USB Worms

January 7, 2009 – 6:55 PM

USB worms work by creating a file called AUTORUN.INF in the root of USB drives. These INF files then use Autorun or AutoPlay to launch the worm either when the stick is inserted or, more commonly, when the user double-clicks the USB drive icon in My Computer. Such malicious AUTORUN.INF files are easy to spot, but Downadup does not create files like these. What it drops on USB drives are AUTORUN.INF files that look like this:

[Screenshot: Downadup Autorun]

The noteworthy text is found somewhere around the middle of this 90kB file, at the bottom of the screenshot. See it?

Open=RUNDLL32.EXE .\RECYCLER\jwgvsq.vmx

…which would execute a DLL called jwgvsq.vmx from a hidden folder on the USB drive.
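
As an added example (not from the original post or from F-Secure), here is a Python scanner that pulls launch directives out of an AUTORUN.INF padded with binary junk, the way the Downadup file described above is. The function names, the junk-ratio measure and the sample file are assumptions constructed for illustration; only the Open= line comes from the post.

```python
import random
import re

# Keys in an AUTORUN.INF that launch a program (matched case-insensitively).
LAUNCH_KEY = re.compile(
    rb"^[ \t]*(open|shellexecute|shell\\[^=]*\\command)[ \t]*=[ \t]*(.+?)[ \t]*$",
    re.IGNORECASE)
# Traits of the command quoted in the post: RUNDLL32 loading from RECYCLER.
SUSPICIOUS = re.compile(r"rundll32|\\recycler\\", re.IGNORECASE)


def scan_autorun(data: bytes) -> dict:
    """Extract launch directives from raw AUTORUN.INF bytes, ignoring padding."""
    commands = []
    for line in re.split(rb"\r\n|\r|\n", data):
        m = LAUNCH_KEY.match(line)
        if m:
            key = m.group(1).decode("ascii").lower()
            commands.append((key, m.group(2).decode("latin-1")))
    # Share of bytes that are not printable ASCII: high in a padded file.
    printable = sum(1 for b in data if b in (9, 10, 13) or 32 <= b < 127)
    junk_ratio = round(1 - printable / len(data), 2) if data else 0.0
    return {
        "size": len(data),
        "commands": commands,
        "junk_ratio": junk_ratio,
        "suspicious": [cmd for _, cmd in commands if SUSPICIOUS.search(cmd)],
    }


def constructed_sample() -> bytes:
    """Constructed stand-in for the ~90 kB file: padding around the real lines."""
    rng = random.Random(0)
    pool = bytes(range(0x80, 0x100)) + b"\r\n"  # high bytes cannot spell a key

    def pad(n: int) -> bytes:
        return bytes(rng.choice(pool) for _ in range(n))

    return (pad(45000) + b"\r\n[AUTORUN]\r\n" + pad(200) +
            b"\r\nOpen=RUNDLL32.EXE .\\RECYCLER\\jwgvsq.vmx\r\n" + pad(45000))


if __name__ == "__main__":
    print(scan_autorun(constructed_sample()))
```

A large file with a high junk ratio and a single launch directive is the pattern to flag; an ordinary AUTORUN.INF is a few hundred bytes of plain text.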

Source:
http://www.f-secure.com/weblog/archives/00001575.html

One Response to “USB Worms”

  1. Here’s a list of domains that are distributing Downadup:

    http://www.f-secure.com/weblog/archives/downadup_domain_blocklist.txt

    By manunkind on Jan 9, 2009
