W32/Autorun-NQ is a prime example of astute social engineering. When I ran this malware on my test machine, it presented me with the following display window:
A what? What would an aircraft blackbox analyzer software be doing on a customer’s box? The dead give away that this is a fake is the fact there is no actual option to load a “.blx” file into the program :) This generic blackbox analyzer software supports both Boeing and Airbus flight recorder models. You really have to admire the sense of humor and craftiness of this malware author.
Like every other Autorun worm we see, this one also copies itself to removable storage devices connected to the computer. When the blackbox analyzer window is closed, the worm continues to execute in the background attempting to contact a remote malicious site somewhere in Eastern Europe. The funny thing is that the worm contacts the remote site only after the main window is closed. This is probably another component of the social engineering trick where most people will read “Unauthorized use is prohibited!” and close the program window immediately.