A new variant of the Autorun worm family, Autorun:Worm-LNK, spreads through USB removable storage devices by exploiting the Windows shortcut (LNK) vulnerability. Once a system is infected, the malware copies itself to every USB removable storage device that is plugged in, dropping a set of crafted .LNK exploit files alongside its own executable files.
This variant is spreading quickly, not least because users still running Windows 2000, Windows XP, Windows XP Service Pack 1 and Windows XP Service Pack 2 will receive no security update from Microsoft: support for those releases has ended. The only defence available to them at the moment is Microsoft's Fix It workaround (see Solution below). On supported releases, including Windows Vista and Windows 7, the same workaround should be applied until Microsoft ships a proper update for this vulnerability.
This vulnerability is due to the failure of Microsoft Windows to properly obtain icons for .LNK files. Windows uses .LNK files, commonly referred to as "shortcuts," as references to files or applications. By convincing a user to display a specially crafted .LNK file, an attacker may be able to execute arbitrary code with the privileges of that user. Merely viewing the folder that contains the .LNK file in Windows Explorer is sufficient to trigger the vulnerability; the shortcut does not have to be clicked.

By default, Windows has AutoRun/AutoPlay enabled. These features can cause Windows to open Windows Explorer automatically when a removable drive is connected, which displays the folder containing the .LNK file and so triggers the vulnerability. Other applications that display file icons can serve as an attack vector as well. Depending on the operating system and the AutoRun/AutoPlay configuration, exploitation can therefore occur without any interaction from the user. The vulnerability can also be exploited remotely through a malicious website, or through a malicious file share or WebDAV share.
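Because a shortcut is dangerous here as soon as its folder is displayed, a removable drive should be triaged from a machine that does not render icons, or from a script, before it is opened in Explorer. The following PowerShell script is an added example written for this page; it is not part of the original article, the worm write-up or any vendor tool. It lists the .LNK files on removable drives, confirms each one really is a Shell Link (HeaderSize 0x4C and the LinkCLSID at offset 4, per the published Shell Link Binary File Format), records its LinkFlags and SHA-256, and applies a heuristic that is this author's assumption rather than a documented indicator: a shortcut that carries only a target IDList (no LinkInfo, name or relative path) and embeds a path ending in .dll or .tmp does not look like a normal shortcut. It scans the file body for path strings instead of walking the IDList item by item, so it favours simplicity over precision.

```powershell
# Added example, not part of the original page or of any vendor tool: offline
# triage of the .LNK files on removable drives. The heuristic is this author's
# assumption: a Shell Link that carries a target IDList but no LinkInfo, name
# or relative path, and that embeds a path ending in .dll or .tmp, is not what
# a normal shortcut looks like and deserves a closer look.
param([string[]]$Drives)   # e.g. 'E:\'; defaults to every removable disk

# LinkFlags bits from the Shell Link Binary File Format header (offset 20).
$HasLinkTargetIDList = 0x1
$HasLinkInfo         = 0x2
$HasName             = 0x4
$HasRelativePath     = 0x8
# LinkCLSID 00021401-0000-0000-C000-000000000046 as it is laid out on disk.
$LinkClsidBytes = '01-14-02-00-00-00-00-00-C0-00-00-00-00-00-00-46'

function Get-EmbeddedLibraryPaths {
    param([byte[]]$Bytes)
    $hits = @()
    # Path strings inside a shortcut are UTF-16LE (occasionally ANSI); decode at
    # both byte alignments plus ASCII so the alignment of the item does not matter.
    $texts = @([Text.Encoding]::Unicode.GetString($Bytes), [Text.Encoding]::ASCII.GetString($Bytes))
    if ($Bytes.Length -gt 1) { $texts += [Text.Encoding]::Unicode.GetString($Bytes, 1, $Bytes.Length - 1) }
    foreach ($t in $texts) {
        foreach ($m in [regex]::Matches($t, '[\x20-\x7E]{4,}\.(dll|tmp)', 'IgnoreCase')) { $hits += $m.Value }
    }
    return @($hits | Sort-Object -Unique)
}

function Test-LnkFile {
    param([string]$Path)
    $b = [IO.File]::ReadAllBytes($Path)
    # A real Shell Link starts with HeaderSize 0x4C followed by the LinkCLSID.
    if ($b.Length -lt 76 -or [BitConverter]::ToUInt32($b, 0) -ne 0x4C) { return $null }
    if ([BitConverter]::ToString($b, 4, 16) -ne $LinkClsidBytes) { return $null }
    $flags = [BitConverter]::ToUInt32($b, 20)
    $paths = @(Get-EmbeddedLibraryPaths $b)
    $idListOnly = (($flags -band $HasLinkTargetIDList) -ne 0) -and (($flags -band ($HasLinkInfo -bor $HasName -bor $HasRelativePath)) -eq 0)
    $sha = ([BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($b))).Replace('-', '')
    New-Object PSObject -Property @{
        Suspicious   = ($idListOnly -and $paths.Count -gt 0)
        Path         = $Path
        LinkFlags    = ('0x{0:X8}' -f $flags)
        LibraryPaths = ($paths -join '; ')
        SHA256       = $sha
    }
}

if (-not $Drives) {
    # Win32_LogicalDisk DriveType 2 = removable disk (USB sticks, card readers).
    $Drives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object { $_.DeviceID + '\' }
}
$results = foreach ($d in $Drives) {
    Get-ChildItem -Path $d -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { Test-LnkFile $_.FullName } |
        Where-Object { $_ -ne $null }
}
$results | Sort-Object Suspicious -Descending | Format-Table Suspicious, Path, LinkFlags, LibraryPaths, SHA256 -AutoSize
```

Run it from a console (`.\Triage-Lnk.ps1 -Drives 'E:\'`) on a system where the icon-handler workaround from the Solution section is already applied, so that listing the drive cannot itself trigger the bug; a legitimate shortcut to a Control Panel item can also show up as IDList-only, so treat a hit as a reason to submit the file and its neighbours for analysis, not as proof of infection. The SHA-256 column is there so that samples can be matched against vendor detections.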
Affected Operating Systems
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems
Solution
The best workaround at the moment is to disable the display of icons for LNK and PIF shortcuts, as described in Microsoft's security advisory. Microsoft has released a Fix It tool that applies this workaround automatically until an official patch is available; it is published in Microsoft Knowledge Base Article 2286198.
NOTE: Applying the Fix It removes the graphical icons of shortcuts on the desktop, the taskbar and the Start menu; they are replaced with generic white icons. The change is cosmetic and expected, and it is reversed when the workaround is undone after the official update has been installed.
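The Fix It makes two registry changes: it blanks the (Default) value of HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler and of HKEY_CLASSES_ROOT\piffile\shellex\IconHandler, so that Explorer no longer asks the shell's shortcut icon handler for an icon. The PowerShell script below is an added example written for this page; it is not Microsoft's Fix It and not from the original article. Run from an elevated prompt, it checks, applies or reverts the same change, exporting each key with reg.exe first so the revert is exact, and it optionally covers the two other vectors named above: AutoRun for all drive types (NoDriveTypeAutoRun = 0xFF) and the WebClient service that provides WebDAV access. The parameter names and the backup folder are this author's choices.

```powershell
# Added example (not Microsoft's Fix It and not from the original page): apply,
# check or revert the advisory's workaround from an elevated PowerShell prompt.
# Blanks the (Default) value of the lnkfile and piffile IconHandler keys after
# exporting them with reg.exe, optionally disables AutoRun for all drive types
# and the WebClient (WebDAV) service, then restarts Explorer so the change
# takes effect. Parameter names and the backup folder are this author's choice.
param(
    [ValidateSet('Check', 'Apply', 'Revert')] [string]$Action = 'Check',
    [string]$BackupDir = "$env:SystemDrive\LnkWorkaroundBackup",
    [switch]$DisableAutoRun,
    [switch]$DisableWebClient
)

$IconHandlerKeys = @(
    'HKCR:\lnkfile\shellex\IconHandler',   # default value {00021401-0000-0000-C000-000000000046}
    'HKCR:\piffile\shellex\IconHandler'
)
$AutoRunPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# HKCR: is not a default PowerShell drive; map it once.
if (-not (Get-PSDrive HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-IconHandler([string]$Key) {
    # (Default) value of the key; $null or '' means the workaround is in place.
    (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).'(default)'
}

function Get-BackupFile([string]$Key) {
    # HKCR:\lnkfile\... -> <BackupDir>\lnkfile.reg
    Join-Path $BackupDir (($Key -split '\\')[1] + '.reg')
}

function Backup-Key([string]$Key) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $regPath = $Key -replace '^HKCR:\\', 'HKEY_CLASSES_ROOT\'
    $file = Get-BackupFile $Key
    if (Test-Path $file) { Remove-Item $file -Force }
    reg.exe export $regPath $file | Out-Null
    $file
}

function Restart-Explorer {
    # Explorer caches the icon handler; restart it so the registry change is honoured.
    Get-Process explorer -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Sleep -Seconds 2
    if (-not (Get-Process explorer -ErrorAction SilentlyContinue)) { Start-Process explorer.exe }
}

switch ($Action) {
    'Check' {
        foreach ($k in $IconHandlerKeys) {
            $v = Get-IconHandler $k
            $state = if ([string]::IsNullOrEmpty($v)) { 'workaround applied' } else { "icon handler active ($v)" }
            "{0}: {1}" -f $k, $state
        }
        $autorun = (Get-ItemProperty $AutoRunPolicy -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        "NoDriveTypeAutoRun: {0}" -f $(if ($autorun -eq 0xFF) { '0xFF (AutoRun disabled on all drives)' } else { "$autorun (AutoRun still possible)" })
        "WebClient service: {0}" -f (Get-Service WebClient -ErrorAction SilentlyContinue).Status
    }
    'Apply' {
        foreach ($k in $IconHandlerKeys) {
            "Backed up $k to " + (Backup-Key $k)
            Set-ItemProperty -Path $k -Name '(default)' -Value ''
        }
        if ($DisableAutoRun) {
            if (-not (Test-Path $AutoRunPolicy)) { New-Item -Path $AutoRunPolicy -Force | Out-Null }
            Set-ItemProperty -Path $AutoRunPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        }
        if ($DisableWebClient) {
            Stop-Service WebClient -Force -ErrorAction SilentlyContinue
            Set-Service WebClient -StartupType Disabled
        }
        Restart-Explorer
    }
    'Revert' {
        foreach ($k in $IconHandlerKeys) {
            $file = Get-BackupFile $k
            if (Test-Path $file) { reg.exe import $file | Out-Null; "Restored $k from $file" }
        }
        Restart-Explorer
    }
}
```

Typical use is `.\Lnk-Workaround.ps1 -Action Apply -DisableAutoRun -DisableWebClient`, then `-Action Check` to confirm, and `-Action Revert` once the official update is installed. On Windows 2000 and XP systems without PowerShell, the same two edits are made in regedit exactly as the advisory describes: export each IconHandler key, clear its (Default) value, and log off or restart Explorer.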