MAL_OTORUN1 This is the Trend Micro...

MAL_OTORUN1

Virus type: Others

Aliases: Trojan.Win32.AutoHK.l (Kaspersky), Generic.dx (McAfee), W32.Ceted (Symantec), DR/AutoHK.C (Avira), W32/Autorun-BH (Sophos),

Pattern file needed: 5.357.00

Scan engine needed: 8.700

Overall risk rating:

Low

Description :

This is the Trend Micro detection for suspicious files that manifest behavior and characteristics similar to WORM_AUTORUN variants. Files detected usually drop a copy of itself and AUTORUN.INF file on physical and removable drives for its propagation and autostart technique.\par

Since these files commonly arrive and propagate via removable drives, it is important to protect your system by first protecting your removable drive. Below are a number of options that help prevent malware from affecting or starting in your removable drive.

Create a folder named AUTORUN.INF that is set to certain attributes to prevent malware from creating its own AUTORUN.INF, as most WORM_AUTORUN variants drops or overwrites a copy of the existing AUTORUN.INF. To do this, you may follow the steps listed here.
Enable the write-protect switch on a removable drive to allow read-only access to the removable drive. This switch is available on some removable drives. Enabling the switch prevents malware from being saved on your removable drive.\par
Scan your removable drive with an antivirus application before opening the drive. You can use online tools such as the Trend Micro HouseCall to scan removable drives.

Files using the AUTORUN.INF file, in part, rely on the autorun or autoplay feature in Windows. This feature enables removable media such as CDs and removable drives to start automatically upon insertion or connection to the system. The following option helps prevent the spread of malware on the system.

Modify registry entry to disable the autorun feature. A specific registry entry is related to the autorun feature of Windows systems. To learn how to modify this registry entry, please click here.

If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

To submit files, please refer to the Solution section.

Solution :

Creating an AUTORUN.INF Folder and Disabling Autorun Feature in Windows

This procedure enumerates the steps to create a batch (.BAT) file that creates an AUTORUN.INF folder and disables the autorun feature in Windows.

Open Notepad. Click Start>Run, type NOTEPAD, then press Enter.
Copy and paste the following text in Notepad:
<@echo off :: SET_NO_DRIVE_OTORUN reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0x0ff /f :: GET_DRIVES for /f "tokens=1 delims=:" %%j in ('reg query hklm\system\mounteddevices ^| findstr \DosDevices\') do ( echo %%j >> drives ) :: REMOVE_\DosDevices\_PREFIX for /f "tokens=3 delims=\" %%j in (drives) do ( echo %%j >> drives.txt ) del /q /f drives > nul :: REMOVE_SPACE for /f "tokens=1 delims= " %%j in (drives.txt) do ( echo %%j: >> drives ) del /q /f drives.txt > nul :: CHECK_DRIVE_TYPE for /f %%j in (drives) do ( fsutil fsinfo drivetype %%j | findstr "Fixed " >> fdtype fsutil fsinfo drivetype %%j | findstr "Removable " >> frtype ) del /q /f drives > nul :: GET_FDRIVES for /f "tokens=1* delims= " %%j in (fdtype frtype) do ( echo %%j >> dtype ) del /q /f fdtype > nul del /q /f frtype > nul :: REMOVE_SPACE1 for /f "tokens=1 delims= " %%j in (dtype) do ( echo %%j >> drives ) del /q /f dtype > nul :: DEL_DRIVE_A_FROM_LIST sort drives >> sort type sort | findstr "A" > nul if errorlevel 0 for /f "tokens=1 skip=1" %%j in (sort) do ( echo %%j >> sorted ) del /q /f drives > nul del /q /f sort > nul :: CREATE_OTORUN_FOLDER for /f %%j in (sorted) do ( md %%j\<i>AUTORUN.INF</i> attrib +s +h +r /d /s %%j\<i>AUTORUN.INF</i> ) del /q /f sorted > nul echo Press any key to close this window.. pause > nul>
Save the created file on your Desktop as the file DISABLE.BAT.
Locate the file on your desktop. Once located, double-click on the file.

Note: If your Trend Micro product detects a file under this detection name, do not execute the file, or delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

Submitting Samples

Sample files for submission must be in ZIP format and should be password-protected. To submit a ZIP file, file compression software such as Winzip must be used. A trial version of Winzip is available at www.winzip.com.

To compress a file, please follow the steps below:

Right-click on the file and select Add to Zip.
Enter a file name for the zip file.
On the Options menu, choose Encrpyt. In the input box, type virus. This serves as the password for the zip file.
Send the sample through the following channels:
• For Trend Micro Premium customers, please submit a virus support case by clicking here:
https://premium.trendmicro.com/premiumsupport/en/US/PSP/logon/logon.asp
• For Trend Micro non-Premium customers, please contact your local support network here:
http://www.trendmicro.com/en/about/contact/overview.htm
• For non-Trend Micro customers, please submit a virus support case by clicking here:
http://subwiz.trendmicro.com/SubWiz/Default.asp

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.

For additional information about this threat, see Technical Details.