Due to its Autorun function

Jan 4, 2008 22:06 GMT

The recent avalanche of threats has shown us that many, if not the majority, of them attempt to spread by copying their files onto clean removable drives connected to an infected computer. Usually, this process is based on Autorun.inf, a file placed on the targeted removable devices that executes the infection once they are connected to a computer. Roel of Viruslist.com has done an interesting analysis of the Windows Autorun function, concluding that Vista is somewhat more secure than XP when it comes to this kind of infection.

It all started with an infected MP3 player, which apparently got the Worm.Win32.Fujack.aa worm even before it had been connected to a computer. "Of course, we've contacted the company concerned. They told us they were aware that a few months ago there was a partially infected batch of these MP3 players, and that they'd taken steps to fix the problem. It was only this particular model - the Victory LT-200 that was affected", Roel wrote in his analysis.

But let's get back to the Windows Autorun function. We all know by now that this type of worm attempts to launch the Autorun.inf file in order to compromise a system. Connecting a USB device to a computer running Windows XP with Service Pack 2 brings up a dialog asking the user to choose between opening the folder to view files and several other options. However, double-clicking on the removable drive executes the commands placed in the Autorun.inf file, in our case launching the infection.

Windows Vista is different, Roel noted. Conducting the same action in Windows Vista opens the content of the drive and doesn't launch the infection. However, the dialog that opens when the USB connection is detected allows users not only to open the folder to view files, but also to launch the setup, which in our case amounts to launching the infection.

"This case shows clearly that you should always exercise caution when handling unknown external storage media, whether it's fresh out of the box or passed to you by a friend or colleague. One of the best precautions against getting infected is to make sure that your virus scanner is on. In most cases it takes a while for an infected device to be shipped from the factory to the store, so antivirus software is very likely to detect the malware that's caused the infection", Roel concluded.