Worm:W32/Downaduprun.A is Generic Detection of the malicious autorun files created by Worm:W32/Downadup, which exploit the Windows Autorun functionality to spread the worm.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Typical Autorun.inf files are very small in size. The Downadup worm inflates the size of its autorun.inf in an attempt to avoid detection by antivirus signature scanners. Binary characters are used to inflate the file size. These binary characters are ignored by the Windows operating system.
On execution of the file, Windows runs the bloated file and finds the following command buried in the garbage text:
- Open=RUNDLL32.EXE .\RECYCLER\jwgvsq.vmx
This command executes a DLL called jwgvsq.vmx from a hidden folder on the removable drive containing the malicious autorun.inf.
This malware is discussed in the following Labs Weblog post:
About Generic Detections
Unlike more traditional detections (also known as signatures or single-file detections) a Generic Detection does not identify a unique or individual malicious program. Instead, a Generic Detection looks for broadly applicable code or behavior characteristics that indicate a file as potentially malicious, so that a single Generic Detection can efficiently identify dozens, or even hundreds of malware.
For more information about Generic Detections, see the Generic Detection description.