Internet Security Blog - Hackology

Explaining: Autorun.INF/AutoPlay & Downadup USB Worm

USB worms work by creating a file called AUTORUN.INF in the root of USB drives. These INF files then use AutoRun or AutoPlay (not the same thing!) to execute themselves either when the stick is inserted or, more commonly, when the user double-clicks the USB drive icon in My Computer (Windows Explorer).

[Screenshot: Removable USB drive]

Such malicious AUTORUN.INF files are easy to spot. Here's what they typically look like:

[Screenshot: Typical Autorun.INF]

But Downadup does not create files like this. What it drops on USB drives are AUTORUN.INF files that look like this:

[Screenshot: Downadup Autorun.INF]

So, that's binary garbage. It won't work. Right?

Look closer.

[Screenshot: Downadup Autorun.INF, zoomed in]

The noteworthy text is found somewhere around the middle of this 90 kB file, at the bottom of the screenshot. See it?

Open=RUNDLL32.EXE .\RECYCLER\jwgvsq.vmx

which executes a DLL called jwgvsq.vmx (through rundll32) from the hidden RECYCLER folder on the USB drive.

The rest of the binary junk consists of comments and is ignored by Windows. And of course, the file size and the amount of binary junk are different every time.
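As an added example (not code from the original post), here is a small Python scanner that reads an AUTORUN.INF the way a tolerant INI parser would, skips the comment and junk lines, and flags the traits described above: a rundll32 launch, a target inside the RECYCLER folder, an extension a DLL would not normally carry, and a file that is mostly non-text. Both samples inside it are constructed; the junk is about 2 kB rather than the 90 kB of the real file.

```python
"""Scan an AUTORUN.INF for a launch command hidden among binary junk.

Added example, not code from the original post. It reads the [autorun] section
the way a tolerant INI parser would (';' comment lines and lines that are not
key=value pairs are skipped) and then applies defender-side heuristics to the
launch keys it finds. Both samples below are constructed.
"""
import re

LAUNCH_KEYS = ("open", "shellexecute")                      # keys that run a program
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command
HEADER_RE = re.compile(r"^\[([^\]]*)\]$")
NORMAL_EXTENSIONS = {"exe", "com", "bat", "cmd", "dll"}

# Binary junk with CR/LF removed so each run of junk stays on one comment line.
JUNK = bytes(b for b in range(256) if b not in (0x0A, 0x0D)) * 8

# Shape described in the post: the launch line sits between runs of junk.
DOWNADUP_STYLE_INF = (
    b"[autorun]\r\n;" + JUNK + b"\r\n"
    + b"Open=RUNDLL32.EXE .\\RECYCLER\\jwgvsq.vmx\r\n"
    + b";" + JUNK + b"\r\n"
)

# Traditional, human-readable autorun.inf for comparison (constructed).
PLAIN_INF = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\nlabel=Driver CD\r\n"


def parse_autorun(data: bytes) -> dict:
    """Return {key: value} for the [autorun] section, lower-casing keys.

    Decoding as latin-1 maps every byte to one character, so junk never
    raises; lines that are neither headers nor key=value pairs are dropped.
    """
    section = None
    entries = {}
    for raw in re.split(r"\r\n|\r|\n", data.decode("latin-1")):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                               # blank or comment: the junk lives here
        header = HEADER_RE.match(line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue                               # junk line, or a key outside [autorun]
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def junk_ratio(data: bytes) -> float:
    """Fraction of bytes that are neither printable ASCII nor TAB/CR/LF."""
    if not data:
        return 0.0
    text_bytes = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
    return sum(b not in text_bytes for b in data) / len(data)


def assess_autorun(data: bytes) -> dict:
    """Parse the file and return its launch commands plus a list of findings."""
    entries = parse_autorun(data)
    commands = {k: v for k, v in entries.items()
                if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)}
    findings = []
    ratio = junk_ratio(data)
    if ratio > 0.10:
        findings.append(f"binary padding: {ratio:.0%} of the file is non-text")
    for key, cmd in commands.items():
        low = cmd.lower()
        if "rundll32" in low:
            findings.append(f"{key}: loads a DLL through rundll32 ({cmd})")
        if "recycler" in low or "system volume information" in low:
            findings.append(f"{key}: target sits in a folder Explorer hides ({cmd})")
        # The last token is the file to run; rundll32 may append ",EntryPoint".
        target = (cmd.split() or [""])[-1].partition(",")[0]
        basename = re.split(r"[\\/]", target)[-1]
        ext = basename.rsplit(".", 1)[-1].lower() if "." in basename else ""
        if ext and ext not in NORMAL_EXTENSIONS:
            findings.append(f"{key}: executable has unusual extension .{ext}")
    return {"commands": commands, "findings": findings}


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_INF), ("downadup-style", DOWNADUP_STYLE_INF)):
        report = assess_autorun(sample)
        print(name, report["commands"])
        for finding in report["findings"]:
            print("  !", finding)
```

Run it on a file read in binary mode (`assess_autorun(open(path, "rb").read())`); the plain sample yields no findings, while the Downadup-style sample is flagged four times. The parser deliberately ignores anything it cannot parse instead of rejecting the file, because that is the tolerance the worm relies on: a scanner that gives up on the first unreadable byte would miss exactly the line that matters.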

Nice?

What to do now?

Open Group Policy by running gpedit.msc and turn off AutoRun for all drives in Windows.

But USB drives don't AutoPlay. It's the AutoRun action via Windows Explorer (double-clicking the drive) that typically infects people.

Now let's disable AutoRun:

Disabling AutoRun is something we think everyone should do, not only for protection against viruses and spyware, but also so you'll never have to deal with being unable to listen to your music on your devices. Here's how to do it in Windows XP.

  • In Windows, click Start, then click Run
  • Type regedit and click OK
  • In regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom
  • Double-click the "Autorun" DWORD value; it is set to 1 by default, change it to 0 and click OK
  • Restart.

If you can't go through all of this, then you can try the following instead:

From the Start menu, click Run and enter gpedit.msc (the Group Policy editor named above)


Select 'Administrative Templates / System'

Double-click 'Disable autoplay' in the right pane and apply it to all drives
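Both procedures above, collected into one .reg file as an added example (not from the original post) that can be imported with regedit. The first value is exactly the step in the list above. The second, NoDriveTypeAutoRun, is my addition and goes beyond the post's own steps: it is the value that the "all drives" Group Policy setting writes, and it matters for USB sticks because the Cdrom service's Autorun value only affects CD/DVD drives. A restart (or at least restarting Explorer) is needed for either to take effect.

```reg
Windows Registry Editor Version 5.00

; Step from the post: the Cdrom service's Autorun value, 1 by default, set to 0.
; This only governs CD/DVD media-change notification.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"Autorun"=dword:00000000

; Registry equivalent of the "all drives" Group Policy setting applied through
; gpedit.msc (my addition, not a step in the post): the bit mask 0xFF covers
; every drive type, removable USB drives included.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
```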

Hope this keeps things a little under control 🙂


