Internet Security Blog - Hackology

Explaining:Autorun.INF/AutoPlay & Downadup USB Worm



USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay(not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer).

Removable USB Drive

Such malicious AUTORUN.INF files are easy to spot. Here’s what they typically look like:

Typical Autorun.INF

But Downadup does not create files such as this. What it drops on USB drives are AUTORUN.INF files that look like this:

Downadup Autorun.INF

So, that’s binary garbage. Won’t work. Right?

Look closer.

Downadup Autorun.INF

The noteworthy text is found somewhere around the middle of this 90kB file. At the bottom of the screenshot. See it?

Open=RUNDLL32.EXE .\RECYCLER\jwgvsq.vmx

which would execute a DLL called jwgvsq.vmx from a hidden folder on the USB drive.

The rest of the binary junk are comments and will be ignored by Windows. And of course, the file size and amount of binary junk is different every time.

Nice trick.eh ?

What to DO Now ?

Go to Group Policy by runnning gpedit.msc to turn off AutoRun for All the Drives in Window.

But USB drives don’t autoplay. It’s an Autorun action via Windows Explorer that typically infects people.

Now lets Disable AutoRun : 

Disabling Auto-Run is something we think everyone should do, not only for security from viruses and spyware, but so you’ll never need to deal being unable able to listen to your music on your devices. Here’s how to do it in Windows XP.

  • In Windows Click Start, then Click Run
  • Type regedit, Click OK
  • In regedit – Click > HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Services> Cdrom> reg
  • Double click “Autorun” the value is set to 1 by default, change it to zero.
  • dword, Click OK
  • Restart.

If you can’t go with all this then you can try doing this :

From the start menu, click run and enter

GPEDIT.MSC

Must Read:  One Plus 3 Launched with stunning features

Select ‘Administrative templates / System’

double click on ‘Disable autoplay’ in the right pane

Hope this keeps things a little under control 🙂

 

 

14 comments

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • Thanks for the tip. From what I have read on the net, this is one serious worm. So by turning off this feature, it prevents the virus from automatically running from the usb. So I would then scan the flash drive before opening it. Thanks.

  • How safe is this procedure?
    When you say you’ll never need to deal being unable able to listen to your music on your devices what do you mean?

  • by now no matter how sure i am I dont double click in My Computer to open a flash drive, always write the drive letter on the address bar ensuring no autorun takes place on public computers…

    @Scared
    yup using a mash up of old techniques and methods combining to messing up again - why people make such stuff 🙂

    @Brain
    well when you know the first thing autoplay do scanning available items here and there- why not to put it in open media player and play 🙂

  • hi,

    that thing was driving me nuts, every time i plugged any usb in avast was reporting the virus/worm and no matter what i did i couldn’t make it stop (this is because it keeps replicating itself, right?) so i did what you said and now it finally stopped. thank you. i just didn’t get this double-click part, i shouldn’t use double click when opening usb drive from explorer or what? do i still have that worm if i just disabled autorun and autoplay? how do i get rid of it?

  • glad it worked..
    even i know in my computer autoplay is disabled… BUT when i open My Computer and putting in an unknown USB .. I usually enter the Flash Drive letter in the address bar.. who knows double clicking it runs that worm .. ? …
    to keep an eye on this you can use Spy-Bot (http://www.safer-networking.org/) which shows each registry change … care is all we can do ..

    Thanks

  • hey, unfortunately it worked until the next restart :mrgreen:

    but thank you.

    i have disabled autorun and autoplay like you said but when i plug in a usb it actually opens the window asking what to do. should that happen?

    but anyway, i managed to solve my problem. the cmd prompt thing in safe mode with attrib -s -h -r and del afterwords didn’t work. neither did reformatting of the stick. i guess the worm/virus gets into the drive right? but this can’t be seen unless usb is plugged in. so i downloaded something called autorun eater and also replaced my avast with antivir. anitvir found some bas things so i deleted those 😀 and autorun eater worked. but i also had to erase the recycler file (that’s the worms home 👿 ) in usb drive (which is normally hidden). i did this by right click -> properties -> unmarked “read only” -> delete! success! i did the same thing with my other stick and reformatted it afterward just in case 😀
    they both work great. i just wanted to share this 🙂
    i think i know where i got the worm - when i went to get some photos done.
    so i need some good protection for my usbs, do you have any suggestions?

  • @ An4 :
    1. plugin your USB
    2. Start -> Run (Or type in search box if you have Vista/Windows 7)
    3. type X:\autorun.inf where X is the drive letter of your USB drive
    4. note the .exe files and use command prompt to delete them.
    5. delete autorun.inf using the command prompt at the end !!
    6. Scan your USB now, remove, plug it back in, scan again and you will be good to go !!

  • @fadi:

    thanx. my usbs are fine now, like i said, i found a way to solve it 🙂 i was wondering if there is anything i can do to prevent this from happening?
    is there a protection for usbs? 🙂

  • @ Arshad
    yes such applications are available in the market , i have seen many others like USB LOCK - USB protect and all that which basicly do the same thing, Its good to know about the situation then you will be more confident while using an application you might not be able to get hold of it in every area …
    Thanks

  • hey i was just wondering whether or not after following the steps whether all the data is deleted? I have got an i pod and the message comes up when i plug it in how do i get rid of the problem without deleting all the music off the device (ipod) please reply quickly

  • No your songs won’t be deleted… the post’s procedure will only stop the iPod’s drive from showing the autorun menu and preventing spread of virus etc.

    Do scan your iPod with some AV etc. too after this procedure !!



Get Wise

Subscribe to my newsletter to get latest InfoSec / Hacking News (1 Email/week)
Brave Browser Message

Pin It on Pinterest

Shares
Share This