A new worm targeting removable drives, called the SillyFD-AA worm, searches for removable drives such as floppy disks and USB memory sticks and creates a hidden autorun.inf file which makes the worm execute the next time the device is connected to a computer running Windows. In addition, it changes the title of Internet Explorer windows to say that the computer has been “Hacked by 1BYTE.” The threat of this particular worm is limited, partly because up-to-date desktop anti-virus software should be capable of intercepting the virus when it tries to run.
Graham Cluley, senior technology consultant at Sophos, said the worm has not been widely distributed, and that researchers were warning the public because of the potential danger. It would be easy, he continued, to add to the worm the ability to transmit through other routes, such as e-mail and instant messaging. “This type of attack is perhaps understandable as so many businesses these days do have e-mail gateway protection in place…they can scan files coming into their company via e-mail attachments, but can’t check the files coming in attached to the keychain in peoples’ pockets,” said Cluley.
Sophos’ security experts advise users to disable the autorun facility of Windows so removable devices do not automatically launch when they are attached to a computer. Any storage device that is attached to a computer should be checked for virus and other malware before use, Sophos officials said. “Companies may also consider installing software which locks down and controls access to external drives such as USB sticks. In some firms this may make sense not just because of the malware threat, but also the problem of employees stealing sensitive or confidential information out of a company on their USB drive,” said Cluley.