Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Autorun.inf is prevalently used by worms as an autostart technique. Through this file, the worm is able to automatically execute whenever an infected drive is accessed. Over time, users have been able to think of workarounds to manually remove the malware file while preventing it from executing. Some of these are:

    • Using command prompt to manually delete the file
    • Disabling AutoPlay
    • Using Windows Explorer (right-clicking then choosing Explore)

    Similarly, malware proponents also continue to find new techniques to proliferate their malicious creations despite workarounds that users employ to prevent them from automatically running on their systems. One way by which this is done is through the use of autorun.inf’s Action Key.

    Action Key is one of the parameters in autorun.inf, which is only supported in removable and fixed drives. Its main purpose is to specify the text that appears in the AutoPlay dialog for the handler representing the program specified in the open or shellexecute entry in the media’s autorun.inf file.

    Click for larger view Click for larger view

    In order to bypass workarounds like disabling AutoPlay and using Windows Explorer, the worm utilizes this parameter by declaring a text in the Action Key, which may be any of the following:

    • Open folder to view files
    • Open folder to view files using Windows Explorer

    On example of this is a thumb drive worm detected by Trend Micro as WORM_KOLAB.CQ whose AutoRun code is shown below.

    Click for larger view

    By using the action=Open folder to view files, the malware file is then executed whenever a user tries to open an infected drive via Windows Explorer.

    As cybercriminals continue to find ways to make sure that their malware gets into target systems, it is important for users to also take extra precaution to prevent malware from getting into their systems. External devices such as digital picture frames, iPods and other MP3 players, PDAs, USB sticks, flash drives, and digital cameras can harbor malware that can cripple a home network. In the past, Trend Micro has already reported about incidents wherein threats were found to propagate via these devices:

    As mentioned earlier, simply disabling AutoPlay just does not cut it anymore. Extra steps such as monitoring where external devices are used and updating all security software to combat potential threats should also be taken. For business users, security policies regarding data access and the use of external devices should be employed and enforced across the organization. Additional information about malware-protecting removable devices can be found in “How to Maximize the Malware Protection of Your Removable Drives.”

    Trend Micro™ Smart Protection Network™ protects users from this kind of threat by preventing the download and execution of AutoRun worms such as WORM_KOLAB.CQ on systems via the file reputation service.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    • Roland Dela Paz

      Thanks for sharing us these procedures.

      After successfully disabling Autoplay in your machine, it is also a good practice to first open your removable drive via command prompt and look for suspicious files using the command "attrib". Usually, malware files have the following attributes, or any combination of the following:


      You may also check hidden folders using the command "dir /ah". I personally practice this since worm malware like the one described above will automatically execute by just merely opening the drive via Windows Explorer (even w/o Autoplay).

    • Mpu-elcom

      I use gpedit.msc to turn off autoplay.Type gpedit.msc dimenu run windows xp or 2000 Professional, select Administrative templates-> system, double-click Turn off Autoplay select enabled select turn off autoplay on All Drives then click ok.

      Or type in regedit select HKEY_CURRENT_USER-> Software-> Microsoft-> Windows-> CurrentVersion-> Policies-> Explorer . make in the right NoDriveTypeAutoRun DWORD value with a value of data ff then ok.

    • Pingback: Virus and Malware Removal Services in Dallas – Ft Worth Metro Area » Blog Archive » New AutoRun Worms Utilize Action Key()


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice