November 27, 2008
Doctor Web reports a significant increase of new viruses spreading on removable data storage devices. Malicious programs created using the AutoIt scripting language with their shrouded code are very hard to analyze.
Automatic launch of the malicious code placed on a removable device has become one of the main causes of infection in recent months. The malicious code is classified by Dr.Web as Win32.HLLW.Autoruner.
The number of the new viruses grows along with the popularity of AutoIt (a freeware automation language for Windows). The language is very easy to learn and provides wide opportunities for virus makers.
The script code of such a virus can also include other malicious binary files with all of them compressed using various packers. When other malware is included in an AutoIt script it makes them very hard to detect by anti-virus software.
Viruses infesting systems from removable devices has become an urgent issue with many companies and governmental institutions restricting usage of removable data storage devices by employees. So the US army suspended use of USB disks and flash drives aiming to contain spread of a worm in its networks. Many companies also adopt special software that restricts usage of removable devices.
“Various executable packers and obfuscated code are typical techniques employed by virus makers. Now they use features of the AutoIt scripting language to which we provide a prompt response. For example the beta-version of the Dr.Web anti-virus 5.0 currently in public testing features recompilation of AutoI tmalware that allows analyzing malicious scripts and unpacking executables included in AutoIt worms”, Vladimir Martyanov, the virus analyst of Doctor Web remarked.
Doctor Web recommends all Windows users to disable the autorun of removable data storage devices (USB Flash Drive, CD/DVD, removable hard drives) and reduce the risk of infection. Besides, files placed on a device should be checked using an anti-virus with the latest virus definitions before you launch or open any of the files.
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.