2 Replies Latest reply on Sep 15, 2009 9:36 AM by gitrdonegreg

    autorun.inf's and LDAV


      Recently I've been seeing malicious autorun.inf files pop up in our environment, mostly on file servers. LDAV is successfully quarantining the malicious .exe the .inf file is referencing, but the .inf file is not getting flagged and removed by LDAV. Although the threat is basically gone, the bad autorun files are throwing errors when drives are mapped, folders opened, etc. since the .exe being referenced is no longer there. Is there any way to detect and remove these bad autorun.inf files? Distinguish them from good autorun.inf files without manually opening each one? Should LDAV be doing this already?

       

      Example of file

       

      [auTORUN]
      action=Open folder to view files
      shElleXEcUte=UJR0497.Exe
      icoN=SYsteMrOOt%\sysTem32\ShELl32.DlL,4
      USEaUTOPLAy=1

       

      where ujr0497.exe was flagged and successfully quarantined
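One way to separate leftover autorun.inf files from legitimate ones without opening each by hand, as an added example that is not part of the original post or of LDAV: parse every autorun.inf under a share case-insensitively (the sample above uses mixed case) and report the ones whose launch target no longer exists beside them. The function names are hypothetical, and the script only reports; it does not delete anything.

```python
import os
import re
import shlex

# [autorun] keys that name a program to launch.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def launch_targets(inf_text):
    """Programs an autorun.inf would launch; section and key names match case-insensitively."""
    targets, in_section = [], False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key) and value:
                try:  # keep the program, drop command-line arguments
                    value = shlex.split(value, posix=False)[0]
                except ValueError:
                    pass  # unbalanced quote: keep the raw value
                targets.append(value.strip('"'))
    return targets

def exists_nocase(base_dir, rel_path):
    """True if rel_path names a file under base_dir, comparing names as Windows does."""
    current = base_dir
    for part in (p for p in re.split(r"[\\/]+", rel_path) if p not in ("", ".")):
        names = os.listdir(current) if os.path.isdir(current) else []
        match = [n for n in names if n.lower() == part.lower()]
        if not match:
            return False
        current = os.path.join(current, match[0])
    return os.path.isfile(current)

def orphaned_autoruns(root):
    """List (path, missing targets) for autorun.inf files whose every local target is gone."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower() == "autorun.inf"):
            path = os.path.join(folder, name)
            with open(path, errors="replace") as handle:
                targets = launch_targets(handle.read())
            # Skip targets with a drive letter or %VARIABLE%; they are not relative to this folder.
            local = [t for t in targets if "%" not in t and ":" not in t]
            missing = [t for t in local if not exists_nocase(folder, t)]
            if local and len(missing) == len(local):
                hits.append((path, missing))
    return hits
```

Call `orphaned_autoruns()` with the root of a share and review the returned list before removing anything; a file that launches nothing, or whose target is still present, is left out of the report.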