It’s so easy. Install your virus or worm on a USB memory stick and set it to run automatically via AutoRun. An obvious security risk, and I’m surprised that Microsoft hasn’t already disabled the feature by default in a security update or service pack for XP or Vista.
The company is finally paying attention:
AutoRun entries on non-optical removable storage devices have been disabled to ensure that you are able to make a considered decision before running software from removable media such as USB drives. Worms sometimes attempt to use AutoRun as a vehicle to install malicious software onto your computer. CDs and DVDs, which are not subject to worm injection after manufacturing, will continue to expose the AutoRun choice to enable you to launch the specified software.
says the press release for Windows 7 RC. Personally I think it should apply the same logic at least to writable CDs and DVDs. I’ve disabled AutoRun on my PCs and don’t miss it. I agree though that USB sticks are the biggest risk today – though a little bit of social engineering will probably persuade many users to run a setup file on a USB stick anyway.
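For readers who want to do the same on XP or Vista rather than wait for Windows 7, the following PowerShell script is an added example (mine, not from the post or from Microsoft) that inspects and hardens the AutoRun policy through the NoDriveTypeAutoRun registry value. The key path, the value name and the per-drive-type bit layout are the documented Windows ones; the function names, the assumed default of 0x95 when the value is absent, and the constructed table output are my own. It must be run from an elevated prompt because it writes under HKLM, and Explorer only re-reads the policy at logon, so log off or restart afterwards.

```powershell
# Added example (not from the original post): inspect and harden the
# AutoRun policy on Windows XP/Vista/7 via the NoDriveTypeAutoRun value.
# Run from an elevated PowerShell prompt; writing to HKLM needs admin rights.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Bit mask layout of NoDriveTypeAutoRun. Each bit maps to a drive type as
# reported by GetDriveType(); a set bit DISABLES AutoRun for that type.
# 0x95 (the XP/Vista default) leaves Fixed, CD-ROM and RAM disks enabled;
# 0xFF disables AutoRun everywhere, CDs and DVDs included.
$DriveTypeBits = [ordered]@{
    Unknown    = 0x01
    NoRootDir  = 0x02   # drive letter with no mounted volume
    Removable  = 0x04   # USB sticks, floppy, card readers
    Fixed      = 0x08   # internal hard disks
    Network    = 0x10
    CDROM      = 0x20   # CD and DVD drives, including writable ones
    RamDisk    = 0x40
    Unspecified = 0x80  # any drive type not covered above
}

function Get-AutoRunPolicy {
    # Returns the current mask and, per drive type, whether AutoRun is
    # still allowed. Assumption: an absent value behaves like the 0x95 default.
    $mask = 0x95
    if (Test-Path $PolicyKey) {
        $prop = Get-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $mask = [int]$prop.NoDriveTypeAutoRun }
    }
    foreach ($name in $DriveTypeBits.Keys) {
        $bit = $DriveTypeBits[$name]
        [pscustomobject]@{
            DriveType      = $name
            Bit            = ('0x{0:X2}' -f $bit)
            AutoRunAllowed = (($mask -band $bit) -eq 0)
            Mask           = ('0x{0:X2}' -f $mask)
        }
    }
}

function Test-AutoRunDisabled {
    # True only when every drive type bit is set (mask 0xFF).
    $rows = Get-AutoRunPolicy
    return -not ($rows | Where-Object { $_.AutoRunAllowed })
}

function Disable-AutoRun {
    # Set the mask to 0xFF so no drive type, optical media included, gets
    # an automatic launch. HonorAutorunSetting = 1 is required on systems
    # that have Microsoft's AutoRun update installed, otherwise the mask is
    # ignored; setting it on an older system is harmless.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'HonorAutorunSetting' -Value 1 -Type DWord
    Write-Host 'AutoRun disabled for all drive types; log off or restart to apply.'
}

# Usage: show what is currently allowed, then lock it down.
Get-AutoRunPolicy | Format-Table -AutoSize
if (-not (Test-AutoRunDisabled)) { Disable-AutoRun }
```

Setting 0xFF rather than only the removable-drive bit is the choice the post argues for: a burned CD or DVD is just as writable by an attacker as a USB stick before it reaches the victim, so the "manufactured media" distinction in the press release buys little. The table printed before the change is useful evidence for an audit, since it records which drive types were still auto-launching on that machine.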