The AutoRun technology is a Windows operating system feature Microsoft introduced in Windows 95. It allows Windows Explorer to automatically launch programs from inserted storage drives and other media. Its command is rooted into the applications themselves and can't be edited by users, however, they can choose to go through with it or not using another Windows technology, AutoPlay. The autorun.inf text file, used for both the AutoRun and AutoPlay features, is placed in the root directory of a volume or storage drive to launch specific applications, such as installation files. Cybercriminals use this technology to get into user systems using worm type malware. AutoRun malware is the most prevalent in the Asia Pacific. It can infect USBs, hard drives, flash drives, and mapped drives; and is hard to remove. Malware categorized as AutoRun include the following: WORM_SOHANAD, WORM_SILLY, PE_SALITY, WORM_VB, and WORM_DOWNAD (Conficker).

Trend Micro released INF_AUTORUN.A, a Damage Cleanup Template (DCT) package that automatically disables the AUTORUN feature. It is also capable of the following:

  • Delete AUTORUN.INF in root folders
  • Remove right-click context menu associated to AUTORUN.INF files
  • Remove pop-up messages (see image below) when viewing drive folder content using Windows Explorer:

    {Open With dialog box}

Below are the steps in using this DCT package:

  1. Create a temporary folder.
  2. Download INF_AUTORUN.A. Save in the created folder.
  3. Extract the downloaded ZIP file into the created folder.
  4. Double-click on Remove_autorun.exe.
  5. Successful system modifications would show INF_AUTORUN.A detection (see image below):

    {Detection Message window}

  6. To view system modifications, open the generated log report (see image below) under the report folder: