Worm.Win32.AutoRun

General Explanation

Type: Worm

Degree of destruction: high

Prevalence: high

What is the Worm?

Computer worms such as Autorun are types of malware that are capable of reproduction. For permanence, worms set ways to maintain the infection in each system boot. The prominent feature of worms is in their distribution which is generally perform through portable drive and shared directories in the network.

What is AutoRun malware?

This malware is a worm that proceeds to store system data and sends the stored data to the attacker.  This type of malware distributes through portable drives and usually creates Autorun.inf files in the portable files, and as it is obvious by its name, these files are used to automatically execute malicious files that are placed in the portable drives. Unfortunately, today, a vast majority of malware use autorun files to distribute themselves.

Technical Explanation

In some examples, this malware has a Keylogger module that will save pressed keys by the keyboard. The activity of the Keylogger is to create a file with .info extension and store information in this file. Also, malware will run in every system boot; this malware checks the type of different drives and if the drives are portable, it will hide the folders included in the portable drive. The malware will compare its executing processes with the list of security software and if the list is comprising of the executing processes, it will end the execution of the mentioned processes.

Signs of infection

  1. Changing the registry keys and convert them to Supper Hidden and Hidden for three execution files made by malware
  2. Hiding the existence folder in the portable drives.
  3. This malware will place its execution files in the following registry to keep its permanence:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. It is looking for a portable drive, then it will hide all the folders that are included in the drive and creates an exe file from them.
  5. It will create the following files in the Flash Drive, as well as a copy of the original malware and an autorun.inf file.
  6. Copying an infected file on all drives and creating a link to it by using an autorun.inf file.

How to deal with it and disinfect the system

By UMP capability that is a part of behavioral protection, Padvish can prevent the system from infection through a portable drive. Therefore, to prevent infection to all types of malware that transfer through portable drives such as Autorun malware, it is recommended to install Padvish and prevent malware from entering and infecting the system.

If your system is infected by the AutoRun malware, follow these steps:

  1. Install Padvish antivirus on your system
  2. Connect the portable drive to your system
  3. Scan the portable drive with Padvish to disinfect your portable drive and infected system

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>