Autorun worms spread from USB/thumb drives as well as fixed and mapped drives. Autorun worms typically drop or download additional malware, usually backdoors and password stealers. For a description of how Autorun malware works, see the Autorun FAQs. To remove an Autorn worm, follow the steps below.
Difficulty: Average
Time Required: Varies depending on extent of infection
Here's How:
- Before attempting removal of an autorun worm, you must first disable Autorun. See: How to Disable Autorun in Windows XP or How to Disable Autorun in Vista.
- After you have disabled autorun, search the root of all drives (including all USB/thumb drives) for the presence of an autorun.inf file. When you have located the autorun.inf file, open it using a text editor such as Notepad and look for any lines that begin with Label=" and "shellexecute=". Note the name of the file designated by these lines.
- Close the autorun.inf file and delete it from the drive. Now locate the file that was designated in Step 2 and delete that file as well.
- Repeat these steps for all local, mapped, and removable drives.
- Note that if an autorun worm is discovered, you should anticipate other infections have occurred and also that your antivirus/firewall/security software may have been disabled and/or tampered with. Ensure the antivirus is working properly by using an Eicar test file.
- If you are unable to delete the malware files, or they reappear after deleting, use a bootable antivirus rescue CD to access the drive without allowing the malware to load first. You should then be able to delete the target files.
