It has long been observed that the AutoPlay/AutoRun feature of the MS Windows OS is one of the most preferred methods of malware propagation. We've witnessed some devastating examples of malware that used this feature effectively to replicate, turning a single-machine infection into a malware outbreak within the first few hours. Conficker, a.k.a. W32.Downadup, is the most recent example of such malware. But this is not at all a new method of infection; rather, it has been around for decades. Some more popular examples are Trojan.Brisv.A!inf, W32.Gammima and many more in the long list.
KB 971029 - A good step towards malware propagation prevention.
Created: 17 Sept 2009 • Updated: 17 Sept 2009
Many other AV vendors detect autorun.inf, but Symantec does not. Many people take this the wrong way, but there is a valid reason behind Symantec's decision not to detect autorun.inf.
The answer is pretty simple and logical: it's a feature of the MS Windows OS which is abused by malicious code, and the AV "should not" just go and remove a feature of the OS, as this feature is also used by 'many' other software vendors. Secondly, autorun.inf is just an information file and usually contains the instructions (when maliciously used) to execute the "original" malicious code/file. Autorun.inf alone can't do anything, even with the instructions in it, if the main file is detected and cleaned. Period. But there are many other arguments; one of them is that one can't open the drive [until the shell (explorer.exe) is refreshed or the system is rebooted] if the main file [malicious executable] is deleted and autorun.inf is still present on the drive. The simple resolution is to disable the feature.
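As an added illustration (not Symantec's code and not part of the original post), the following Python example parses an autorun.inf and lists the programs its entries would launch, so that the main file it points to can be located and cleaned first. The function names and the sample file contents are constructed for this example.

```python
import re

# [autorun] keys that launch a program: open= and shellexecute= on AutoRun,
# shell\<verb>\command= when that verb is chosen in Explorer.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def launch_targets(text):
    """Return [(key, command)] for every launch entry in an autorun.inf."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # other sections and padding lines are ignored
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if LAUNCH_KEY.match(key) and value:
            found.append((key.lower(), value))
    return found

def referenced_files(text):
    """First token of each command: the files to scan or remove first."""
    names = []
    for _, cmd in launch_targets(text):
        m = re.match(r'"([^"]+)"|(\S+)', cmd)
        name = m.group(1) or m.group(2)
        if name.lower() not in (n.lower() for n in names):
            names.append(name)
    return names

# Constructed sample for illustration, not taken from real malware.
SAMPLE = r"""
; padding comment
[AutoRun]
jkasdhf
Open=setup_x.exe /quiet
action=Open folder to view files
shell\open\Command=setup_x.exe
shell\explore\command = "tools\helper app.exe" -a
"""

if __name__ == "__main__":
    for key, cmd in launch_targets(SAMPLE):
        print(f"{key:24} -> {cmd}")
    print("scan first:", referenced_files(SAMPLE))
```

Informational keys such as action= are not reported, since they do not launch anything by themselves.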
However, AutoPlay still remained a feature of Windows and there was no official fix/patch available from the OS vendor. But now there's good news from Microsoft.
After successful installation of the update, the AutoRun feature is no longer available for "removable media", with the exception of CD/DVD.
Here is the announcement from MS:
"After you install this update, users will no longer see this dialog box. Users must browse to the setup executable that is found on the USB flash drive to start the "Copy Network Settings" process. This update disables Auto Run entries in AutoPlay, and displays only entries that are populated from CD and DVD drives. Effectively, this prevents AutoPlay from working with USB media."
Anyway, it's a good step by MS to prevent abuse of the AutoPlay feature, which would surely help prevent malware to 'some extent', as flash drives, external hard drives and CF cards are in more use than 'writeable' CD/DVDs in the current scenario.