Telltale Signs

Can you spot what’s wrong with the picture above?

That’s right. The application title has been renamed to “Internet Exploiter” (a pity the malware author renamed “Internet Explorer” as such; I actually prefer the phrase “Internet Exploder” *grin*).

This little effect was the result of a computer infected with an autorun worm, in particular, W32/AutoRun-AVH.

Besides setting the run keys in the registry, W32/AutoRun-AVH does something sneaky as well.

Have a look at the Startup folder in the Windows menu below.

It reads “Empty”, right? Well, no. The folder is actually not empty at all. What the worm has done is quite sneaky: it creates a shortcut (.lnk) file pointing to the worm, moves it into the Startup folder and names it (Empty).lnk! The Windows menu then shows an entry called “(Empty)”, which looks exactly like the placeholder for an empty folder, so infected users would not realise that something is amiss.

However, a quick look at the properties of the entry in the Startup folder shows quite clearly that it is a shortcut file, along with the target it points to (see below).
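The two persistence tricks described above (registry Run keys plus a misleadingly named shortcut in the Startup folder) can both be checked from a PowerShell prompt instead of clicking through Explorer. The script below is an added example written for this post, not code from the original article or from the worm analysis; it assumes only the standard Windows autostart locations (the per-user and all-users Startup folders, the Run/RunOnce registry keys) and the standard per-user Internet Explorer `Window Title` value, none of which are specific to W32/AutoRun-AVH. It lists hidden files too and resolves every .lnk to its real target, so a file called (Empty).lnk shows up with the executable it launches beside it.

```powershell
# Added example (not from the original post): enumerate the usual Windows
# autostart locations and resolve every Startup-folder .lnk to its target,
# so a shortcut with a misleading name such as "(Empty).lnk" cannot hide.

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# WScript.Shell can open an existing .lnk and expose its TargetPath/Arguments
$shell = New-Object -ComObject WScript.Shell

Write-Host '== Startup folder contents (hidden files included) =='
foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    # -Force also lists files flagged hidden/system, which Explorer normally hides
    Get-ChildItem -Path $folder -Force -File | ForEach-Object {
        $target = $null
        if ($_.Extension -ieq '.lnk') {
            $lnk = $shell.CreateShortcut($_.FullName)
            $target = $lnk.TargetPath
            if ($lnk.Arguments) { $target += ' ' + $lnk.Arguments }
        }
        [PSCustomObject]@{
            Folder   = $folder
            Name     = $_.Name
            Hidden   = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            Target   = $target          # $null for anything that is not a shortcut
            Modified = $_.LastWriteTime
        }
    } | Format-Table -AutoSize | Out-Host   # Out-Host renders immediately, in order
}

Write-Host '== Registry Run/RunOnce values =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping properties; drop them
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object {
            [PSCustomObject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
        } | Format-Table -AutoSize | Out-Host
}

# The renamed browser title in the post is the kind of change that lands in the
# per-user IE "Window Title" value; it is normally absent, so any value is worth a look.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$title  = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Window Title'
if ($title) { Write-Host "IE window title override: $title" }
```

Run it from an elevated prompt if you want the HKLM keys and the all-users Startup folder read reliably. Compare the resolved `Target` column against the file names: a shortcut whose name suggests nothing is there, or whose target sits in a user-writable location such as a temp or profile directory, is exactly the pattern this worm relied on.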

Malware authors are constantly finding new ways to conceal their activities and hide their nefarious creations (although this worm didn’t do too well in terms of hiding its presence). I admit that this one was relatively easy to spot, and to deduce from it that something is amiss on this computer.

Infected users may not be so lucky with other malware. More complex malware such as rootkits goes to great lengths to hide its presence: the files, processes and registry entries involved may not be visible at all, and it takes a fair amount of effort and analysis to actually find and locate them.