When is AUTORUN.INF really an AUTORUN.INF?

In addition to everything else, Downadup is also a USB worm.

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer).

[Screenshot: downadup_autorun_inf.png]

Such malicious AUTORUN.INF files are easy to spot. Here's what they typically look like:

[Screenshot: autorun_inf.png]

But Downadup does not create files such as this. What it drops on USB drives are AUTORUN.INF files that look like this:

[Screenshot: downadup_autorun_0.png]

So, that's binary garbage. Won't work. Right?

Look closer.

[Screenshot: downadup_autorun_1.png]

The key bit is found somewhere around the middle of this 90kB file. At the bottom of the screenshot. See it?

Open=RUNDLL32.EXE .\RECYCLER\jwgvsq.vmx

…which would execute a DLL called jwgvsq.vmx from a hidden folder on the USB drive.

The rest of the binary junk in the file is comments, which Windows ignores. And of course, the file size and the amount of binary junk are different every time.
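To show how a defender can triage such a file without relying on its size or hash, here is an added example (not code from the original post or from F-Secure) that mimics the INF parser's behaviour: it drops comment lines and anything that is not `key=value`, so the one live entry surfaces no matter how much junk surrounds it, and then flags entries that execute something. The sample bytes are constructed here to stand in for the 90 kB file in the screenshots; the `[autorun]` section name is the standard INF section, while the loader and Recycle Bin heuristics are this example's own choices.

```python
import re
from typing import Dict, List

# Constructed sample standing in for the ~90 kB file in the post: binary junk
# inside ';' comment lines, and a single live Open= entry (the line quoted in
# the post) inside an [autorun] section. CR/LF are kept out of the junk so the
# sample stays deterministic.
_JUNK = bytes(b for b in range(1, 256) if b not in (0x0A, 0x0D))
SAMPLE_AUTORUN_INF = (
    b";" + _JUNK * 8 + b"\r\n"
    + b"[autorun]\r\n"
    + b";" + _JUNK[::-1] * 4 + b"\r\n"
    + b"Open=RUNDLL32.EXE .\\RECYCLER\\jwgvsq.vmx\r\n"
    + b";" + _JUNK[100:] * 6 + b"\r\n"
)

# Keys that make Windows execute something when the drive is opened.
_EXEC_KEYS = {"open", "shellexecute"}
_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
_ENTRY_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_\\.]*)\s*=\s*(.*?)$")
# Signed Windows binaries commonly used to load a payload (heuristic list).
_LOADER_RE = re.compile(r"\b(rundll32|regsvr32|cmd|wscript|cscript|mshta)(\.exe)?\b", re.I)
_RECYCLE_RE = re.compile(r"\\recycler\\|\\recycled\\|\$recycle\.bin", re.I)


def parse_autorun_entries(data: bytes) -> List[Dict[str, object]]:
    """Return the key=value entries of an AUTORUN.INF image.

    Comment lines (';') and lines that are not 'key=value' are skipped, which is
    the same material Windows' INF parser ignores, so the handful of entries
    that matter are found regardless of file size or junk volume.
    """
    text = data.decode("latin-1")  # one char per byte, never raises
    section = ""
    entries: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.split("\n"), start=1):
        line = raw.strip(" \t\r")
        if not line or line.startswith(";"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = _ENTRY_RE.match(line)
        if m:
            entries.append({"line": lineno, "section": section,
                            "key": m.group(1).lower(), "value": m.group(2).strip()})
    return entries


def assess_entries(entries: List[Dict[str, object]]) -> List[str]:
    """Describe every entry that would execute something, with why it looks bad."""
    findings = []
    for e in entries:
        key, value = str(e["key"]), str(e["value"])
        is_exec = key in _EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not is_exec:
            continue
        reasons = [f"{key}= runs '{value}' when the drive is opened"]
        if _LOADER_RE.search(value):
            reasons.append("command uses a built-in loader binary")
        if _RECYCLE_RE.search(value):
            reasons.append("payload lives under a Recycle Bin folder")
        parts = value.split()
        target = parts[-1] if parts else ""
        ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
        if ext and ext not in {"exe", "dll", "bat", "cmd", "com"}:
            reasons.append(f"payload extension .{ext} is not a standard executable extension")
        findings.append(f"line {e['line']} [{e['section']}]: " + "; ".join(reasons))
    return findings


def junk_ratio(data: bytes) -> float:
    """Share of bytes that are neither printable ASCII nor TAB/CR/LF."""
    if not data:
        return 0.0
    noise = sum(1 for b in data if not (0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D)))
    return noise / len(data)


def scan_autorun(data: bytes) -> Dict[str, object]:
    """Full triage: parsed entries, findings, and how much of the file is junk."""
    entries = parse_autorun_entries(data)
    return {"size": len(data), "junk_ratio": round(junk_ratio(data), 3),
            "entries": entries, "findings": assess_entries(entries)}


if __name__ == "__main__":
    report = scan_autorun(SAMPLE_AUTORUN_INF)
    print(f"{report['size']} bytes, junk ratio {report['junk_ratio']}")
    for f in report["findings"]:
        print("FLAG", f)
```

A high junk ratio on its own is only a hint (legitimate INF files are plain text), so the decision should rest on the parsed entries: any `Open=`, `ShellExecute=` or `shell\...\command=` line on a removable drive deserves a look, and the comment-stripping parse is what keeps the check stable while the padding changes from drive to drive.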

Nice trick.

Posted on 07/01/09 at 12:52 PM


