The volume of autorun malware hitting some countries has jumped sharply because of new worms infecting older machines, researchers said.
The autorun issue became a moot point a few years ago, when Microsoft changed newer versions of Windows to disable the autorun functionality, but plenty of older Windows XP systems are still chugging along with the function enabled. Autorun worms jump directly from removable media such as USB drives as soon as the media are connected to a PC, and they can cause major trouble by spreading quickly through a network.
Researchers at Kaspersky Lab said the volume of autorun worms has remained relatively constant over the last few months, but there was a major spike in those numbers in April and May, thanks to the distribution of the two new pieces of malware.
“These two worms have three key features in common: Heavy obfuscation, backdoor-type essential payloads, and similar methods of propagation. Both worms spread by copying themselves and the configuration file autorun.inf into the root folders of logical volumes of removable storage media and network disks,” Konstantin Markov of Kaspersky Lab wrote on Securelist. “If these infected storages are opened on other computers, the infection can spread. Having infected the operating system and established a foothold on the victim computer, the malicious programs deploy their principal payload.”
The Java-based worm spreads only through the autorun functionality and comprises four individual components, each with a different job. Once the worm is on a new PC, it extracts a DLL from its code and then copies itself to the temporary user folder. It also copies the Java executable from %ProgramFiles% to the same folder. The worm then spawns a process and injects a library into it that enables it to spread to available network shares.
Both worms are mainly spreading in Southeast Asia right now.
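Because the propagation method described above depends on an autorun.inf file in the root folder of a removable or network volume, a defender can check those roots for one and list what it would launch. The Python code below is an added example, not code from Kaspersky Lab or the original article; the sample file contents and names such as payload.exe are constructed placeholders.

```python
import os
import sys
# [autorun] keys that make Windows start a program from the volume.
LAUNCH_KEYS = ("open", "shellexecute")

def launch_directives(text):
    """Return (key, command) pairs from the [autorun] section that run a program."""
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()                            # keys are case-insensitive
        # shell\<verb>\command adds a context-menu verb that runs a program
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value))
    return found

def scan_roots(roots):
    """Map each autorun.inf found in the given volume roots to its launch directives."""
    report = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        # The file may be UTF-16 with a BOM or a single-byte ANSI encoding.
        codec = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
        report[path] = launch_directives(data.decode(codec))
    return report

SAMPLE = r"""; constructed autorun.inf, file names are placeholders
[AutoRun]
Open=payload.exe
icon=folder.ico
shell\open\Command=payload.exe
[other]
open=ignored.exe
"""

if __name__ == "__main__":
    for path, hits in scan_roots(sys.argv[1:]).items():
        print(path, hits or "no launch directives")
```

Run it with the volume roots to inspect as arguments; any reported command that points at an executable on the same volume deserves a closer look before the media is opened on another machine.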