Autorun.inf is widely used by worms as an autostart technique. Through this file, the worm is able to execute automatically whenever an infected drive is accessed. Over time, users have come up with workarounds that let them manually remove the malware file while preventing it from executing. Some of these are:
- Using command prompt to manually delete the file
- Disabling AutoPlay
- Using Windows Explorer (right-clicking then choosing Explore)
Similarly, malware authors continue to find new techniques to proliferate their malicious creations despite the workarounds users employ to prevent them from automatically running on their systems. One way this is done is through the use of autorun.inf's action key.
The action key is one of the parameters in autorun.inf and is supported only on removable and fixed drives. Its purpose is to specify the text that appears in the AutoPlay dialog for the handler representing the program named in the open or shellexecute entry of the media's autorun.inf file.
In order to bypass workarounds like disabling AutoPlay and using Windows Explorer, the worm abuses this parameter by setting the action key to text that imitates Windows' own AutoPlay options, such as:
- Open folder to view files
- Open folder to view files using Windows Explorer
One example of this is a thumb drive worm detected by Trend Micro as WORM_KOLAB.CQ, whose AutoRun code is shown below.
By setting action=Open folder to view files, the worm's entry in the AutoPlay dialog looks like the genuine "Open folder to view files" option, so the malware file is executed whenever a user tries to open an infected drive via Windows Explorer.
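The following script is an added example written for this post, not code from Trend Micro or from the WORM_KOLAB.CQ sample, which illustrates how a defender can inspect an autorun.inf and flag the action-key lure described above: an action text that copies Windows' own AutoPlay wording combined with an open or shellexecute entry that points at an executable. The sample autorun.inf, its RECYCLER path, the placeholder.exe file name and the "Contoso Reader" benign comparison are all constructed for the example and are not indicators from the page.

```python
"""Flag autorun.inf files whose action key imitates Windows' AutoPlay text.

Added example. The parser is hand-rolled rather than configparser-based so it
tolerates the loose formatting (odd casing, stray whitespace, backslash keys,
duplicate entries) commonly seen in autorun.inf files.
"""

# Constructed sample modelled on the lure described in the post. The file
# name and folder are placeholders, not the real worm's contents.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=RECYCLER\\placeholder.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\Command=RECYCLER\\placeholder.exe
"""

# Constructed benign comparison: an installer disc with its own action text.
BENIGN_AUTORUN_INF = """\
[autorun]
open=setup.exe
action=Install Contoso Reader
"""

# Action texts that copy Windows' default AutoPlay entries (from the post).
LURE_ACTION_TEXTS = {
    "open folder to view files",
    "open folder to view files using windows explorer",
}

# Extensions that Windows treats as directly runnable from an open= entry.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun_inf(text):
    """Return {section: {key: value}} for an autorun.inf body.

    Section names and keys are lowercased, surrounding whitespace is
    trimmed, ';' comment lines are skipped, and the last duplicate key wins.
    A UTF-8 BOM, if present, is stripped first.
    """
    sections = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # junk outside a section or a line with no key=value
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def analyze_autorun(text):
    """Return a list of human-readable findings for one autorun.inf body."""
    findings = []
    for name, entries in parse_autorun_inf(text).items():
        # [autorun] and architecture-specific variants such as [autorun.alpha]
        if not name.startswith("autorun"):
            continue
        action = entries.get("action", "")
        target = entries.get("open") or entries.get("shellexecute") or ""
        if action.lower() in LURE_ACTION_TEXTS:
            findings.append(f"[{name}] action text imitates Windows' AutoPlay entry: {action!r}")
        if target.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"[{name}] AutoPlay would launch an executable: {target!r}")
        for key, value in entries.items():
            # shell\<verb>\command entries add context-menu verbs to the drive
            if key.startswith("shell\\") and key.endswith("\\command"):
                findings.append(f"[{name}] context-menu verb {key!r} runs {value!r}")
    return findings


def is_action_key_lure(text):
    """True when a lure action text is paired with an executable target."""
    for name, entries in parse_autorun_inf(text).items():
        if not name.startswith("autorun"):
            continue
        action = entries.get("action", "").lower()
        target = (entries.get("open") or entries.get("shellexecute") or "").lower()
        if action in LURE_ACTION_TEXTS and target.endswith(EXECUTABLE_SUFFIXES):
            return True
    return False


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print(f"{label}: lure={is_action_key_lure(body)}")
        for finding in analyze_autorun(body):
            print("  " + finding)
```

The benign installer also launches an executable from its open entry, which is why the combination, rather than an executable target alone, is what is_action_key_lure reports: legitimate media name their own action text, while the lure copies the wording Windows uses for its folder-browsing option.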
As cybercriminals continue to find ways to make sure that their malware gets into target systems, it is important for users to take extra precautions to keep malware out of their systems. External devices such as digital picture frames, iPods and other MP3 players, PDAs, USB sticks, flash drives, and digital cameras can harbor malware that can cripple a home network. In the past, Trend Micro has reported on incidents in which threats were found to propagate via these devices:
- McDonald’s Japan Recalls Promotional MP3 Players
- Get Your IPOD Now—And Get a Free Worm!
- Digital Photo Frames Frame Up?
As mentioned earlier, simply disabling AutoPlay no longer cuts it. Extra steps such as monitoring where external devices are used and keeping all security software updated to combat potential threats should also be taken. For business users, security policies governing data access and the use of external devices should be put in place and enforced across the organization. Additional information about protecting removable devices from malware can be found in "How to Maximize the Malware Protection of Your Removable Drives."
Trend Micro™ Smart Protection Network™ protects users from this kind of threat by preventing the download and execution of AutoRun worms such as WORM_KOLAB.CQ on systems via the file reputation service.