to registry

Once you've done this, Windows will no longer automatically run content it finds on your removable devices, which can help protect you against malware that infects these devices. Here's one gotcha, however: Windows does remember (aka "cache") devices you've used before and will still autorun content on them. If you want to make sure that doesn't happen, you'll need to open the Registry Editor (Start-->Run-->type regedit) and drill down to the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Right-click on the MountPoints2 folder and select "Export." We're going to save this key just in case. Once you've exported the key, right-click on the MountPoints2 folder and click "Delete." This forces Windows to "forget" all of the autorun information for the drives you've used before.
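For readers who would rather script the two registry changes above than edit them by hand, here is an added PowerShell example (it is not the blog's own .reg file). It assumes you run it from an elevated PowerShell prompt and that $BackupDir is wherever you want the exported MountPoints2 key saved.

```powershell
# Added example: applies the same Autorun.inf IniFileMapping override as the
# REGEDIT4 snippet above, then backs up and deletes the MountPoints2 cache.
# Assumptions: elevated (Administrator) PowerShell; $BackupDir is your choice.
$BackupDir   = Join-Path $env:USERPROFILE 'Desktop'
$AutorunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$MountPoints = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Disable-Autorun {
    # Point the Autorun.inf mapping at a section that does not exist, so
    # Windows treats every Autorun.inf it reads as empty.
    if (-not (Test-Path $AutorunKey)) {
        New-Item -Path $AutorunKey -Force | Out-Null
    }
    Set-ItemProperty -Path $AutorunKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Test-AutorunDisabled {
    # $true when the override is in place, $false otherwise.
    if (-not (Test-Path $AutorunKey)) { return $false }
    $value = (Get-ItemProperty -Path $AutorunKey).'(default)'
    return ($value -eq '@SYS:DoesNotExist')
}

function Clear-MountPointsCache {
    # Export MountPoints2 first (the "just in case" backup), then delete it so
    # drives Windows has already seen are no longer autorun from the cache.
    $backup = Join-Path $BackupDir ('MountPoints2-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2' $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed; MountPoints2 was NOT deleted." }
    if (Test-Path $MountPoints) {
        Remove-Item -Path $MountPoints -Recurse -Force
    }
    return $backup
}

Disable-Autorun
if (Test-AutorunDisabled) { Write-Host 'Autorun.inf override is in place.' }
$saved = Clear-MountPointsCache
Write-Host "MountPoints2 exported to $saved and removed."
```

MountPoints2 lives under HKEY_CURRENT_USER, so the cache is cleared only for the account that runs the script; log off and back on so Explorer picks up the change.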

For someone who isn't used to digging around in the Windows registry, this looks pretty gnarly. If you're not sure what you're doing, recruit a Windows-savvy friend to help. It's worth the work--most malware experts are predicting that Conficker could infect between 300-500 million PCs worldwide. What's more, it appears to have a second payload that hasn't been activated yet. There is speculation that it may be extortionware or scareware, but nobody really knows.

Related reading:
CERT Vulnerability Analysis Blog: The Dangers of Autorun
Networkworld: FAQ: How to protect your PC against the Downadup worm
