![]() Client Security 8 (Internet Security 2009, and some other recent releases) can generically detect Downadup's autorun file as Worm:W32/Downaduprun.A. It's being used to test our Client Security 8 application. We would utilize Windows 7's "Send Feedback" link, but the lab's Windows 7 system is not connected to the Internet. The second "general" option is the choice that will safely open the USB drive.īeing curious, we tried this autorun.inf with Windows 7:Īnd the results for Windows 7 were the same as Vista's:ĭownadup attempts to disguise the installation option as an open folder action. The first option will run Downadup, not good. The category is " Install or run program" but the text and icon are for " Open folder to view files". The autorun.inf uses some tricks, such as variable size, to help avoid detection.īojan Zdrnja at SANS Internet Storm Center recently posted some additional analysis: Downadup attempts a social engineering trick in Windows Vista.ĭownadup's autorun.inf file uses an action keyword and icon extracted from shell32.dll to produce the following: ![]() Our January 7th post, When is AUTORUN.INF really an AUTORUN.INF?, provided analysis. ![]() But there is still some auto play dialog popping up, when a USB stick is plugged in. The Downadup worm utilizes autorun.inf files to spread via removable devices such as USB drives. As far as I know, the autorun.inf problem (the possibility of automatically executing code when a USB stick is plugged in) was solved through Windows Updates for XP, and on 7 it is no longer possible at all. Social Engineering Autoplay and Windows 7
0 Comments
Leave a Reply. |