Autorun.inf Virus

Discussion in 'ESET NOD32 Antivirus' started by epdom, Apr 23, 2008.

Thread Status:
Not open for further replies.
  1. epdom

    epdom Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    8
    Hello everyone

    I am running Vista Ultimate (SP1) and Nod32 (V.642). I regularly use a memory stick as ReadyBoost cache. Vista allocates 860 Kb of the available space (1 Gb) as cache memory, and the rest is available for storage.

    Today I saved a small Word document on it, to be printed at a local store which handles this type of thing, as the cartridges in my personal printer need to be replaced and will not print.

    After getting the print done, I returned to the house and connected the memory stick as always, and much to my surprise I got an instant warning from Nod telling me that Autorun.inf in removable drive F: was a virus.

    Cleaned the offending file, unplugged the stick and reconnected it again, this time without any warnings.

    I could reproduce the same event by taking the document back to the store to be accessed and closing it. No printing the second time. They were on XP SP2 and also running Nod32 (V.2.7).

    I think this may be a false positive but have no idea where the Autorun.inf was created.

    Anyone seeing this before?

    Regards
     


  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    You got it from the local store. I suspect your USB stick is still infected; the exe might still be there, even hidden.

    Run another good scanner to confirm. Try Dr.Web Cureit.
     
  3. proactivelover

    proactivelover Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    840
    Location:
    Near Wilders Forums
    Their NOD32 v2.7 is not up to date.
    This virus is spreading very fast.
    Please tell the store keeper to update their NOD32.
     
  4. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    autorun.inf is a batch file on removable media that most operating systems will try to run by default. The other computer you put the flash drive on has some kind of virus on it that is automatically adding/modifying the autorun file on your flash drive so that it either contains a malicious script or tries to launch a malicious file/webpage that could have also been copied in the process.
     
  5. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
    It is mostly because their V2.7 is not up to date.

    autorun.inf is just a part of the autorun virus; there may still be an exe file left.

    You need to delete it manually if NOD cannot detect it.
     
    Last edited: Apr 24, 2008
  6. bledd

    bledd Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    60
    open the inf to see what it's pointing at, likely to be an exe on the stick, like the adober.exe virus
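
What that suggestion looks like as a script, added here as an example that is not part of the original thread: it reads an autorun.inf as plain text (nothing is executed) and lists the commands and file names it points at. The sample content is constructed; only the name `adober.exe` comes from the thread.

```python
import re
import sys

# [autorun] keys that start a program when the drive is opened or clicked.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"shell\\[^\\]+\\command", re.IGNORECASE)

def launch_targets(inf_text):
    """Return [(key, command)] for each autorun.inf entry that launches something."""
    section, found = None, []
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue                      # other section or filler text
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in LAUNCH_KEYS or SHELL_COMMAND.fullmatch(key):
            found.append((key, value))
    return found

def target_files(inf_text):
    """File names the commands point at, to look for on the stick (may be hidden)."""
    names = []
    for _, command in launch_targets(inf_text):
        m = re.match(r'"([^"]+)"|(\S+)', command)
        name = (m.group(1) or m.group(2)) if m else None
        if name and name.lower() not in (n.lower() for n in names):
            names.append(name)
    return names

# Constructed sample; only the name adober.exe comes from the thread.
SAMPLE = r"""
;filler comment
[AutoRun]
open=adober.exe
shell\open\Command=adober.exe -e
shell\explore\command="recycler\x y.exe" /s
icon=folder.ico
"""

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for key, command in launch_targets(text):
        print(f"{key:24} -> {command}")
    print("files to look for:", target_files(text))
```

Pass the path of a renamed copy of the file as the first argument; with no argument it runs on the constructed sample.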
     
  7. epdom

    epdom Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    8
    I went back to the store and they had their Internet restored and surely Nod updated itself and found some virus in their machine. But as most people do, they did not pay attention to whatever message was presented by the program, clicked OK and merrily carried on.

    They have no idea what virus it was that infected their PC, and feel satisfied with the cleaning done by the AV. If changes were made to the system files, registry, or whatever, they don't seem too concerned.

    Not sure if I want to do business with them in the future.

    INF deleted from quarantine. No way to open it.

    Cheers
    epdom
     
  8. bledd

    bledd Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    60
    you could run recuva on it and restore the inf, disable autorun on that drive first though :) or rename it after restoring, then open in notepad
     
  9. Dogbiscuit

    Dogbiscuit Guest

    How do you hide files on USB sticks?
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Not me, the malware. It can be a hidden file or marked as a protected system file. I have seen this with worms travelling via USB drives.
     
  11. bledd

    bledd Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    60
    attrib +h

    or right click, properties, tick 'hidden' box, ok
     
  12. mkuntic

    mkuntic Registered Member

    Joined:
    Mar 6, 2008
    Posts:
    54
    Where?
     