Microsoft security software detects and removes this threat.

This family of worms spreads by copying itself to the mapped drives of an infected PC, including network or removable drives.

What to do now

The following Microsoft security software detects and removes this threat: 

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC

Recovering from recurring infections on a network

You might need to take the following steps to completely remove this threat from an infected network, and to stop recurring infections from network-spreading malware:

  1. Ensure that an antivirus product is installed on all computers connected to the network that can access or host shares.
  2. Ensure that all available network shares are scanned with an up-to-date antivirus product.
  3. Restrict permissions as appropriate for network shares on your network. See Use Access Control to restrict who can use files for more information.
  4. Remove any unnecessary network shares or mapped drives.

You might also need to temporarily change the permission on network shares to read-only until the disinfection process is complete.

Threat behavior

Spreads via…

Mapped drives

When the worm runs on your computer, it enumerates all drives of your PC until a mapped drive is found. The worm tries to copy itself to the mapped drive. Worm:Win32/Autorun then writes an autorun configuration file named 'autorun.inf' pointing to the worm executable.

When the removable or networked drive is accessed from a computer supporting the Autorun feature, the malware is launched automatically.


Alerts from your security software may be the only symptom.


Disable Autorun

This threat tries to use the Windows Autorun function to spread via removable drives, like USB flash drives. You can disable Autorun to prevent worms from spreading:

Take these steps to help prevent infection on your computer.

Alert level: Severe
First detected by definition:
Latest detected by definition: 1.179.1550.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Feb 04, 2011
This entry was updated on: Oct 10, 2013

This threat is also detected as:
No known aliases