
W32/Autorun.worm.dn

Type: Virus
SubType: Worm
Discovery Date: 08/07/2008
Length: Varies
Minimum DAT: 5340 (07/16/2008)
Updated DAT: 5340 (07/16/2008)
Minimum Engine: 5.1.00
Description Added: 08/07/2008
Description Modified: 08/07/2008 12:26 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

Autorun worms, when executed, can drop files into the %system% folder. The worm can also drop a copy of itself, along with an AutoRun.inf configuration file, in all removable devices, the root of all fixed drives and the system folders.

"Autorun.inf" is a text-based configuration file which instructs the Windows operating system to perform some action upon opening a network shared drive, local folder, floppy drive, CD-ROM drive or the insertion of a removable disk drive.
This configuration file is usually intended as a convenience feature; however, it is often misused by malware authors to create malware that spreads automatically without any user interaction.

Note:

  • %System% is a variable that refers to the System folder.
    By default, this is C:\Windows\System32 for Windows XP

The worm can also create a startup entry which will enable the worm’s execution at system startup. An example of such an entry would be:

  • HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
    Data: Worm Executable
    Value: C:\Windows\system32\worm.exe

Miscellaneous Information:

Users who would like to prevent worms that use an “AutoRun.inf” file to execute without any user interaction can disable the Windows AutoRun feature completely with the help of the Windows group policy editor (Gpedit.msc).

Symptoms

Presence of an autorun.inf file on the root of removable and fixed drives.

Method of Infection

This worm spreads by copying itself to network shares and to removable devices, along with an “Autorun.inf”.

Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the “Autorun.inf” file could cause automatic execution of the worm.
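The following triage helper is an added example, not part of the original description or of any vendor tooling. It parses the text of an autorun.inf found on a drive root and lists the directives that would launch an executable; the sample file contents, the extension list and the function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# [autorun] keys that name a program for Windows to launch.
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Assumed list of extensions treated as directly executable.
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Constructed samples: one with launch directives, one with cosmetic keys only.
SAMPLE_SUSPICIOUS = """\
; constructed sample
[AutoRun]
junk line without an equals sign
open=worm.exe
shell\\open\\Command="worm.exe" /q
icon=folder.ico
"""
SAMPLE_BENIGN = """\
[autorun]
icon=setup.ico
label=Backup Disk
"""

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, tolerating junk lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def triage(text):
    """List (key, target) pairs that would launch an executable file."""
    findings = []
    for key, value in parse_autorun(text).items():
        if not EXEC_KEY.match(key):
            continue
        # The first token of the command line is the program; drop quotes.
        m = re.match(r'"([^"]+)"|(\S+)', value)
        target = (m.group(1) or m.group(2)) if m else ""
        if PureWindowsPath(target).suffix.lower() in EXECUTABLE_EXT:
            findings.append((key, target))
    return findings
```

A non-empty result marks the file for review rather than proving infection, since legitimate installer media also use `open=`; on fixed-drive roots and network shares any hit deserves a closer look.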

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

    N/A

Overview

This description is for a worm that is capable of spreading through removable devices and network shares.

The characteristics of this worm with regard to file names, folders created, etc. will differ from one version to another. Hence, this is a general description.
