Autorun

Name

Autorun

Detection names

Sophos W32/Autorun-BQJ, W32/Autorun-QN, W32/Autorun-ARS
Kaspersky Trojan.WinLNK.Runner.bl, Worm.Win32.AutoRun.pex, Worm.Win32.VBNA.iby
Avira Worm/Autorun.cwev, Worm/Autorun.pex, Worm/VBNA.iby
McAfee Generic!atr, Downloader-CJX.gen.g
Trend Micro LNK_DORKBOT.SMI, Mal_Otorun1, WORM_VB.SMP
Microsoft Worm:Win32/Dorkbot!lnk, Worm:Win32/Hamweq!inf, Worm:Win32/Vobfus.C
Symantec W32.IRCBot.NG, W32.Changeup

Affected OS or software

Microsoft Windows

Basic description

Autorun is a family of worms and viruses for the Windows platform. The family gets its name from its use of the Windows AutoRun functionality to execute automatically when an infected USB device is connected to a PC. Members of the Autorun family also use other methods of spreading, including file infection and traversing network shares.

Related links

Microsoft says good riddance to Autorun
Fake Microsoft update spreads worm

Defending against the threat

Autorun spreads predominantly via USB devices and network shares, so endpoint security is the key defense. Some variants have also been seeded into networks as email attachments, making email security a secondary defense against those variants.

Patches

Microsoft KB971029 - restricts AutoRun to CD/DVD media, so autorun.inf on USB sticks and other removable drives is no longer honoured

Sophos technologies

Sophos Endpoint Security provides detection of autorun worms and their associated behaviors.

Device control functionality of Sophos Endpoint Security can be used to prevent unauthorised USB devices from connecting to PCs.

Technical description

Autorun is a family of worms and viruses for the Windows platform. The family gets its name from its use of the USB autorun functionality to automatically execute when an infected USB device is connected to a PC. There are over 1,800 known variants in the Autorun family.

Autorun worms spread by USB device: they copy themselves onto the device under a random file name and write an autorun.inf file that points at that copy, so that the worm runs automatically when the device is inserted into a PC. In February 2011 Microsoft pushed an update (KB971029) that stops Windows honouring autorun.inf on USB and other non-optical removable media, but by then Autorun worms had already adopted other methods of spreading. For example, in addition to autorun.inf, some versions also created shortcuts on the USB device designed to tempt or fool a user into clicking on them. They used shortcut names such as Documents.lnk and Music.lnk to imitate commonly used folders, or names such as Passwords.lnk to pique a user's curiosity.
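The two removable-media artifacts described above (an autorun.inf that launches a dropped binary, and .lnk lures named after folders) can be checked for with a short triage script. The following is an added example, not Sophos code or part of this page: the lure-name list, the sample autorun.inf and the files it creates in a temporary "drive" are constructed for illustration.

```python
"""Triage a removable drive for Autorun-family artifacts: an autorun.inf that
launches a binary on insertion, and .lnk lures named after folders.  Added
example, not Sophos code; the lure list and sample files are constructed."""
import os
import tempfile

# [autorun] directives Windows acts on; any of them naming a file is a launch.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")
# Folder names and curiosity bait named in the text plus common defaults
# (assumed list; add whatever your own infected devices show).
LURE_STEMS = {"documents", "music", "pictures", "videos", "passwords",
              "my documents", "new folder"}

# Constructed sample resembling a worm's autorun.inf (mixed case and the
# comment line are deliberate; real ones also pad with junk lines).
SAMPLE_INF = """[AutoRun]
; constructed sample, not a real worm file
OPEN=zxqwe.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=zxqwe.exe
"""


def parse_autorun_inf(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun")
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launches(entries):
    """The file an autorun.inf would execute, or None if it only sets label/icon."""
    for key in EXEC_KEYS:
        if entries.get(key):
            return entries[key]
    return None


def find_lure_shortcuts(listing):
    """listing: iterable of (name, is_dir) from the drive root.  Return .lnk
    files whose stem matches a directory on the same drive (a Documents.lnk
    beside a real, typically hidden, Documents folder) or a known bait name."""
    dirs = {name.lower() for name, is_dir in listing if is_dir}
    lures = []
    for name, is_dir in listing:
        if is_dir or not name.lower().endswith(".lnk"):
            continue
        stem = name[:-4].lower()
        if stem in dirs or stem in LURE_STEMS:
            lures.append(name)
    return sorted(lures)


def scan_drive(root):
    """Run both checks on a mounted drive root; returns (launched, lures)."""
    listing = [(entry.name, entry.is_dir()) for entry in os.scandir(root)]
    launched = None
    for name, _ in listing:
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                launched = autorun_launches(parse_autorun_inf(fh.read()))
    return launched, find_lure_shortcuts(listing)


if __name__ == "__main__":
    # Build a throwaway "drive" so the script demonstrates itself offline;
    # on a real system pass the drive root (e.g. "E:\\") to scan_drive instead.
    with tempfile.TemporaryDirectory() as drive:
        os.mkdir(os.path.join(drive, "Documents"))
        for fname, body in (("autorun.inf", SAMPLE_INF), ("Documents.lnk", ""),
                            ("Passwords.lnk", ""), ("zxqwe.exe", ""), ("notes.lnk", "")):
            with open(os.path.join(drive, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
        launched, lures = scan_drive(drive)
        print("autorun.inf launches:", launched)   # zxqwe.exe
        print("lure shortcuts:", lures)            # ['Documents.lnk', 'Passwords.lnk']
```

The shortcut check deliberately does not parse the .lnk binary: a shortcut named after a folder that sits on the same drive as that folder is suspicious whatever it points to, and resolving the target is a second step for the analyst.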

Once running, the worm will typically install itself and add registry entries to ensure that it is run whenever a user logs on.

Registry entries are commonly created under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
or
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

The installed copy of the worm may use a name similar to that of a legitimate Windows process in order to evade casual inspection of the running tasks. For example W32/Autorun-BQJ uses the name svchots.exe, which is easily mistaken for the legitimate file svchost.exe.

Some versions of Autorun also use file infection as another means of spreading, attaching their own code to executable files that already exist on the computer.

After infecting a PC, Autorun worms will commonly attempt to download further malware or instructions. To do this the worms may modify Windows Firewall settings, typically adding an exception for their own executable, so that they can communicate with command and control servers.
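The host-side traces described above (Run-key persistence under a process-lookalike name or a user-writable path, and a firewall exception added for the same binary) can be triaged together. The following is an added example, not Sophos code or part of this page. The analysis works on plain strings so it runs anywhere; the process-name and writable-path lists are assumptions to extend, the registry paths are the Run keys named above plus the XP/2003-era AuthorizedApplications list that worms of that period edited, and the sample entries are constructed.

```python
"""Triage host-side traces of an Autorun infection: Run-key entries whose
image name imitates a Windows process or runs from a user-writable path, and
legacy Windows Firewall exceptions added for such a binary.  Added example,
not Sophos code; analysis works on plain strings so it runs on any OS."""
import ntpath
import os

RUN_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
# XP/2003 firewall exception list; each value reads <path>:<scope>:Enabled:<name>
FW_LIST = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
           r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
# System32-resident processes that worms imitate (assumed list, extend as needed)
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "spoolsv.exe")
# Path fragments a non-admin worm can write to (assumed list)
WRITABLE_HINTS = ("\\appdata\\", "\\application data\\", "\\temp\\",
                  "\\recycler\\", "\\$recycle.bin\\")
# Constructed samples: a svchots.exe lookalike, the real svchost, and a
# legitimate AppData-resident updater that this heuristic will also report.
SAMPLE_RUN = [
    ("Windows Update", r'"C:\Documents and Settings\user\Application Data\svchots.exe"'),
    ("netsvcs", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("OneDrive", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]
SAMPLE_FW = [
    r"C:\Documents and Settings\user\Application Data\svchots.exe:*:Enabled:svchots",
    r"C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer",
]


def levenshtein(a, b):
    """Plain edit distance; names are short so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(command):
    """Executable path from a Run-key command line: honour quotes, otherwise
    take the first token (the same ambiguity Windows has with unquoted spaces)."""
    command = command.strip()
    end = command.find('"', 1)
    if command.startswith('"') and end > 0:
        return command[1:end]
    return command.split(" ", 1)[0]


def classify(path):
    """Reasons an autostart or firewall-exception path looks like a worm."""
    low = path.lower()
    name = ntpath.basename(low)
    reasons = []
    if name in SYSTEM_NAMES:
        if "\\windows\\system32\\" not in low:
            reasons.append(f"{name} outside System32")
    else:  # a lookalike is within two edits of a real name but is not one
        for legit in SYSTEM_NAMES:
            dist = levenshtein(name, legit)
            if dist <= 2:
                reasons.append(f"name imitates {legit} (edit distance {dist})")
    if any(hint in low for hint in WRITABLE_HINTS):
        reasons.append("runs from a user-writable location")
    return reasons


def triage(run_entries, firewall_values):
    """Return (source, entry name, reason) tuples for everything suspicious."""
    findings = []
    for name, command in run_entries:
        findings += [("run", name, r) for r in classify(image_path(command))]
    for value in firewall_values:
        # rsplit keeps the drive-letter colon inside the path
        path, _scope, state, display = value.rsplit(":", 3)
        if state.lower() == "enabled":
            findings += [("firewall", display, r) for r in classify(path)]
    return findings


def enum_values(full_key):
    """Windows only: (name, data) for every value under an HKLM/HKCU key."""
    import winreg
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    hive, _, sub = full_key.partition("\\")
    out = []
    try:
        with winreg.OpenKey(roots[hive], sub) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _type = winreg.EnumValue(key, i)
                out.append((name, str(data)))
    except OSError:  # key absent, e.g. no legacy firewall list on newer Windows
        pass
    return out


if __name__ == "__main__":
    if os.name == "nt":
        run = [v for key in RUN_KEYS for v in enum_values(key)]
        fw = [data for _name, data in enum_values(FW_LIST)]
    else:
        run, fw = SAMPLE_RUN, SAMPLE_FW
    for source, entry, reason in triage(run, fw):
        print(f"[{source}] {entry}: {reason}")
```

On a live Windows host the script reads the real Run keys and, where it still exists, the legacy firewall list; elsewhere it runs over the constructed samples. The user-writable-path rule is intentionally noisy on modern Windows (per-user installers such as the OneDrive sample live in AppData), so the lookalike-name and System32 checks are the findings to act on first; on Windows Vista and later the equivalent firewall exceptions are listed by netsh advfirewall rather than in the registry key above.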