Jan Širmer

3 November 2010

Malware running on AutoRun

A normal part of using a computer is seeing the “Removable Device Inserted” announcement when plugging in a memory stick.

This is AutoRun, a really useful tool built into Microsoft operating systems. In addition to helping people pick the application for opening the new files, it is also a very common way of spreading malware. Did you know that AutoRun is a way for spreading around about two-thirds of current malware?

There are many ways how to make AutoRun functional but, unfortunately, less ways how to recognize what does it do. Like the code below:


Here is a little bit of malicious AutoRun code.

During a one-week period in October, we had 700,000 computers in our CommunityIQ system send us data on actual malware attacks. Out of this total number, 13.5% were from a USB device. That is more than one out of every eight attempted infections – a number that really surprised me as I did the research.

Our detection code for this malware is “INF:AutoRun-gen2 [Wrm]”. This malware is a worm that starts an executable file which then invites a wide array of malware into the computer. The incoming malware copies itself into the core of the Windows OS and can replicate itself each time the computer is started.

Out of the total “INF:AutoRun-gen2 [Wrm]” attacks, 84% of the attempts were repelled by the on-access scans in the avast! System Shield. The malware was detected at the time when the USB device was initially connected. The remaining 16% were discovered during scans of the computer hard-drives.

Here is our detection in the Virus Total results.

VirusTotal result

The makers of AutoRun are continually developing new and new ways how to obfuscate their work, and I think they enjoy it. I have found the sentence “e23 w4 ar3 t43 pr1nc35 0f 39yp6” in some code. That’s basically means “We are the princes of Egypt” in the leetspeak. Another time, I found “;w3 4r3 81tch35, y0u c4nt st0p us!!” , which essentially translates as “We are bitches, you can’t stop us.” I thought about it, why they are doing it? Because they know that they are in the lead.

Threat Research, Security News