Sophos


The Conflict of Autorun.inf

UPDATE: 20 Jan 10.00 GMT. See below.

SophosLabs received a new sample associated with the Conficker worm (1, 2) today. We first saw an Autorun.inf associated with Conficker earlier this month (W32/Confick-D). The Autorun.inf allows Conficker to spread by USB devices and remote drives (advice on how to combat USB-aware malware is here).

As has been mentioned on the F-Secure blog (they call it Downadup), Conficker’s Autorun.inf files look like random binary garbage. However, on closer inspection the files are valid.

After removing the ‘garbage’ the Autorun.inf for W32/Confick-D looked like this:

Today’s sample, however, was slightly different. Instead of the ‘Open folder…’ action text, this time the action text was in German.

This wasn’t surprising as the sample came from Germany. However, it is the first time we have seen an Autorun.inf being generated dynamically in this manner by malware. W32/Confick-D has been updated.
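The 'remove the garbage' step described above can be sketched as a small triage routine. This is an added example, not SophosLabs' code and not the actual Conficker file: the samples are constructed, the program name is a placeholder, and the function name `triage`, the key lists and the 0.5 junk threshold are assumptions.

```python
import re

EXEC_KEYS = {"open", "shellexecute"}            # directives that launch something
OTHER_KEYS = {"action", "icon", "label", "useautoplay"}
KV_RE = re.compile(r"^([A-Za-z\\]+)\s*=\s*(.+)$")

# Constructed samples (not the real Conficker file): high-byte junk lines
# interleaved with a valid [autorun] section; the program name is a placeholder.
SAMPLE_EN = (b"\x8f\xa1\xf3\x9c\xd2\r\n[AutoRun]\r\n\xe4\x90\xbb\r\n"
             b"Action=Open folder (constructed)\r\n\xc7\x88\xfa\xa0\r\n"
             b"shellexecute=PLACEHOLDER.exe\r\n\x99\xde\x81\r\n")
SAMPLE_DE = SAMPLE_EN.replace(b"Open folder", "Ordner \u00f6ffnen".encode("latin-1"))
CLEAN = b"[autorun]\r\nicon=setup.ico\r\nlabel=Install disc\r\n"


def triage(raw: bytes, junk_threshold: float = 0.5) -> dict:
    """Strip non-directive lines and flag junk-padded files that launch a program."""
    directives, in_autorun, junk, total = {}, False, 0, 0
    for line in re.split(rb"[\r\n]+", raw):
        text = line.decode("latin-1").strip()
        if not text:
            continue
        total += 1
        if text.startswith("[") and text.endswith("]"):
            in_autorun = text[1:-1].strip().lower() == "autorun"
            continue
        m = KV_RE.match(text)
        key = m.group(1).lower() if m else ""
        if in_autorun and (key in EXEC_KEYS | OTHER_KEYS or key.startswith("shell\\")):
            directives[key] = m.group(2).strip()
        else:
            junk += 1
    launches = sorted(k for k in directives if k in EXEC_KEYS or k.startswith("shell\\"))
    ratio = junk / total if total else 0.0
    # Decision uses structure only, never the action text, so a localized
    # (e.g. German) action string gives the same verdict as the English one.
    return {"directives": directives, "launches": launches,
            "junk_ratio": round(ratio, 2),
            "suspicious": bool(launches) and ratio > junk_threshold}


if __name__ == "__main__":
    for name, data in (("EN", SAMPLE_EN), ("DE", SAMPLE_DE), ("clean", CLEAN)):
        print(name, triage(data))
```

Because the verdict depends on the junk ratio and the presence of a launching directive, a check like this does not need updating when the action text changes language.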

Update:
Based on further analysis of this threat over the weekend, SophosLabs released Mal/ConfInf-A last night.

