The Conflict of Autorun.inf

UPDATE: 20 Jan 10.00 GMT. See below.

SophosLabs received a new sample associated with the Conficker worm today. We first saw an Autorun.inf associated with Conficker earlier this month (W32/Confick-D). The Autorun.inf allows Conficker to spread via USB devices and remote drives (advice on how to combat USB-aware malware is here).

As has been mentioned on the F-Secure blog (they call it Downadup), Conficker’s Autorun.inf files look like random binary garbage. On closer inspection, however, the files are valid.

After removing the ‘garbage’ the Autorun.inf for W32/Confick-D looked like this:

Today’s sample, however, was slightly different: instead of the ‘Open folder…’ action, the action text was in German.

This wasn’t surprising as the sample came from Germany. However, it is the first time we have seen an Autorun.inf being generated dynamically in this manner by malware. W32/Confick-D has been updated.

Based on further analysis of this threat over the weekend, SophosLabs released Mal/ConfInf-A last night.
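The "removing the garbage" step described above, as an added example that is not SophosLabs' code: a small Python parser that pulls the valid directives out of a padded Autorun.inf and reports how much of the file is junk. The sample bytes, the `placeholder.exe` target, the action text and the 0.5 threshold are constructed assumptions, and the line matching only approximates how Windows reads the file.

```python
import re

# Key names documented for the [autorun] section; shell\<verb>\command is matched below.
KNOWN_KEYS = {"open", "shellexecute", "action", "icon", "label", "useautoplay"}
SECTION_RE = re.compile(rb"^\[([A-Za-z0-9_.]+)\]$")
ENTRY_RE = re.compile(rb"^([A-Za-z\\]+)\s*=\s*(.+)$")

def extract_directives(data: bytes):
    """Return (directives, junk_ratio) for a possibly garbage-padded Autorun.inf.

    Approximates INI parsing (not Windows' own parser): only section headers and
    known key=value lines inside [autorun] are kept; all other bytes count as junk.
    """
    directives, kept, section = [], 0, None
    for raw in data.splitlines():
        line = raw.strip(b" \t\x00")
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).decode("ascii").lower()
            kept += len(line)
            continue
        m = ENTRY_RE.match(line)
        if not m or section != "autorun":
            continue
        key = m.group(1).decode("ascii").lower()  # INI keys are case-insensitive
        if key in KNOWN_KEYS or re.fullmatch(r"shell\\\w+\\command", key):
            directives.append((key, m.group(2).decode("latin-1")))
            kept += len(line)
    return directives, (1 - kept / len(data) if data else 0.0)

def is_suspicious(data: bytes, threshold: float = 0.5) -> bool:
    """Flag files that launch something AND are mostly junk (threshold is an assumption)."""
    directives, junk_ratio = extract_directives(data)
    launches = any(k in ("open", "shellexecute") or k.startswith("shell\\")
                   for k, _ in directives)
    return launches and junk_ratio > threshold

def build_sample() -> bytes:
    """Constructed sample: valid lines separated by runs of non-text filler bytes."""
    junk = bytes(range(0x80, 0x100)) * 4  # constructed filler, not bytes from a real sample
    lines = [b"[AUTorUN]", b"AcTION=Constructed action text",
             b"shelLExecUte=placeholder.exe", b"useAuTopLAY=1"]
    parts = [p for line in lines for p in (junk, line)] + [junk]
    return b"\r\n".join(parts)

if __name__ == "__main__":
    found, ratio = extract_directives(build_sample())
    print(f"junk ratio {ratio:.2f}", found)
```

A legitimate Autorun.inf is almost entirely directives, so a high junk ratio combined with a launch key is a useful triage signal on removable media.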