How to prevent a virus from spreading using the "AutoRun" feature
Question/Issue:
You are infected with a virus that uses the "AutoRun" feature to spread (by means of an autorun.inf file). Note that the "AutoRun" feature is often referred to as AutoPlay.
Symptoms:
- You can see a file called "autorun.inf" in the root of your drives.
- When a USB drive is inserted, the AntiVirus product detects a threat.
- Machines connected to network drives keep getting threat detection dialogs.
Cause:
The threat that is attacking your system is using the Windows AutoRun feature to spread in your environment.
Solution:
Note: The "autorun.inf" file is not malicious in and of itself. It is just a text file.
If you open it with a text editor, you will see lines similar to these:
[AutoRun]
open= <path><filename>.exe
If the file <filename>.exe in the specified path is not detected by Symantec AntiVirus or Symantec Endpoint Protection, please submit the file to Symantec Security Response using the instructions in the following document:
"How to Use the Web Submission Process" at:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007090711312848
Disable AutoPlay in your environment using a Group Policy Object (GPO).
Use the following Microsoft article as a reference:
"Security Watch: Island Hopping: The Infectious Allure of Vendor Swag" at:
http://technet.microsoft.com/en-us/magazine/cc137730.aspx
The Microsoft KB article "How to correct "disable Autorun registry key" enforcement in Windows" is an excellent authoritative resource on Autorun:
http://support.microsoft.com/kb/967715/
Symantec Endpoint Protection users
If you are using Symantec Endpoint Protection, you can use its features to disable AutoRun functionality. For more information, read
"Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x".
Video demonstration of "How to prevent a virus from spreading using the 'AutoRun' feature"
https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&thread.id=222
References:
"Enabling and disabling autorun" at:
http://msdn2.microsoft.com/en-us/library/bb776825.aspx
"Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x" at:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008050910464348
Document ID: 2008032111570648
Last Modified: 11/12/2009
Date Created: 03/21/2008
Product(s): Endpoint Protection 11, Endpoint Protection for Windows XP Embedded, Mobile AntiVirus for Windows Mobile, Symantec AntiVirus 10.1, Symantec AntiVirus 10.2, Symantec AntiVirus Corporate Edition 10.0, Symantec AntiVirus Corporate Edition 8.0, Symantec AntiVirus Corporate Edition 9.0, Symantec AntiVirus for Handhelds - Corporate Edition, Symantec AntiVirus for Handhelds - Corporate Edition for wireless devices
Release(s): Endpoint Protection 11 [All Releases], Mobile AntiVirus for Windows Mobile [All Releases], SAV 10.0 [All Releases], SAV 8.0 [All Releases], SAV 9.0 [All Releases], Symantec AntiVirus 10.1 [All Releases], Symantec AntiVirus 10.2 [All releases], Symantec AntiVirus for Handhelds [All Releases]