Preventing a virus from using the AutoRun feature to spread itself

Article:TECH104447  |  Created: 2008-01-21  |  Updated: 2013-12-12  |  Article URL http://www.symantec.com/docs/TECH104447
Article Type
Technical Solution


Issue



It appears that a virus is using the AutoRun feature in Windows to spread itself. Whenever a USB drive is inserted or other computers connect to the network, a file called "autorun.inf" appears at the root of the new drive and the installed antivirus product detects a threat.


Cause



Windows uses the autorun.inf file to:

  • Identify which file to run when new media is inserted, or
  • Identify which options to present in an AutoPlay dialog
     

Viruses and other malware will attempt to use this feature to infect new computers when devices or media (like a USB drive) are moved between computers.

Note: The "autorun.inf" file, in and of itself, is not malicious. It is simply a text file.


Solution



Note:  To check if the computer in question is configured according to this best practice, download and run a 'scan for common issues' in SymHelp.

When viewed in a text editor, the autorun.inf file typically contains lines similar to the following:

[AutoRun]
open=<filename.exe>

If you suspect that an infection is using AutoRun but the file <filename.exe> pointed to by autorun.inf is not detected by Symantec Endpoint Protection (SEP), please submit the file to Symantec Security Response using the instructions in the following article:

Even when SEP detects and deletes the <filename.exe> threat, the autorun.inf text file may not always be deleted, since both benign and malicious files can use autorun.inf.
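To find the file an autorun.inf points to (for example, to locate it for submission), the [AutoRun] section can be parsed as in the following added example, which is not Symantec code. It goes beyond the open= line shown above by also reading the standard shellexecute= and shell\<verb>\command= keys; the function names and the sample file content are constructed for illustration.

```python
import re

# 'open' is the key shown in this article; 'shellexecute' and
# 'shell\<verb>\command' are other standard AutoRun keys that run a command.
COMMAND_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

# Constructed sample content, not taken from a real threat.
SAMPLE = (
    "; comment line\r\n"
    "qwertyuiop junk padding before the section\r\n"
    "[AUTORUN]\r\n"
    "Open = setup.exe /quiet\r\n"
    "icon=setup.exe,0\r\n"
    "shell\\explore\\Command=\"tools\\my viewer.exe\" %1\r\n"
    "[Other]\r\n"
    "open=ignored.exe\r\n"
)


def first_token(command):
    """Program part of a command line: the quoted path, else the first word."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0]


def autorun_targets(text):
    """Return [(key, command_line, target_file)] for commands in [AutoRun]."""
    results, in_autorun = [], False
    for raw in text.lstrip("\ufeff").splitlines():   # tolerate a leading BOM
        line = raw.strip()
        if not line or line.startswith(";"):         # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:        # padding, other sections
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value and COMMAND_KEY.match(key):
            results.append((key.lower(), value, first_token(value)))
    return results


if __name__ == "__main__":
    for key, command, target in autorun_targets(SAMPLE):
        print(f"{key:24} {target!r:24} <- {command}")
```

The target paths are relative to the root of the drive that holds autorun.inf; an unquoted path containing spaces is cut at the first space.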

To permanently prevent threats from using the AutoRun feature, the following options are available:

  • Install a Windows hotfix to disable AutoRun on USB drives
    This hotfix leaves AutoRun working only with CD and DVD drives, disabling USB, which is the most common AutoRun method used by malware to spread. The update applies to Windows XP, 2003, Vista, 2008.
    http://support.microsoft.com/kb/971029

     
  • Disable AutoPlay in your environment using a Group Policy Object (GPO)
    Follow the instructions in the following Microsoft TechNet Security Watch article, under "Managing AutoPlay in Your Network".
    http://technet.microsoft.com/en-us/magazine/cc137730.aspx

     
  • Disable the AutoRun functionality using the registry
    This Microsoft KB article explains how to disable AutoRun using the NoDriveTypeAutoRun registry key.
    http://support.microsoft.com/kb/967715/

     
  • Use a Symantec Endpoint Protection Application and Device Control policy
    Protection features within the Symantec Endpoint Protection product can be used to block the AutoRun functionality.
    http://www.symantec.com/docs/TECH104909


     

Further information about AutoRun and AutoPlay is also available at the following:



Legacy ID



2008032111570648

