
Virus Profile: W32/Autorun.worm.df

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 20/06/2008
Date Added: 20/06/2008
Origin: N/A
Length: Varies
Type: Virus
Subtype: Worm
DAT Required: 5322

Description

This description is for worms that are created using a Tool-Kit, which is detected as Htool-T2W.
 
Worms created using this Tool-Kit are capable of spreading through removable devices.

The characteristics of this worm, such as file names and folders created, differ from one version to another. Hence, this is a general description.

Indication of Infection

Presence of an autorun.inf file on the root of removable and fixed drives, similar to the one below:

Methods of Infection

This worm spreads by copying itself to network shares and to removable devices, along with an “Autorun.inf”.

Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the “Autorun.inf” file could cause automatic execution of the worm.

Aliases

Backdoor.Generic.31058 [BitDefender], BackDoor.Generic9.ABBX [AVG], BKDR_ABBX.A [TrendMicro], Constructor.Win32.VB.ec [Kaspersky], Trojan.DR.VB.EEGB.Gen [VirusBuster], Trojan.Dropper-6511 [ClamAV], Trojan.Win32.Agent.cnd [Ikarus], Trojan.Win32.Agent.cnd [VBA32], W32/Smalldoor.BBOI [Norman], Win32/VB.EC [Nod32]
   

Virus Characteristics

Worms created using this Tool-Kit can typically drop files into the %system% folder. The worm can also drop a copy of itself along with an AutoRun.inf configuration file in all removable devices, the root of all fixed drives and the system folders.

"Autorun.inf" is a text-based configuration file which instructs the Windows operating system to perform some action upon opening a network shared drive, local folder, floppy drive, CD-ROM drive or the insertion of a removable disk drive.
This configuration file is usually intended as a convenience feature; however, it is often misused by malware authors to create malware that spreads automatically without any user interaction.
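The following triage helper is an added example, not part of the original profile or any vendor tooling. It parses the text of an autorun.inf file recovered from a drive root and reports the entries that would start a program. The sample content and the function names `parse_autorun` and `launch_findings` are constructed for illustration.

```python
import re

# Keys in the [autorun] section that make Windows start a program.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")

# Constructed sample; trojan.exe is the placeholder name used in this profile.
SAMPLE = r"""
; constructed autorun.inf for illustration
[AutoRun]
open=trojan.exe
shell\open\command="trojan.exe" /s
icon=%SystemRoot%\system32\shell32.dll,4
label=Removable Disk
"""
BENIGN = "[autorun]\nicon=setup.ico\nlabel=Install Disc\n"

def parse_autorun(text):
    """Return {key: value} from the [autorun] section (names are case-insensitive)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_findings(text):
    """List (key, program, looks_executable) for each entry that starts a program."""
    findings = []
    for key, value in parse_autorun(text).items():
        if EXEC_KEYS.match(key):
            # Program is the quoted string, or else the first whitespace-delimited token.
            m = re.match(r'"([^"]*)"|(\S+)', value)
            program = (m.group(1) or m.group(2) or "") if m else ""
            findings.append((key, program, program.lower().endswith(EXEC_EXTS)))
    return findings

if __name__ == "__main__":
    for key, program, risky in launch_findings(SAMPLE):
        print(f"{key} -> {program} (executable: {risky})")
```

An autorun.inf that carries only `icon` and `label` entries yields no findings, which separates ordinary installation media from files that launch a program from the drive root.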

Note:

  • %System% is a variable that refers to the System folder.
    By default, this is C:\Windows\System32 for Windows XP

The worm can also create a startup entry which will enable the worm’s execution at system startup. An example of such an entry would be:

  • HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
    Data: Trojan
    Value: C:\Windows\system32\trojan.exe

Miscellaneous Information:

Users who want to prevent worms from executing without any user interaction through an “AutoRun.inf” file can disable the Windows AutoRun feature completely with the help of the Windows Group Policy editor (Gpedit.msc).


A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
