Thank You And By The Way, You’re Infected

Worms that spread via removable shared drives and USB keys are getting common these days. In fact, this method is fast becoming one of the predominant ways of infecting a computer, taking over from the old IRC bot worms.


However, one malware author has apparently upped the ante by displaying a fake message and thanking the end user. The latest variant of this series of worms is W32/AutoRun-HU. Like its previous incarnations, the worm attempts to copy itself onto removable shared drives by actively searching for removable drive types. If such a device is found, the worm creates an autorun.inf file (also detected as W32/AutoRun-HU) in the root of that device. This file is designed to run the worm when the drive or USB key is connected to an uninfected computer.

From the analysis of the malware, it is apparent that malware authors have latched onto the idea of using AutoIt scripts to create their malware. Sadly, these script worms are showing no signs of abating any time soon.

As always, users should be careful when sharing removable drives and USB keys – especially if the media is of unknown origin.

After all, prevention is always better than cure.