search cancel

Prevent viruses from using AutoRun to spread

book

Article ID: 151485

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

It appears that a virus is using the AutoRun feature in Windows to spread itself. Whenever a USB drive is inserted or other computers connect to the network a file called "autorun.inf" appears at the root of the new drive and the installed antivirus product detects a threat.

Cause

Windows uses the autorun.inf file to:

  • Identify which file to run when new media is inserted, or
  • Identify which options to present in an AutoPlay dialog
     

Viruses and other malware will attempt to use this feature to infect new computers when devices or media (like a USB drive) are moved between computers.

Note: The "autorun.inf" file in and of itself, is not malicious. It is simply a text file.

Resolution

Note:  To check if the computer in question is configured according to this best practice, download and run a 'scan for common issues' in SymDiag.

The autorun.inf file when viewed in a text editor typically contains lines similar to the following:

[AutoRun]
open=<filename.exe>

If you suspect that an infection is using AutoRun but the file <filename.exe> pointed to by autorun.inf is not detected by Symantec Endpoint Protection (SEP), please submit the file to Symantec Security Response using the instructions in the following article:

Even when SEP detects and deletes the <filename.exe> threat, the autorun.inf text file may not always be deleted since both benign and malicious files can use autorun.inf.

To permanently prevent threats from using the AutoRun feature the following options are available:
 

Further information about AutoRun and AutoPlay is also available at the following: