Conficker’s Autorun.inf

Sophos posted a blog entry today about a new sample of Conficker worm. The worm uses Autorun.info to spread by USB and remote/detachabble drives. It is detected as W32/Confick-D.

The entry includes two screenshots. One showing what Autorun.inf for W32/Confick-D looks like after removing the word ‘garbage’.

The second screenshot shows a german sample. The phrase/action ‘Open folder…’ is replaced.

The author of the entry, Pob, notes that this is the first time that that his team have seen Autorun.inf is being generated dynamically.

Source: Sophos

Join 15,600+ other happy readers and subscribe to Technibbles Email Digest and receive new posts sent directly to your inbox. All new signups get a copy of our Computer Technicians Quick Reference Guide free. Signup Now!

Your Blogmaster is Lee
Lee is a computer enthusiast and technology writer.

Other Blog posts by Lee

Jimmy James says:

July 5th, 2009 at 1:04 am

A great way to protect against ‘autorun.inf’ threats is to make a folder called ‘autorun.inf’ in the root of the drive. Anything that tries to save an autorun is redirected to this folder, and thus it doesn’t autorun. Remember that this won’t protect you from every threat, things such as ‘virut’ will infect all your exe’s, but can usually be cleaned using DrWeb CureIT in UBCD4WIN