Overview
This is a generic detection for a configuration text file (autorun.inf) used by the W32/Conficker.worm. This file is usually dropped onto the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.
|
Minimum DAT
5488 (2009-01-07) Updated DAT6147 (2010-10-25) |
Minimum Engine
5.2.00 File LengthN/A |
Description Added
2009-01-07 Description Modified2009-01-28 |
Malware Proliferation
Characteristics
This is a generic detection for a configuration text file (autorun.inf) used by the W32/Conficker.worm. This file is usually dropped onto the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.
The size for this file varies.
Some copies of this file has the System (S) and Hidden (H) attributes present in attempt to hide the file from certain, default, viewing options within Windows Explorer.
The contents of the file are similar to the following:
....Garbage......
shelLExECUte=RuNdLl32.EXE .\RECYCLER\S-x-x-xx-2819952290-8240758988-879315005-xxxx\jwgkvsq.vmx,ahaezedrn
.....Garbage....
Upon Autorun being initiated the file is executed and infection occurs, because this infection is instigated locally the worm does not need to exploit ms08-067, so having applied the patch will not stop the infection.
Symptoms
Method of Infection
Infection starts either with manual execution of the binary or by navigating to folders containing an Autorun.inf whereby the autorun.inf files can cause auto-execution.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants