Security companies are monitoring the rise of a worm generally known as W32/VBNA-X, which has been on the scene for a period of time but now appears to be spreading rapidly, according to a number of security companies, including Symantec, McAfee, Kaspersky and Sophos.
Though the bug is technically a worm, it also performs like a Trojan in some respects, given that it tends to spread via autorun.inf files carried on thumb drives and other removable media while at the same time opening the door to other malware.
"If you thought Microsoft solved the AutoRun problem, you aren't alone," writes Brian Donohue an editor with Kaspersky's ThreatPost blog. "They tried to shut it down after it was famously and cleverly used to spread earlier variants of the Stuxnet worm that targeted the industrial control systems that controlled centrifuges at Iran's Natanz nuclear enrichment facility. However, as we continue to move further and further from that date, and we continue to see the word AutoRun popping up in headlines, it is increasingly becoming one of those network security nuisances that just won't go away."
However, the worm seems to be penetrating systems that are reader unpatched, or capitalizing on social engineering exploits aimed at encouraging users to allow the malware to run and replicate itself.
The worm apparently installs malware in spoofed folders while hiding the legitimate ones. Close examination of the fully extended filenames would reveal the ruse, exposing them as .exe files, but users who were not specifically on guard for this tactic might not notice it.
Additionally, the Sophos Naked Security blog maintains that some variants of the malware disable Windows updates in order to interfere with patches or any other fixes that might block the exploit. Once the system is infected, the malware communicates with command-and-control servers to download additional viruses responsible for data extraction or other criminal acts.
In addition to updating antivirus signatures and enabling onboard behavioral detection functions, the Sophos blog recommends that channel partners and IT administrators disable AutoRun on all Windows systems, configure policies to show file extensions and hidden files, restrict write permissions to file shares wherever possible and block outbound connections to unknown ports and services.
W32/VBNAX also goes by a variety of names, including W32/Autorun.worm.aaeb and W32.ChangeUp.
PUBLISHED NOV. 30, 2012