During the last couple of years we have seen malware authors increasingly incorporate the autorun.inf infection vector into malware families, with stunning success. In addition to traditional autorun worms that use this feature, pure-play backdoors, bots, password stealers, and even parasitic viruses that previously required a user to click on an executable file to infect the system have incorporated this technique. While the autorun functionality in operating systems does provide some convenience (it saves a couple of clicks), it has single-handedly revived the 1980s model of hand-carried malware propagation.
Two prolific parasitic virus families that have incorporated this infection vector are W32/Sality and W32/Virut. When a removable drive is inserted into an infected machine, the W32/Sality virus infects Microsoft Notepad or Minesweeper and copies it onto the removable drive. The infected notepad.exe or winmine.exe file is renamed with a random .pif or .scr extension and is accompanied by an obfuscated autorun.inf. Below you’ll see a code snippet and the accompanying autorun.inf file.
Even if the removable drive is cleaned of the virus infection, the randomly named Microsoft executable would still exist on the drive. Although benign, the leftover remnants would cause some degree of confusion about the origin of the file, especially since it’s a renamed Microsoft file with a .pif or .scr extension!
The W32/Virut virus is also known to copy infected notepad.exe files to removable drives. Both these virus families are a royal pain in the posterior to clean. This technique provides a resourceful way for them to reinfect hosts even after cleanup.
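A defender's check for the artifacts described above, as an added example that is not from the original post or from McAfee: it parses an autorun.inf while ignoring junk lines, reports launch entries that point at .pif or .scr files, and lists such files left in a drive root once no autorun entry references them. The sample file, the name qmxtv.pif and the junk-comment style of obfuscation are constructed assumptions; `open`, `shellexecute` and `shell\<verb>\command` are the standard autorun.inf launch keys.

```python
import re
from pathlib import PureWindowsPath

# autorun.inf keys that name a program to launch.
LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(\S.*?)\s*$", re.I)
# Extensions the article reports on the renamed notepad.exe / winmine.exe copies.
FLAGGED_EXT = {".pif", ".scr"}

# Constructed sample: junk comment lines around real keys (assumed obfuscation style).
SAMPLE = r"""
;kq8Zp1 xw93 vvn
[AutoRun]
;fjw02 lLq
open=qmxtv.pif
;0932jd pqe
shell\open\command=qmxtv.pif
shell\explore\Command= qmxtv.pif
icon=%SystemRoot%\system32\shell32.dll,4
"""

def launch_targets(autorun_text):
    """Return (key, program) pairs from [autorun], skipping junk lines."""
    found, in_section = [], False
    for line in autorun_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_section = stripped.lower().startswith("[autorun]")
            continue
        m = LAUNCH_KEY.match(line) if in_section else None
        if m:
            value = m.group(2)
            # Keep only the program, not its arguments.
            prog = value[1:].split('"')[0] if value[0] == '"' else value.split()[0]
            found.append((m.group(1).lower(), prog))
    return found

def flagged(targets):
    """Launch entries whose target carries a .pif or .scr extension."""
    return [(k, p) for k, p in targets
            if PureWindowsPath(p).suffix.lower() in FLAGGED_EXT]

def orphaned(root_files, targets):
    """.pif/.scr files in the drive root that no autorun entry references."""
    referenced = {PureWindowsPath(p).name.lower() for _, p in targets}
    return [f for f in root_files
            if PureWindowsPath(f).suffix.lower() in FLAGGED_EXT
            and f.lower() not in referenced]

if __name__ == "__main__":
    print(flagged(launch_targets(SAMPLE)))
    print(orphaned(["qmxtv.pif", "report.docx"], []))  # drive after autorun.inf removal
```

A file returned by `orphaned` is only a candidate for review: as the post notes, the leftover may be a benign renamed Microsoft binary, so confirm it with a scanner before deleting it.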