Jan
21
The Downadup worm utilizes autorun.inf files to spread via removable devices such as USB drives.
Our January 7th post, When is AUTORUN.INF really an AUTORUN.INF?, provided analysis. The autorun.inf uses some tricks, such as variable size, to help avoid detection.
Bojan Zdrnja at SANS Internet Storm Center recently posted some additional analysis: Downadup attempts a social engineering trick in Windows Vista.
Downadup's autorun.inf file uses an action keyword and icon extracted from shell32.dll to produce the following:

The category is "Install or run program" but the text and icon are for "Open folder to view files".
The first option will run Downadup, not good. The second "general" option is the one that will safely open the USB drive.
Being curious, we tested this autorun.inf with Windows 7:

And the results for Windows 7 were the same as Vista's:

Downadup attempts to disguise the installation option as an open folder action.
We would use Windows 7's "Send Feedback" link, but the lab's Windows 7 system is not connected to the Internet. It's being used to test our Client Security 8 application. Client Security 8 (Internet Security 2009, and some other recent releases) can generically detect Downadup's autorun file as Worm:W32/Downaduprun.A.
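
A triage check for the pattern described above, as an added example that is not part of the original post and not the vendor's detection logic: it parses an autorun.inf while skipping padding, then flags a launch command paired with folder-style action text or a shell32.dll icon. The sample bytes, the placeholder file name, the matched phrases and the 50% padding threshold are all constructed assumptions.

```python
import re

EXEC_KEYS = {"open", "shellexecute"}          # autorun.inf keys that launch a program
LINE_RE = re.compile(rb"^\s*([A-Za-z\\]+)\s*=\s*([\x20-\x7e]+?)\s*$")
FOLDER_TEXT = re.compile(r"open folder|view files", re.I)   # assumed phrases

def parse_autorun(raw: bytes):
    """Return (entries, junk_bytes); lines that are not key=value count as junk."""
    entries, junk = {}, 0
    for line in re.split(rb"[\r\n]+", raw):
        m = LINE_RE.match(line)
        if m:
            entries[m.group(1).decode().lower()] = m.group(2).decode()
        elif not re.fullmatch(rb"\s*(\[[\x20-\x7e]*\])?\s*", line):
            junk += len(line)                 # not blank, not a [section] header
    return entries, junk

def assess(raw: bytes):
    """List the reasons this autorun.inf resembles the disguised-action trick."""
    entries, junk = parse_autorun(raw)
    launches = [k for k in entries if k in EXEC_KEYS or k.endswith("\\command")]
    findings = []
    if launches and FOLDER_TEXT.search(entries.get("action", "")):
        findings.append("action text imitates the folder-open entry")
    if launches and "shell32.dll" in entries.get("icon", "").lower():
        findings.append("icon taken from shell32.dll")
    if raw and junk / len(raw) > 0.5:         # assumed threshold
        findings.append("mostly padding bytes")
    return findings

# Constructed inputs: PAD stands in for size-varying filler, the command is a placeholder.
PAD = b"\x8f\xa1\x03\xfe\x10" * 60
SUSPICIOUS = b"\r\n".join([
    PAD, b"[AUTORUN]", PAD,
    b"Action=Open folder to view files",
    b"Icon=%SystemRoot%\\system32\\shell32.dll,4",
    b"Open=PLACEHOLDER.EXE", PAD])
BENIGN = b"[autorun]\r\nicon=setup.ico\r\nlabel=Backup Disk\r\n"

if __name__ == "__main__":
    for name, data in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, assess(data))
```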

