Autorun.inf virus

  • Thread starter Thread starter Sid Elbow
  • Start date Start date
S

Sid Elbow

My virus Scanner AVG has just reported a virus in a file that's been
siting in a backup directory on my system for just about a year without
being previously flagged (I guess yesterday's update got it).

What surprised me was that the file reported is an application's
autorun.inf which is a text file. When I opened the file in wordpad I
saw this

[AutoRun]
open=RavMon.exe
shell\open=´ò¿ª(&O)
shell\open\Command=RavMon.exe
shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X)
shell\explore\Command="RavMon.exe -e"

(I hope the strange characters in the 3rd and 5th lines show up).

Is it possible that this could act as a virus/malware?
 
From: "Sid Elbow" <[email protected]>

| My virus Scanner AVG has just reported a virus in a file that's been
| siting in a backup directory on my system for just about a year without
| being previously flagged (I guess yesterday's update got it).
|
| What surprised me was that the file reported is an application's
| autorun.inf which is a text file. When I opened the file in wordpad I
| saw this
|
| [AutoRun]
| open=RavMon.exe
| shell\open=´ò¿ª(&O)
| shell\open\Command=RavMon.exe
| shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X)
| shell\explore\Command="RavMon.exe -e"
|
| (I hope the strange characters in the 3rd and 5th lines show up).
|
| Is it possible that this could act as a virus/malware?

Yes it is possible it is a Trojan but not a virus.

Is there a RavMon.exe on the PC ?

If yes...
Please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
 
David said:
From: "Sid Elbow" <[email protected]>

| My virus Scanner AVG has just reported a virus in a file that's been
| siting in a backup directory on my system for just about a year without
| being previously flagged (I guess yesterday's update got it).
|
| What surprised me was that the file reported is an application's
| autorun.inf which is a text file. When I opened the file in wordpad I
| saw this
|
| [AutoRun]
| open=RavMon.exe
| shell\open=´ò¿ª(&O)
| shell\open\Command=RavMon.exe
| shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X)
| shell\explore\Command="RavMon.exe -e"
|
| (I hope the strange characters in the 3rd and 5th lines show up).
|
| Is it possible that this could act as a virus/malware?

Yes it is possible it is a Trojan but not a virus.

Is there a RavMon.exe on the PC ?

No ... however the file is part of a bug-fix that I was sent by the
tech-support for a Far East MP3/MP4 Player about a year ago. It did
scan for a virus or trojan some time ago that was removed which may well
have been the Ravmon file.

Thanks, Dave.

In today's case, it was only the autorun.inf that was flagged which
surprised me. I guess AVG just updated their detection for this malware
to include the autorun.inf and it's now showing up.
 
From: "Sid Elbow" <[email protected]>


|
| No ... however the file is part of a bug-fix that I was sent by the
| tech-support for a Far East MP3/MP4 Player about a year ago. It did
| scan for a virus or trojan some time ago that was removed which may well
| have been the Ravmon file.
|
| Thanks, Dave.
|
| In today's case, it was only the autorun.inf that was flagged which
| surprised me. I guess AVG just updated their detection for this malware
| to include the autorun.inf and it's now showing up.

The INF must be a remanant then and the recent signature update must be generic based upon
recent increases in trojans deliberating being installed via the AutoRun capability of
removable media. While the INF file isn't malicious in itself, it is a component of the
Trojans's infection vector.
 
Back
Top