
November 3rd, 2010

Malware running on AutoRun

A normal part of using a computer is seeing the “Removable Device Inserted” announcement when plugging in a memory stick.

This is AutoRun, a genuinely useful feature built into Microsoft operating systems. Besides helping people pick the application that should open the newly inserted files, it is also a very common way of spreading malware. Did you know that AutoRun is the channel by which about two-thirds of current malware spreads?

There are many ways to make AutoRun do something but, unfortunately, fewer ways to recognize what it actually does. Take the code below:

[Image: malicious AutoRun code sample]

Here is a little bit of malicious AutoRun code.

During a one-week period in October, 700,000 computers in our CommunityIQ system sent us data on actual malware attacks. Out of this total, 13.5% came from a USB device. That is more than one out of every eight attempted infections – a number that really surprised me as I did the research.

Our detection code for this malware is “INF:AutoRun-gen2 [Wrm]”. This malware is a worm that starts an executable file which then invites a wide array of malware into the computer. The incoming malware copies itself into the core of the Windows OS and can replicate itself each time the computer is started.

Out of all “INF:AutoRun-gen2 [Wrm]” attacks, 84% of the attempts were repelled by the on-access scans in the avast! System Shield; the malware was detected at the moment the USB device was connected. The remaining 16% were discovered during scans of the computers’ hard drives.

Here is our detection in the VirusTotal results.

[Image: VirusTotal results]

The authors of AutoRun malware are continually developing new ways to obfuscate their work, and I think they enjoy it. I found the sentence “e23 w4 ar3 t43 pr1nc35 0f 39yp6” in some code. That basically means “We are the princes of Egypt” in leetspeak. Another time, I found “;w3 4r3 81tch35, y0u c4nt st0p us!!”, which essentially translates as “We are bitches, you can’t stop us.” I thought about why they are doing it: because they know that they are in the lead.
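As an added example (not from the post or from avast!), here is a small Python parser that normalises an autorun.inf the way a scanner has to before it can tell what the file does: it skips the `;` comment lines and junk padding that obfuscated samples carry, treats section and key names case-insensitively, and lists every directive that would launch a program. The sample file, its section order and the `RECYCLER\update.exe` path are constructed for the demonstration.

```python
import re

# Constructed sample (not from the post): the shape of a worm-style
# autorun.inf, padded with a leetspeak comment and a junk line to hide the
# directives that actually launch a program from the stick.
SAMPLE_AUTORUN_INF = """\
[AuToRuN]
;w3 4r3 81tch35, y0u c4nt st0p us!!
xJ7#qL@9 zzzzzz pr1nc35
ICON=%SystemRoot%\\system32\\shell32.dll,4
label=USB DISK
OpEn = RECYCLER\\update.exe
shell\\open\\Command=RECYCLER\\update.exe
shell\\explore\\command=RECYCLER\\update.exe
ShellExecute=RECYCLER\\update.exe
"""

def parse_inf(text):
    """Return {section: [(key, value), ...]} following INI/INF conventions:
    ';' lines are comments, lines without '=' are ignored, and section and
    key names are case-insensitive (normalised to lower case here)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def launch_directives(text):
    """List (key, target) pairs through which an [autorun] section starts a
    program: open=, shellexecute=, and any shell\\<verb>\\command= entry."""
    hits = []
    for key, value in parse_inf(text).get("autorun", []):
        if key in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", key):
            hits.append((key, value))
    return hits

def launched_targets(text):
    """Distinct programs the file would run, so an analyst can see at a
    glance what an obfuscated autorun.inf really does."""
    return sorted({value.lower() for _, value in launch_directives(text)})

if __name__ == "__main__":
    for key, target in launch_directives(SAMPLE_AUTORUN_INF):
        print(f"{key:<22} -> {target}")
    print("targets:", launched_targets(SAMPLE_AUTORUN_INF))
```

A file whose `[autorun]` section only sets `icon=` and `label=` yields no launch directives, which is the distinction a removable-media policy cares about.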

Categories: analyses, Virus Lab
  1. November 3rd, 2010 at 17:33 | #1

    Great article. No doubt now a lot of people will be informed about this and will be more conscious from now on…

  2. Sua
    November 3rd, 2010 at 17:55 | #2

    May we use Panda USB Vaccine to protect ourselves from AutoRun attacks?

  3. CCS
    November 3rd, 2010 at 18:34 | #3

    Sua – can we presume that you have (*cough* *cough*) Panda and Avast installed???

    It’s not the point of this simply to inform people that read these items…but perhaps to help them take action.
    My corporate customers all have their removable media drives’ properties set to either “prompt” or “take no action”.
    Educating them on the importance of scanning ANYTHING brought into the network is essential.

  4. November 3rd, 2010 at 18:37 | #4

    I must say Avast! is at its best when it comes to autorun viruses. It detects many autorun malware variants which many others fail to.

  5. November 3rd, 2010 at 19:00 | #5

    @Sua
    I’ve tried that… It’s great. But you need to vaccinate the Autorun before it gets infected. What Panda USB Vaccine does is put a padlock on the file… if you ‘vaccinate’ an infected Autorun, you’ll be locking a dangerous autorun file…

  6. November 3rd, 2010 at 19:02 | #6

    @CCS
    That’s really truthful.

  7. Carlos
    November 3rd, 2010 at 22:49 | #7

    Autorun.inf is one of them; it is found on lots of pen drives (USB) and I have observed that it is a very strong medium through which viruses are found. I have also observed that public computers in which USB drives are used are strongly infected and their systems are almost rotten. A cause here is also the lack of good and updated antivirus software. Most of the malware blocked by Avast! (which I use) was detected on these USB drives. A good security measure I have taken is to create a folder on these drives named “autorun.inf”. This way autorun.inf files won’t be able to be written. Another measure is to deactivate the execution of autorun files on all removable media.

  8. frozenfire
    November 4th, 2010 at 01:20 | #8

    Classified.exe is shit and I got it from a USB stick… my first OS was Windows XP and my AV was Avast 4.8, and it failed to remove the virus. Avast 4.8 detected it as a threat and automatically restarted my PC for a boot-scan, and after that the virus was still there… after 12 hrs I couldn’t boot my PC anymore… so my PC was reformatted and I removed Symantec and changed to Avast 5.0 and Avira AntiVir, and after inserting a USB stick again there was the virus again, and finally Avast 5.0 and Avira AntiVir detected it as classified.exe…

  9. Rob
    November 4th, 2010 at 16:10 | #9

    This is all nice and good, but unless Avast can tell me very soon when an equivalent for ADNM and version 5 for server are going to be released, I will be forced to begin looking for another malware protection solution. We have been promised that it was coming out in the summer, then September, but no news and no date. I have been a long-time (greater than 5 years) supporter of Avast and want to stick with them, but my license renewals are coming up at the beginning of the year (and I’m also rolling out new images to my machines at that time). So if I don’t have an answer soon about this, I will be forced to look for a different solution from a different company. Can someone at Avast please give us more information????

  10. J. Lapeer, MICHIGAN
    November 5th, 2010 at 20:11 | #10

    OK, so specifically WHICH setting in Avast should be on to have “on-access auto-scans”?

    It would help to tell us that rather than explaining the internal workings of the virus. I just need to know that I have my avast set right. Thanks.

  11. November 5th, 2010 at 21:06 | #11

    @J. Lapeer, MICHIGAN
    “on-access” is Avast! default setting.

  12. waheed
    November 6th, 2010 at 10:00 | #12

    Great Article

    Visit US And Enjoy Lets Rock

    *webpage removed*

  13. November 6th, 2010 at 10:25 | #13

    @waheed
    Thanks for the reply, but don’t use this blog for advertising.

  14. November 7th, 2010 at 18:39 | #14

    CAN SOMEONE WHO HAS A FULL WORKING COMPREHENSION OF THE ENGLISH LANGUAGE RESPOND TO THE FOLLOWING SUPPORT TICKET NUMBER… I HAVE PAID FOR AVAST INTERNET SECURITY BUT CANNOT GET ANY SUPPORT THAT HAS THIS ABILITY.

    HERE IS THE SUPPORT TICKET NUMBER:

    LOJ-198829

    MAYBE IT’S JUST ME, BUT WHEN I PAY IN A SPECIFIC CURRENCY AND AM PROMISED PROFESSIONAL SUPPORT, I EXPECT THE SUPPORT TO BE FULLY VERSED IN THE COMPREHENSION OF THE LANGUAGE BACKING THAT CURRENCY. THIS WAS A POOR DECISION ON ALWIL’S PART, WHICH WAS NO DOUBT TAKEN FROM MS’S BOOK OF KEEPING EVERY DIME THEY GET, AND I APOLOGISE FOR SOUNDING SO INSULTING. I JUST SPENT 45 MINUTES ON THE PHONE AND YOUR AGENT WANTED TO REMOTE CONNECT TO FIX THE ISSUE… WHICH WOULD NOT FIX THE ISSUE AS SEEN IN THE SUPPORT TICKET.

    ***PLEASE NOTE THE TITLE OF THE SUPPORT TICKET, AS YOUR AGENT RICHARD SHRANK KEEPS COMBINING MY OTHER ISSUES INTO THIS TICKET***

  15. November 7th, 2010 at 18:41 | #15

    I also apologise for using this blog to try and get the support promised when I paid for Avast 5 Internet Security, but where else can I go other than a CEO, knowing this as a business owner myself.

  16. November 7th, 2010 at 18:43 | #16

    Avast, the product, is the best in existence, but the support for a paid version is far from what the product puts out.

  17. Petr Bucek
    November 8th, 2010 at 11:16 | #17

    Hello Jason,

    I am sorry for that. It might happen that two issues were combined into one, because we have problems with people sending us new tickets instead of replying to current ones; however, I think that we can solve it even in one ticket.

    As this blog is not designed to solve such issues, we will reply to you through our ticketing system (we are investigating your issue at the moment). Again, please accept our apologies for combining tickets, and I hope that we will clarify it at your earliest convenience.

  18. Jayson Messick
    November 8th, 2010 at 17:39 | #18

    I will pre-emptively apologise for the moment. First for using your blog to get this attended to. Second for understanding sometimes server issues happen. Please further your investigation as it has happened again and the newer issue is COMPLETELY virus related, as my internet is running but WebShield, MailShield, and AntiSpam report they are non-functioning. I will try to repair Avast and clean my PC’s file system.

    Please remove this Mr. Shrank from dealing with any of my support issues, as the ones he combined have nothing to do with each other. Again, my apologies for my own lack of professionalism. If I could be allowed back into the forums I would not use that system whatsoever.

    *I am not soliciting anything either, simply was frustrated over the ‘I’m right no matter what’ attitude on the forum. Please feel free to delete this comment once you have read it, as it does not belong here.

  19. Jayson Messick
    November 8th, 2010 at 17:44 | #19

    This is a fantastic article!!! I’ve had this assumption for a couple of years now. It’s awesome that a company is realising attacks come from our very own files on external media and trying to deal with it.

    I think motherboard manufacturers need to address this as well, as a motherboard will also AUTORUN a USB device… if properly coded, and in today’s threats it’s very likely. I myself am dealing with an infection that I can only refer to as “HRZR_EHANCN” or one of its other variants (HRZR_PGYFRFFVBA) that places itself into a ‘safe’ registry entry. It seems to be from the 180Solutions group… a very nasty sort.

    I look forward to watching Avast expose many other ‘unknown’ causes of viruses, maybe even investigating how safe ANY P2P or torrenting is… as a percentage.

    GO ALWILM AND KEEP DOIN IT RIGHT!!!

  20. Jayson Messick
    November 8th, 2010 at 17:45 | #20

    ..that’s ALWIL…

  21. Jayson Messick
    November 9th, 2010 at 01:29 | #21

    …try again… Mr. Shrank simply stated what I am telling him is the problem as though he actually did something. I still cannot register through support.avast.com and get the confirmation email as requested to my main email. The same email I used in this blog. The same email you delivered my license to. How hard is that really to grasp? I’m sure it looks like I keep posting random issues to the same account, but that’s him combining them. I had to track down why Avast was not starting up with the network by myself because he has the thing so confused.

    That’s the issue.

    Can you believe your support staff cannot understand that all I’ve wanted?

    Thanks Alwil for letting me down when the expectations delivered through your product’s performance are off the chart.

    PLEASE, PLEASE, PLEASE, SOMEONE WHO IS A PROFESSIONAL CONTACT ME VIA MY REGISTERED PRODUCT EMAIL SO WE CAN RESOLVE THIS ISSUE AT LEAST.
    I honestly feel like he is purposely trying to irritate me. Not to mention, I also have another issue that is now being ignored as Mr. Shrank simply combines everything that comes in. I tried to do things via phone support but your choice of iYogi is about the same level of support.

    I hope you’re not paying them per response.

    What is going on out there?

    ***and again I apologise for coming to your blog with this, but it seemed almost for a moment it was achieving results.

  22. Jayson Messick
    November 9th, 2010 at 04:44 | #22

    Here is a copy of my newest issue, which I plan on seeing attached to the unrelated ticket # concerning my registration. Explain how and why, please. Until I get some REAL support here this is what’s going to happen. I paid for your product yet can’t get the support promised.
    ———————————-
    When I start my PC, my network is functional with outgoing/incoming internet. However, Avast repeatedly reports that it is not fully protecting my system. The following shields are not running:

    Antispam
    Web Shield
    Mail Shield

    I have included screenshots that show I am connected to the Internet yet Avast Shields are offline.

    OFF NOTE: I will be sending a copy of this not only to a blog, but to EVERY department of Avast, as I feel it will simply be combined into an unrelated issue. Alwil, you have a tech with some kind of personal grudge against me as far as I can see. If you read through TK# LOJ-198829 you will see that SEVERAL UNRELATED ISSUES have been combined into this ticket.

    Alwil, you need to do some in house cleaning.

  23. 1TB
    November 9th, 2010 at 07:41 | #23

    +1 @Rob

    Rob :
    when an equivalent for ADNM and version 5 for server are going to be released

  24. Jayson Messick
    November 9th, 2010 at 17:09 | #24

    When are your techs going to stop combining EVERY SINGLE SEPARATE ISSUE into one concerning my registered product email? Are they being told to simply do this so they can frustrate people who paid for this product? As a disabled veteran who has done support before, this is incomprehensible.

    How does my shields not starting equal Registered Product Email not the same as Support Ticket email?
    (which still has not been dealt with, and that’s just one example)

    I realise that my direct approach to removing 180solutions from the internet may be stepping on toes but this seems personal. As a Marine I cannot support this product any longer.

  25. November 9th, 2010 at 23:11 | #25

    @Jayson Messick
    Hello,
    as Petr Bucek said, this blog is not designed to solve such issues. If you have a problem with avast, write to Avast’s support.
    Further off-topic comments will be deleted.
    Regards

  26. J. Lapeer, MICHIGAN
    November 10th, 2010 at 03:29 | #26

    @Jan Širmer
    ok can you tell me what menu /setting to check please?

  27. November 10th, 2010 at 07:47 | #27

    Avast is a brilliant piece of software. I made an excellent choice.

  28. November 10th, 2010 at 11:25 | #28

    @J. Lapeer, MICHIGAN
    Hello,
    It’s hardcoded in the program, so it can’t be disabled or checked.

  29. tekkman
    November 11th, 2010 at 07:30 | #29

    Nice job on the great article. I actually noticed this myself when the news about that Conficker worm came out last year. USBs may be good for carrying things around, but if you have Internet access then add them to an FTP server, and done!

  30. November 12th, 2010 at 01:43 | #30

    Autorun infections are not new; Conficker was the most notorious infection that caused havoc and educated us. At least we are conscious of what an autorun infection can do to our PC. Most standard antivirus products can scan, detect and delete the infection, but it is better if the setting is made to prompt. Avast 5 home edition is a perfect free solution for home users. With its autoupdate being faster than any other antivirus solution, I like it the most. Very robust and effective but mean on system resources. One can also add a USB antivirus to the traditional Windows antivirus on the PC. But if the correct settings are made, you’ll never need any of those USB antivirus tools. The only antivirus that will never detect or remove autorun pests is CyberDefender free internet security. Is that a rogue app? Avast, what’s your say on that product? Here is the link: http://www.cyberdefender.com/ . The product says it is free, but downloads zombies, pests and ads all by drive-by download, which avast 5 fully blocks and warns about. Years back Avast 4.8 was weak, but its later editions are much better. Thumbs up for the developers, and for still being willing to give it away free.

  31. Hanayoshi
    November 15th, 2010 at 15:16 | #31

    How to enable on-access auto-scans?

  32. November 15th, 2010 at 15:22 | #32

    @Hanayoshi
    Sorry, but I don’t know what you mean by that. :(

  33. November 22nd, 2010 at 17:44 | #33

    Isn’t it amazing how when something is off kilter, a series of events or circumstances arise that shines a big bright light on the situation?


