Detection Names :	Worm:W32/Downaduprun.A
Category:	Malware
Type:	Worm
Platform:	W32

Worm:W32/Downaduprun.A is Generic Detection of the malicious autorun files created by Worm:W32/Downadup, which exploit the Windows Autorun functionality to spread the worm.

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Typical Autorun.inf files are very small in size. The Downadup worm inflates the size of its autorun.inf in an attempt to avoid detection by antivirus signature scanners. Binary characters are used to inflate the file size. These binary characters are ignored by the Windows operating system.

Execution

On execution of the file, Windows runs the bloated file and finds the following command buried in the garbage text:

This command executes a DLL called jwgvsq.vmx from a hidden folder on the removable drive containing the malicious autorun.inf.

Note

This malware is discussed in the following Labs Weblog post:

About Generic Detections

Unlike more traditional detections (also known as signatures or single-file detections) a Generic Detection does not identify a unique or individual malicious program. Instead, a Generic Detection looks for broadly applicable code or behavior characteristics that indicate a file as potentially malicious, so that a single Generic Detection can efficiently identify dozens, or even hundreds of malware.

For more information about Generic Detections, see the Generic Detection description.