Hi zepete,
I must say that is a very good observation, "sprytny" and that means clever. The fact that worms like Conficker (Downadup) can spread so easily and successfully through network shares comes through a bug in Shell32.dll. Microsoft knows about this bug, and developed a patch for it half a year ago, but thought it was not necessary to implement it for Windows XP, Windows 2003 Server or older as a security patch within the monthly patch cycle (they only did that for Vista through MS08-038, re:
http://www.microsoft.com/technet/security/bulletin/ms08-038.mspxNoDriveTypeAutoRun
The bug is found in how the registry value"NoDriveTypeAutoRun" is being processed (this is a "REG_DWORD" value that standard is found for every user under the keyl HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, and system wide does not exist as by default). The buggy version of Explorer (actually Shell32.dll) only looks for the register value at mounting a drive, when a pendrive is being inserted or mapping a networkdrive for a drive-letter, then it will work as expected. Only if one doubleclicks the drive inside explorer to open it, or give a right mouse-click or choose to "Open" or "Explore", Explorer will no longer check "NoDriveTypeAutoRun" but check the contents of a Autorun.inf file in the root of the drive and evaluate this. Just depending on what the contents is of Autorun.inf it is possible to automatically execute a fie - and bingo!
So, zepete, you have found the real crux of the problem.AutoRunSettings is a free tool:
http://www.uwe-sieber.de/drivetools_e.html#autorun to adopt the registry settings manually,
Import the following into the registry is also a good alternative for XP3 i.m.h.o.:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
If you want to disable completely go here for a tool:
http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.htmlStay safe and secure,
polonus
