Kaspersky warns of new 'AutoRun' malware

At least two new Internet worms exploiting the AutoRun feature in Microsoft's Windows operating system are threatening computer users, security vendor Kaspersky Labs said over the weekend.

 

Kaspersky Lab expert Konstantin Markov said the two "special" worms are Worm.JS.AutoRun and Worm.Java.AutoRun, also known as HEUR:Worm.Script.Generic and HEUR:Worm.Java.Generic.

 

"These two worms have three key features in common: heavy obfuscation, backdoor-type essential payloads, and similar methods of propagation. Both worms spread by copying themselves and the configuration file autorun.inf into the root folders of logical volumes of removable storage media and network disks," Markov said in a blog post.

 

"If these infected storages are opened on other computers, the infection can spread. Having infected the operating system and established a foothold on the victim computer, the malicious programs deploy their principal payload," he added.

 

He said the two new worms are polymorphic, meaning they can modify their bodies and complicate their detection.

 

Markov said the Autorun.inf file "ensures the worm is launched automatically when infected external storage media or a mounted network drive is opened."

 

Autorun.inf is a feature that allows a file to run automatically on Windows. But security concerns prompted Microsoft to issue updates to disable the feature by default.

 

Yet, Markov also noted a dramatic rise in the number of new Worm.Java.AutoRun modifications in the last three months.

 

Markov said the Kaspersky Security Network showed the worm is "most widely distributed in India and Malaysia."

 

"The malware receives commands via a file downloaded from the command center. These instructions are mostly about collecting information from the infected system. In particular, cybercriminals want the worm to gather information about the system, the user and the installed software," he said. —VC, GMA News