AutoRun worms got “smarter”
Over time, users have become more careful when handling removable, external drives and devices such as iPods and other MP3 players, flash drives, USB sticks, digital cameras and frames, and others.
When it comes to removable drives, the biggest danger used to be the autostart procedure executed by Autorun.inf, but people learned their lesson and learned to disable AutoPlay or delete the malware in the device via command prompt then choosing the “Explore” option when they right-click on the drive.
But, malware authors aren’t easily deterred from finding ways to infect your computer, and they decided to use autorun.inf‘s Action Key to make this happen. Action Key is one of the file’s parameters, and it defines the text that appears in the AutoPlay dialog:
Options such as “Open folder to view files” or “Open folder to view files using Windows Explorer” that appear in the menu become triggers that make the malware execute each time the drive is open via Windows Explorer – as you can see in the AutoRun code of the worm: