Xs Certified Noob - Level 5


Subject: Malware running on AutoRun
Thu Nov 04, 2010 7:10 pm

Avast Blog, November 3rd, 2010, Jan Širmer

Quote:
A normal part of using a computer is seeing the “Removable Device Inserted” announcement when plugging in a memory stick.
This is AutoRun, a really useful tool built into Microsoft operating systems. In addition to helping people pick the application for opening the new files, it is also a very common way of spreading malware. Did you know that AutoRun is a way for spreading around about two-thirds of current malware?
There are many ways to make AutoRun functional but, unfortunately, fewer ways to recognize what it does. Like the code below:
[Image: AutoRun]
Here is a little bit of malicious AutoRun code.
During a one-week period in October, we had 700,000 computers in our CommunityIQ system send us data on actual malware attacks. Out of this total number, 13.5% were from a USB device. That is more than one out of every eight attempted infections – a number that really surprised me as I did the research. Our detection code for this malware is “INF:AutoRun-gen2 [Wrm]”. This malware is a worm that starts an executable file which then invites a wide array of malware into the computer. The incoming malware copies itself into the core of the Windows OS and can replicate itself each time the computer is started. Out of the total “INF:AutoRun-gen2 [Wrm]” attacks, 84% of the attempts were repelled by the on-access scans in the avast! System Shield. The malware was detected at the time when the USB device was initially connected. The remaining 16% were discovered during scans of the computer hard-drives. Here is our detection in the Virus Total results.
[Image: Virus Total results]
The makers of AutoRun are continually developing new ways to obfuscate their work, and I think they enjoy it. I have found the sentence “e23 w4 ar3 t43 pr1nc35 0f 39yp6” in some code. That basically means “We are the princes of crypt(ography)” in leetspeak. Another time, I found “;w3 4r3 81tch35, y0u c4nt st0p us!!”, which essentially translates as “We are bitches, you can’t stop us.” I thought about it: why are they doing it? Because they know that they are in the lead.
My Opinion
Why..... the hell ....
Doesn't Microsoft disable the "autorun" file altogether?
I could have sworn that "threat" was dealt with, it's ancient!
_________________
"The worst thing in life is attachment, it hurts when you lose it. The best thing in life is loneliness, it teaches you everything and when you lose it, you get everything."
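A defensive triage sketch for the point in the quoted Avast post that AutoRun files are easy to write but hard to read once padded with junk (an added example, not part of the thread and not Avast's detection code): it strips comment and filler lines from an autorun.inf and lists what the file would launch. The sample file, the function names and the 0.3 junk threshold are assumptions made for illustration.

```python
import re

# [autorun] keys that make Windows launch a program.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# Constructed sample (not real malware): filler lines around the real entries.
SAMPLE = r"""
;a8f3k2 qq1 zz0
[AuToRuN]
;zz91 qpwo eiru
  oPeN = recycler\setup.exe
;mmmm 0000 1111
sHeLL\open\CoMMand=recycler\setup.exe
lksdjf93 filler without a key
label=My Photos
"""

def triage_autorun(text):
    """Return (launch_commands, junk_ratio) for the text of an autorun.inf."""
    commands, section, total, junk = [], None, 0, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        total += 1
        if line.startswith(";"):            # comment, often used as padding
            junk += 1
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" not in line:               # not a key=value pair: filler
            junk += 1
        else:
            key, _, value = line.partition("=")
            if section == "autorun" and EXEC_KEYS.match(key.strip()):
                commands.append((key.strip().lower(), value.strip()))
    return commands, (junk / total if total else 0.0)

def looks_obfuscated(text, junk_threshold=0.3):
    """Launch entries plus heavy padding; the threshold is an assumed value."""
    commands, junk_ratio = triage_autorun(text)
    return bool(commands) and junk_ratio >= junk_threshold

if __name__ == "__main__":
    cmds, ratio = triage_autorun(SAMPLE)
    for key, value in cmds:
        print(f"{key:22} -> {value}")
    print(f"junk ratio: {ratio:.2f}, obfuscated: {looks_obfuscated(SAMPLE)}")
```

Keys and section names are matched case-insensitively because mixed case is itself a common way to dodge naive string matching.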
Devily Noob Student - Level 0


Subject: Re: Malware running on AutoRun
Fri Nov 05, 2010 2:35 pm
I have disabled autorun on both my PC and laptop.

- If you're using XP, you can follow these steps and get it deactivated forever:
1. Click Start and then click Run.
2. Type gpedit.msc and click OK.
3. The Group Policy window will open. In the left pane, double-click Administrative Templates.
4. In the right pane, double-click System.
5. Scroll down the list and double-click Turn Off Autoplay.
6. In the Turn Off Autoplay Properties window select Enabled.
7. From the dropdown next to Turn Off, select All drives and then click OK.
8. Exit Group Policy by selecting File, then choosing Exit from the menu.

- If you're using Vista, just check this link: http://www.howtogeek.com/howto/windows-vista/disable-autoplay-in-windows-vista/
_________________
Arrogance is educated intelligence.