Win32/SillyAutorun.FTW worm infects removable drives – TotalDefense Blog
Copyright © 2013 TotalDefense, Inc. | All rights reserved www.totaldefense.com
New worm infects removable drives.
Yet another worm that infects removable drives has been discovered.
The Win32/SillyAutorun.FTW worm was recently found in the wild. It is written with Microsoft Visual Studio and uses an injection engine: the worm's code overwrites the original code in memory. When it runs on an infected machine, it first copies itself to %ApplicationData%\E-73473-3674-74335\msnrsmsn.exe, where %ApplicationData% is the application data folder of the current user, for example:
C:\Documents and Settings\Administrator\Application Data\E-73473-3674-74335\msnrsmsn.exe
The worm terminates its initial process and runs the cloned file. It then writes a registry value so that it runs after every reboot:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft3264OSUpdate
The worm then checks whether a removable drive is connected to the computer and starts infecting it. A difference from previously found worms is that the drive is not infected immediately but after some delay, and the infected files are written one by one rather than all at once. This is a social engineering trick that keeps infected users from noticing the worm: a user inserts a USB key, sees no immediate change, and so does not suspect that the computer is actually infected. The infection method is similar to known ones but has some differences: link files are used. For every folder in the root directory of the drive the worm creates a link file named after the folder with an appended "s"; for the folder "Documents", for example, it creates "Documentss.lnk". The folder's attributes are changed to hidden and system, so it is invisible in Explorer unless the "Show hidden files" option is chosen. The worm additionally changes this option on the infected computer via the registry.
The links are seen instead of the folders: a user inserts the infected USB drive, clicks on the worm's link instead of the folder and gets infected. The worm also creates a hidden folder "Drivers" on the infected USB drive and copies itself there under the name of each hidden folder, for example:
F:\Documents - hidden folder
F:\Documentss.lnk - link to the worm
F:\Drivers\Documents.exe - the worm's copy responsible for this folder
The link's icon is the shell's folder icon, so it looks the same as a folder. Clicking the link runs a copy of the worm that infects the computer and then displays the content of the folder to avoid suspicion.
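The layout above (a root folder made hidden, a sibling "&lt;name&gt;s.lnk" decoy, and a matching "Drivers\&lt;name&gt;.exe") is a pattern a responder can scan a removable drive for. The following Python script is an added example written for this post, not TotalDefense's own tooling; it walks a drive root, reports every folder that has such a decoy, and notes whether the expected payload copy and the hidden+system attributes are present. The `build_sample_infected_root` helper creates a constructed temporary directory that only mimics the file names (placeholder bytes, no shortcut or executable content) so the scan can be run offline.

```python
import sys
import tempfile
from pathlib import Path

# Windows file-attribute bits; os.stat exposes st_file_attributes only on Windows.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
# Hidden folder the post says holds one worm copy per decoyed folder.
PAYLOAD_DIR = "Drivers"


def _hidden_and_system(path: Path) -> bool:
    """True only on Windows when both the Hidden and System attributes are set."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return False
    wanted = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    return attrs & wanted == wanted


def find_lnk_decoys(root) -> list:
    """Report root folders that have a sibling '<name>s.lnk' decoy.

    Each finding records the decoy name, whether Drivers\\<name>.exe exists,
    and whether the folder carries the hidden+system attributes the post describes.
    """
    root = Path(root)
    findings = []
    for entry in sorted(root.iterdir()):
        if not entry.is_dir() or entry.name.lower() == PAYLOAD_DIR.lower():
            continue
        decoy = root / f"{entry.name}s.lnk"
        if not decoy.is_file():
            continue
        payload = root / PAYLOAD_DIR / f"{entry.name}.exe"
        findings.append({
            "folder": entry.name,
            "decoy": decoy.name,
            "payload_present": payload.is_file(),
            "folder_hidden_system": _hidden_and_system(entry),
        })
    return findings


def build_sample_infected_root() -> str:
    """Constructed sample (not a real capture): a temp directory with the post's layout.

    File contents are placeholders; the scan only looks at names and attributes.
    """
    root = Path(tempfile.mkdtemp(prefix="usb_root_"))
    (root / "Documents").mkdir()
    (root / "Documentss.lnk").write_bytes(b"L\x00\x00\x00")    # placeholder, not a real shortcut
    (root / PAYLOAD_DIR).mkdir()
    (root / PAYLOAD_DIR / "Documents.exe").write_bytes(b"MZ")   # placeholder, not an executable
    (root / "Photos").mkdir()                                    # clean folder: no decoy beside it
    (root / "Notes").mkdir()
    (root / "Notes.lnk").write_bytes(b"L\x00\x00\x00")           # ordinary shortcut: no appended 's'
    return str(root)


if __name__ == "__main__":
    # Usage: python scan_decoys.py F:\   (falls back to the constructed sample)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_infected_root()
    for finding in find_lnk_decoys(target):
        print(finding)
```

Run it against the drive root (for example `F:\`) on the machine that reads the USB key; the attribute check is a no-op on non-Windows hosts, where the finding still identifies the decoy and payload names. A folder whose decoy exists but whose payload is missing is still worth noting, since the post describes the files being written one by one over time.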
The recommendations for avoiding the infection are the same as for similar worms: turn on the "Show hidden files" and "Show extensions" options in Explorer. Or, even better, do not use Explorer; use a different file manager instead, since Explorer is often targeted by malware.
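The persistence value under the Run key and the Explorer view settings that the worm tampers with are both in HKEY_CURRENT_USER, so a quick check of both is a reasonable triage step. The script below is an added example written for this post, not TotalDefense's own tooling. The Run key path and the value name `Microsoft3264OSUpdate` come from the post; the Explorer\Advanced key and its `Hidden`, `HideFileExt` and `ShowSuperHidden` values are the standard Windows locations for the "Show hidden files", "Hide extensions" and "Show protected operating system files" options. The profile-folder heuristic in `assess_run_entries` is an assumption of this example (any autorun launched from Application Data is flagged for review), not a rule stated in the post. The assessment functions take plain dictionaries so they can be exercised offline; `read_hkcu_values` reads the live registry only on Windows.

```python
import sys

# Locations named in the post (under HKEY_CURRENT_USER).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_RUN_VALUE = "Microsoft3264OSUpdate"
# Standard location of Explorer's view settings.
ADVANCED_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
# Heuristic (assumption of this example): autoruns launched from a user's
# profile data folder deserve a manual look, as the post's sample path does.
PROFILE_DATA_MARKERS = ("\\application data\\", "\\appdata\\")


def assess_explorer_settings(values: dict) -> list:
    """Return the Explorer view settings that hide what this worm relies on.

    Hidden: 1 = show hidden files, 2 = do not show them.
    HideFileExt: 1 = hide extensions of known file types, 0 = show them.
    ShowSuperHidden: 1 = show protected operating-system (system+hidden) files.
    Missing values are treated as the default, which is the weaker setting.
    """
    findings = []
    if values.get("Hidden", 2) != 1:
        findings.append("Hidden files are not shown (Hidden != 1)")
    if values.get("HideFileExt", 1) != 0:
        findings.append("Known file extensions are hidden (HideFileExt != 0)")
    if values.get("ShowSuperHidden", 0) != 1:
        findings.append("System+hidden folders are not shown (ShowSuperHidden != 1)")
    return findings


def assess_run_entries(entries: dict) -> list:
    """Return Run-key value names matching the post's indicator or the profile-folder heuristic."""
    flagged = []
    for name, command in entries.items():
        command_text = str(command).lower()
        if name == SUSPECT_RUN_VALUE:
            flagged.append(name)
        elif any(marker in command_text for marker in PROFILE_DATA_MARKERS):
            flagged.append(name)
    return flagged


def read_hkcu_values(subkey: str) -> dict:
    """Read every value under HKCU\\subkey; returns {} off Windows or if the key is absent."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module, imported lazily
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values
                    break
                values[name] = data
                index += 1
    except OSError:  # key does not exist
        pass
    return values


if __name__ == "__main__":
    for line in assess_explorer_settings(read_hkcu_values(ADVANCED_KEY)):
        print("explorer:", line)
    for name in assess_run_entries(read_hkcu_values(RUN_KEY)):
        print("run entry to review:", name)
```

One caveat on the "Show extensions" advice: Explorer never displays the .lnk extension of a shortcut regardless of that setting, so the setting helps expose the .exe copies under Drivers but does not unmask the decoy itself; the decoy is recognisable by the shortcut arrow overlay and the doubled letter at the end of its name. The profile-folder heuristic will also flag legitimate per-user applications that register themselves under Run, so treat those hits as items to review rather than verdicts.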
Additionally, the worm uses IRC to send messages in different languages with an infected attachment, for example:
belas fotos nao de voce
vakre bilder fra deg.
hoi niet mooi fotos
ich sag nur geile fotos.
About TotalDefense:
Total Defense (@Total_Defense) is a global leader in malware detection and anti-crimeware solutions. We offer a broad portfolio of leading security products for the consumer market used by over four million consumers worldwide. Our solutions also include the industry's first complete cloud security platform, providing fully integrated endpoint, web and email security through a single Web-based management console with a single set of enforceable security policies.
Total Defense is a former business of CA Technologies, one of the largest software companies in the world, and has operations in New York, California, Europe, Israel and Asia.
Visit http://www.totaldefense.com/ for web, cloud & mobile security solutions for home users and
businesses.