
W32/Conficker.worm!inf

Type: Virus
SubType: Worm
Discovery Date: 01/07/2009
Length:
Minimum DAT: 5488 (01/07/2009)
Updated DAT: 5556 (03/17/2009)
Minimum Engine: 5.2.00
Description Added: 01/07/2009
Description Modified: 01/28/2009 6:26 AM (PT)
Risk Assessment
    Corporate User: Low
    Home User: Low


Characteristics

This is a generic detection for a configuration text file (autorun.inf) used by the W32/Conficker.worm. This file is usually dropped onto the root of all removable drives and mapped drives in an attempt to autorun an executable when the drive is accessed.

The size for this file varies.

Some copies of this file have the System (S) and Hidden (H) attributes set in an attempt to hide the file from certain default viewing options within Windows Explorer.

The contents of the file are similar to the following:

....Garbage......

shelLExECUte=RuNdLl32.EXE .\RECYCLER\S-x-x-xx-2819952290-8240758988-879315005-xxxx\jwgkvsq.vmx,ahaezedrn

.....Garbage....

When Autorun is initiated, the file is executed and infection occurs. Because this infection is instigated locally, the worm does not need to exploit MS08-067, so having applied the patch will not stop the infection.

Symptoms

The presence of autorun.inf files on the root of all removable drives or mapped network drives containing information similar to that described in the "Characteristics" section.
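
A content check for this symptom, written as an added example (not McAfee's detection logic and not code from the original page): it pulls command-launching keys out of raw autorun.inf bytes case-insensitively, skips the padding, and flags rundll32 launches and payloads under RECYCLER. The function name, the padding bytes in the sample, and the extra keys open and shell\<verb>\command are assumptions of this example.

```python
import re

# Keys that make Autorun launch a command. The page shows shellexecute; open
# and shell\<verb>\command are the other standard command keys (added here).
COMMAND_KEY = re.compile(
    rb"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)
# Anything that is not blank, a comment, a [section] or key=value is padding.
INI_LINE = re.compile(rb"^\s*($|;|\[[^\]]+\]\s*$|[\w\\ ]+=)")

def scan_autorun_inf(data: bytes) -> dict:
    """Extract command-launching lines from raw autorun.inf bytes and score them."""
    commands, garbage = [], 0
    for raw in re.split(rb"[\r\n]+", data):
        m = COMMAND_KEY.match(raw)
        if m:
            cmd = m.group(2).decode("latin-1")
            reasons = []
            if re.search(r"\brundll32(\.exe)?\b", cmd, re.I):
                reasons.append("launches via rundll32")
            if re.search(r"\\recycler\\", cmd, re.I):
                reasons.append("payload under RECYCLER")
            commands.append({"key": m.group(1).decode("latin-1").lower(),
                             "command": cmd, "reasons": reasons})
        elif not INI_LINE.match(raw):
            garbage += 1  # binary padding line, ignored by the INI parser
    return {"commands": commands,
            "garbage_lines": garbage,
            "suspicious": any(c["reasons"] for c in commands)}

# Constructed sample: the page's directive between runs of made-up padding bytes.
SAMPLE = (b"\x8f\x02q\xa1Zk\x11\xe3\r\n\xd4\x90\x07mm\xfe\r\n"
          b"shelLExECUte=RuNdLl32.EXE .\\RECYCLER\\S-x-x-xx-2819952290-"
          b"8240758988-879315005-xxxx\\jwgkvsq.vmx,ahaezedrn\r\n"
          b"\xb3\x19\xc7\x05\xee\x81\r\n")
# Constructed benign file for contrast (an ordinary installer disc).
BENIGN = b"[autorun]\r\nicon=setup.ico\r\nopen=setup.exe\r\n"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, scan_autorun_inf(blob))
```

Because the check reads file content rather than directory listings, it still applies to copies carrying the System and Hidden attributes.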

Method of Infection

Infection starts either with manual execution of the binary or by navigating to a folder containing an autorun.inf file, which can cause auto-execution.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants


    N/A
