
  • Mastering Reverse Engineering
  • Reginald Wong
  • 242 words
  • 2021-06-10 19:40:26

Media storage

Network administrators are very restrictive when it comes to using thumb drives. The primary reason is that external storage devices, such as USB thumb drives, CDs, DVDs, external hard drives, and even smartphones, are all media on which malware can store itself. Once a storage device is mounted on a computer, it behaves like a regular drive, and malware can simply drop copies of itself onto it. Similar to network worms, these are worms that depend on the user to run the malware. But with the Windows Autorun feature turned on, malware may execute as soon as the drive is mounted, as can be seen in the following screenshot:

The previous image is the default dialog encountered when inserting a CD containing setup software.

The autorun.inf file in the root of a drive contains information on which file to execute automatically. It is used by software installers stored on CDs so that the setup program runs automatically when the disk is inserted. Malware abuses this by performing these steps:

  1. Dropping a copy of its malware file in removable drives
  2. Generating, along with the dropped copy, an autorun.inf file that points to the dropped executable file, as can be seen in the following example:

The autorun.inf for the VirtualBox setup autoplay dialog shown previously contains the text shown in the previous screenshot. The open property contains the executable to be run.
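
As an added example (not from the book), the following Python parser lists what an autorun.inf would launch, which is useful when auditing removable media. The sample file and all function names are constructed for illustration; beyond the open property described above, it also reads the shellexecute and shell\verb\command keys of the same [autorun] section.

```python
import re

# [autorun] keys that name a command to launch; icon, label etc. are ignored.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
RISKY_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")

def autorun_targets(text):
    """Return [(key, command)] for each launch entry in an autorun.inf body."""
    targets, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()    # names are case-insensitive
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key) and value:
            targets.append((key.lower(), value))
    return targets

def program_of(command):
    """Extract the program path from a command line, honouring quotes."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]

def review(text):
    """Return [(key, program)] for entries that launch an executable or script."""
    pairs = [(k, program_of(c)) for k, c in autorun_targets(text)]
    return [(k, p) for k, p in pairs if p.lower().endswith(RISKY_EXT)]

# Constructed sample for illustration; not the file from the book's screenshot.
SAMPLE = """\
; constructed autorun.inf
[AutoRun]
OPEN=setup.exe /s
icon=setup.exe,0
shell\\explore\\command = "tools\\helper.cmd" --quiet
[Content]
open=ignored.exe
"""

if __name__ == "__main__":
    for key, program in review(SAMPLE):
        print(f"{key} -> {program}")
```

Each finding is a file to inspect on the drive: a legitimate installer disc points at its setup program, while a dropped worm copy is typically an unexpected executable in the drive root.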
