Picked this up this morning – worth having a look
W32/VBNA-X worm spreads quickly through networks and removable media
SophosLabs researchers have noticed a significant increase in the spread of malware we call W32/VBNA-X (among other names).
Several other vendors, including McAfee (W32/Autorun.worm.aaeb) and Symantec (W32.ChangeUp), have been alerting their customers as well. While the basic components of this malware have been around for some time, it has become considerably more aggressive in its latest iteration.
W32/VBNA-X is a worm, but also exhibits characteristics typically found in a Trojan. Its most obvious method of spreading appears to be through the use of autorun.inf files dropped on removable media and writable network shares.
You would hope this technique wouldn’t be too effective on today’s PCs, though. Microsoft released updates for XP, 2003 and Vista in February 2011 to disable Autorun on all media aside from “shiny discs.”
It is still not a bad idea to disable Autorun/Autoplay more completely. This is quite easy to do by following Microsoft’s instructions, which include a “FixIt.”
Most PCs will ignore autorun.inf files these days, so people must be clicking on the malware itself, but why?
It appears to be a cocktail of clever social engineering, poor default settings and user carelessness.
After creating the autorun.inf file to catch unpatched victims, the worm begins to enumerate all of the file and folder names on writable shares and removable devices.
For example, say your E: drive is a network share with folders named au and r and files named as.txt and Adobe.pdf.
The worm will set the hidden attribute on all of these and set a registry key to ensure hidden files are not displayed.
Then it will create copies of itself called Porn.exe, Sexy.exe, Passwords.exe and Secret.exe in addition to creating a copy of itself for each legitimate file and folder present on the volume.
The duplicates of the original folders and files will have their icons set to the standard folder icon in Windows 7.
Further details available here
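A defender-side triage of the pattern described above, as an added example that is not part of the original post or the vendor write-up: it flags autorun.inf, the four lure names, and any visible .exe whose name matches a hidden file or folder in the same directory. The copy-naming rule (`<name>.exe` or `<stem>.exe`), the `Entry` record, the function names and the sample listing are assumptions constructed for illustration.

```python
import os
import stat
from collections import namedtuple

# One directory entry: name, is it a folder, is the hidden attribute set.
Entry = namedtuple("Entry", "name is_dir hidden")
# Lure file names listed in the write-up above.
LURES = {"porn.exe", "sexy.exe", "passwords.exe", "secret.exe"}

def list_dir(path):
    """Build Entry records for a real directory (hidden bit is only readable on Windows)."""
    entries = []
    with os.scandir(path) as it:
        for e in it:
            attrs = getattr(e.stat(follow_symlinks=False), "st_file_attributes", 0)
            entries.append(Entry(e.name, e.is_dir(follow_symlinks=False),
                                 bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return entries

def triage(entries):
    """Return sorted (reason, name) findings for one directory listing."""
    # Names a copy could impersonate (assumption: "<name>.exe" or "<stem>.exe").
    hidden_names = set()
    for e in entries:
        if e.hidden:
            hidden_names.add(e.name.lower())
            if not e.is_dir:
                hidden_names.add(os.path.splitext(e.name)[0].lower())
    findings = []
    for e in entries:
        low = e.name.lower()
        if e.is_dir:
            continue
        if low == "autorun.inf":
            findings.append(("autorun.inf present", e.name))
        elif low in LURES:
            findings.append(("lure name", e.name))
        elif low.endswith(".exe") and not e.hidden and low[:-4] in hidden_names:
            findings.append(("visible .exe shadows hidden item", e.name))
    return sorted(findings)

# Constructed listing modelled on the E: drive example above, plus one benign installer.
SAMPLE = [
    Entry("au", True, True), Entry("r", True, True),
    Entry("as.txt", False, True), Entry("Adobe.pdf", False, True),
    Entry("autorun.inf", False, True), Entry("Porn.exe", False, False),
    Entry("au.exe", False, False), Entry("r.exe", False, False),
    Entry("as.txt.exe", False, False), Entry("Adobe.exe", False, False),
    Entry("setup.exe", False, False),
]
```

`triage(SAMPLE)` reports six findings and leaves `setup.exe` alone; on a Windows host, `triage(list_dir("E:\\"))` applies the same checks to a real volume root.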