AutoInf

Name

AutoInf

Detection names

Mal/AutoInf-A, Mal/AutoInf-B, Mal/AutoInf-C [Sophos]

Worm.Win32.AutoRun, Trojan.Win32.AutoRun [Kaspersky]

TR/Virtool.INF.Autorun, TR/AutorunINF, TR/Autorun [Avira]

Generic!atr, Generic Autorun!inf.g [McAfee]

TROJ_AUTORUN [Trend Micro]

Worm:Win32/Autorun!inf, VirTool:INF/Autorun.gen [Microsoft]

Trojan.Gen, Trojan Horse [Symantec]

Affected OS or Software

Microsoft Windows

Basic description

AutoInf is a component used by many malware families, notably Conficker, Sality and AutoRun. AutoInf is used to automatically run associated malware from removable media such as USB drives.

Technical description

AutoInf is the malicious use of an autorun.inf file, usually on removable media. On unpatched Microsoft Windows computers, the operating system interprets the autorun.inf file and automatically follows the commands it contains when a device is connected. Usually this means that malware on an infected device is run without any further user interaction. Older worms use this as a means of spreading from computer to computer via USB drives. They may also create these files on network drives. Microsoft issued a patch disabling autorun by default in February 2011, but AutoInf is still commonly seen because older worms use it and continue to propagate across unpatched computers.

Even when autorun is disabled, versions of Windows before Windows 7 may display the autorun action as an available option in an AutoPlay dialog. Some versions of AutoInf also use a deceptive name and icon in this dialog in order to confuse users into selecting a dangerous action. This is usually done by creating a duplicate entry for the "Open folder to view files" action.

[Image: Conficker AutoPlay dialog]
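A defender-side check for the two behaviours described above, added here as an example and not taken from Sophos or any other vendor's detection logic: it parses the text of an autorun.inf file and reports keys that launch a program, plus an action label that imitates "Open folder to view files". The function names, the sample file contents and the payload name are constructed for illustration.

```python
import re

# Keys in the [autorun] section that cause a program to be launched.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# AutoPlay label that deceptive files imitate (quoted in the text above).
DECOY_LABEL = "open folder to view files"


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, skipping comment lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def assess(text):
    """List findings for the content of one autorun.inf file."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if EXEC_KEYS.match(key):
            findings.append(f"runs a command via {key}: {value}")
    action = entries.get("action", "")
    if DECOY_LABEL in action.lower():
        findings.append(f"AutoPlay entry imitates a built-in action: {action!r}")
    return findings


# Constructed samples (not taken from any real malware sample).
SUSPICIOUS = """\
;x9Qa constructed padding line
[AutoRun]
Action=Open folder to view files
Icon=folder.ico
ShellExecute=example_payload.exe
"""
BENIGN = "[autorun]\nicon=setup.ico\nlabel=Vendor Drivers\n"

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, assess(sample) or "no findings")
```

A launch key on its own is also used by legitimate installers, so the decoy label is the stronger signal when triaging removable media.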

Defending against the threat

Microsoft disabled autorun functionality on Windows operating systems in a patch issued in February 2011. Ensuring that the computer is fully patched will minimise the effects of AutoInf.

Patches

Microsoft KB971029 - Disable autorun

Sophos technologies

Sophos Endpoint Security provides detection of AutoInf and associated malware.
Device control functionality of Sophos Endpoint Security can be used to prevent unauthorised USB devices from connecting to PCs.