Content

Generic!atr

Type
Trojan
SubType
Configuration file
Discovery Date
01/31/2007
Length
varies
Minimum DAT
4953 (01/31/2007)
Updated DAT
6542 (11/26/2011)
Minimum Engine
5.4.00
Description Added
01/31/2007
Description Modified
12/21/2010 12:08 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

--Updated on December 22, 2010 ----

File Information

  • MD5  -  C2B5C216DD47159EF76B1158E4ACA837
  • SHA  - 202EBAC554FC658BD736394AE06F3ECAFAB94422

Aliases

  • BitDefender - Worm.Autorun.VLX
  • GData         - Worm.Autorun.VLX
  • Microsoft    - VirTool:INF/Autorun.gen!A
  • TrendMicro - Mal_Otorun2

This is a generic detection for a configuration text file (autorun.inf) used by many worms.

This file is usually dropped onto the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the trojan file via the following command syntax.

  • [AutoRun]
  • open=skg1.exe
  • shell\open\Command=skg1.exe

--------------------------------------------------------------------

This is a generic detection for a configuration text file (autorun.inf) used by many worms. This file is usually dropped onto the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.

The size for this file varies. The size differs based on the length of the filename being referenced inside the .inf file.

Some copies of this file has the System (S) and Hidden (H) attributes present in attempt to hide the file from certain, default, viewing options within Windows Explorer.

The contents of the file are similar to the following:

[Autorun]
open=<WORM>.exe
shellexecute=<WORM>.exe
shell\Auto\command=<WORM>.exe

Symptoms

The presence of autorun.inf files on the root of all removable drives or mapped network drives containing information similar to that described in the "Characteristics" section.

Method of Infection

Infection starts either with manual execution of the binary or by navigating to folders containing infected files whereby the autorun.inf files can cause auto-execution.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

 

Variants

Variants

    N/A

All Information

Overview -

This is a generic detection for a configuration text file (autorun.inf) used by many worms. This file is usually dropped onto the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.

Characteristics

Characteristics -

--Updated on December 22, 2010 ----

File Information

  • MD5  -  C2B5C216DD47159EF76B1158E4ACA837
  • SHA  - 202EBAC554FC658BD736394AE06F3ECAFAB94422

Aliases

  • BitDefender - Worm.Autorun.VLX
  • GData         - Worm.Autorun.VLX
  • Microsoft    - VirTool:INF/Autorun.gen!A
  • TrendMicro - Mal_Otorun2

This is a generic detection for a configuration text file (autorun.inf) used by many worms.

This file is usually dropped onto the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the trojan file via the following command syntax.

  • [AutoRun]
  • open=skg1.exe
  • shell\open\Command=skg1.exe

--------------------------------------------------------------------

This is a generic detection for a configuration text file (autorun.inf) used by many worms. This file is usually dropped onto the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.

The size for this file varies. The size differs based on the length of the filename being referenced inside the .inf file.

Some copies of this file has the System (S) and Hidden (H) attributes present in attempt to hide the file from certain, default, viewing options within Windows Explorer.

The contents of the file are similar to the following:

[Autorun]
open=<WORM>.exe
shellexecute=<WORM>.exe
shell\Auto\command=<WORM>.exe

Symptoms

Symptoms -

The presence of autorun.inf files on the root of all removable drives or mapped network drives containing information similar to that described in the "Characteristics" section.

Method of Infection

Method of Infection -

Infection starts either with manual execution of the binary or by navigating to folders containing infected files whereby the autorun.inf files can cause auto-execution.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

 

Variants

Variants -

    N/A