Windows autorun trojan tops November malware chart

According to the IT security vendor, by default, every removable storage device features an autorun.ini script that instructs the computer which file to execute when the device is plugged in.

Malware authors,  BitDefender said, are now tampering with these files to make it launch various malware applications such as trojans when portable devices such as USB sticks are plugged in.

Second slot in BitDefender's malware charts is taken by the trojan Trojan.Clicker.CM, which has ridden high for some time.

This malware is typically found on websites hosting illegal applications such as cracks, key generators and serial numbers for popular commercial software applications.

The trojan is mostly used to force advertisements inside the users' browser in order to boost their advertisement revenue.

Ranking third this month was the worm Win32.Worm.Downadup.Gen, which relies on the Windows server service RPC (remote procedure call) handling remote code execution vulnerability (MS08-67) in order to spread on other computers in the local network.

Downadup - a variant of Conficker - restricts users' access to Windows Update and security vendors web pages. Newer variants of the worm also install rogue anti-virus applications.

Fourth place is taken by the trojan Trojan.Wimad, a piece of malicious code which BitDefender said exploits the capability of ASF files to automatically download the appropriate codec from a remote location, in order to deploy infected binary files on the host system.

In firth place, meanwhile, comes Exploit.PDF-JS.Gen, a generic detection for specially crafted PDF files which exploit different vulnerabilities found in Adobe PDF Reader's Javascript engine.

Once inserted, the exploit executes malicious code on a user's computer. And upon opening an infected PDF file, a specially crafted Javascript code triggers the download of malicious binaries from remote locations.

Ranking sixth is Win32.Sality.OG, a polymorphic file infector that appends its encrypted code to executable files - in order to hide its presence on the infected machine, the executable deploys a rootkit and attempts to kill anti-virus applications installed locally.

Seventh place goes to Trojan.Autorun.AET, a malicious trojan code spreading via the Windows shared folders, as well as through removable storage devices.

The trojan is reported to exploit the autorun feature implemented in Windows for automatically launching applications when an infected storage device is plugged in.

Worm.Autorun.VHG, in eighth place, is an internet / network worm that exploits the Windows MS08-067 vulnerability in order to execute itself remotely using a specially crafted RPC package - the same approach used by Conficker / Downadup.

In ninth position, Trojan.Inject.RA is a password-stealing trojan that mostly targets Lineage II computer players. This specific variant has a key logging component that intercepts users' keystrokes and sends them to a remote attacker via HTTP or SMTP protocols.

Last, but not least in BitDefender's November charts, is the trojan Trojan.Downloader.Bredolab.AZ, which comes disguised as a Microsoft Word document.

Bitdefender said that the trojan is notable for dropping a DLL file and registering it as a Browser Helper Object. The torjan then monitors users' keyboard input via a key logging component and sends the data to a website located in Russia.

What’s hot on Infosecurity Magazine?