UPDATE: 20 Jan 10.00 GMT. See below.
SophosLabs received a new sample associated with the Conficker worm (1, 2) today. We first saw an Autorun.inf associated with Conficker earlier this month (W32/Confick-D). The Autorun.inf allows Conficker to spread by USB devices and remote drives (advice on how to combat USB-aware malware is here).
As has been mentioned on the F-Secure blog (they call it Downadup), Conficker’s Autorun.inf files look like random binary garbage. However, when you look closer, the files are valid.
After removing the ‘garbage’, the Autorun.inf for W32/Confick-D looked like this:
Today’s sample, however, was slightly different. Instead of the ‘Open folder…’ action, this time the action text was in German. This wasn’t surprising, as the sample came from Germany. However, it is the first time we have seen an Autorun.inf being generated dynamically in this manner by malware. W32/Confick-D has been updated.
Based on further analysis of this threat over the weekend, SophosLabs released Mal/ConfInf-A last night.
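
The clean-up step described above (discarding the binary ‘garbage’ so that only the valid directives remain) can be scripted for triage. The Python below is an added example, not SophosLabs' tooling: the key list, the function names and the sample bytes are assumptions constructed for illustration, and the line filter only approximates how Windows reads the file.

```python
import re

# Assumption: only these [autorun] keys are kept; any other line counts as padding.
AUTORUN_KEYS = {"open", "shellexecute", "action", "icon", "label", "useautoplay"}
EXEC_KEYS = {"open", "shellexecute"}  # keys that name a program to run
SECTION_RE = re.compile(rb"^\s*\[([A-Za-z0-9_.]+)\]\s*$")
KEYVAL_RE = re.compile(rb"^\s*([A-Za-z\\]+)\s*=\s*(.+?)\s*$")

def strip_garbage(raw: bytes) -> dict:
    """Return {section: {key: value}} built only from well-formed directive lines."""
    sections, current = {}, None
    for line in re.split(rb"[\r\n]+", raw):
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).decode("ascii").lower()
            sections.setdefault(current, {})
            continue
        pair = KEYVAL_RE.match(line)
        if pair is None or current is None:
            continue  # binary padding, or a stray line before any section header
        key = pair.group(1).decode("ascii").lower()
        if key in AUTORUN_KEYS or key.startswith("shell\\"):
            sections[current][key] = pair.group(2).decode("latin-1")
    return sections

def execution_directives(sections: dict) -> list:
    """List the (key, value) pairs in [autorun] that would start a program."""
    autorun = sections.get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in EXEC_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]

def noise_ratio(raw: bytes) -> float:
    """Fraction of bytes that are neither printable ASCII nor tab/CR/LF."""
    noisy = sum(1 for b in raw if not (0x20 <= b <= 0x7E or b in (9, 10, 13)))
    return noisy / len(raw) if raw else 0.0

# Constructed sample: directive lines interleaved with arbitrary non-text bytes.
SAMPLE = (
    b"\x8f\x02\xd1\x9a\xfe\x11\xc3\x07\r\n[AUTorun]\r\n\xe4\x91=\x13\xaa\xb0\x7f\xd9\x05\r\n"
    b"AcTion=Open folder (constructed sample text)\r\n\x99\x01\x88\xf2\xf2\x10\xcd\r\n"
    b"shelLExECUte=placeholder.exe constructed-argument\r\n\xb7\xb7\x03\xee\x81\x0e\r\n"
    b"useAuTopLAY=1\r\n\xfa\x06\xa1\xd0\x92\r\n"
)

if __name__ == "__main__":
    parsed = strip_garbage(SAMPLE)
    print(parsed, execution_directives(parsed), round(noise_ratio(SAMPLE), 2))
```

An Autorun.inf that combines a high noise ratio with at least one execution directive is worth flagging for closer inspection on removable and mapped drives.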