The United States Computer Emergency Readiness Team (US-CERT) issued a warning on Tuesday, and updated it yesterday, regarding the Downadup worm, which has infected over 10 million computers so far. US-CERT said Microsoft’s originally proposed fix does not cover all versions of the Windows operating system.
The Downadup worm creates an “autorun.inf” file on every USB drive it finds attached to a Windows system. Windows’ AutoRun feature automatically executes the instructions contained in that file; it is the mechanism that lets CDs, USB sticks and other removable media start an installer, or a program specific to the media, on their own (an encyclopedia CD launching its own browser, for example).
Microsoft originally advised a registry fix that would disable the AutoRun feature. However, US-CERT said that fix does not work on Windows 2000, XP and Server 2003. Machines running Vista and Server 2008 will have received an automatic update as part of the MS08-038 bulletin. The subsequent KB953252 support document describes how users of 2000, XP and Server 2003 can install the fix manually.
US-CERT warned that because Microsoft’s solution only works on systems with the KB953252 patch applied, only the systems that received it automatically are immune to this form of Downadup’s attack. All other machines, on which the patch has not been applied manually, remain vulnerable.
US-CERT identifies the problem with Microsoft’s patch as an error in the Windows operating system, which fails to correctly distinguish two things: the AutoRun feature and the Multimedia Change feature.
Even with AutoRun disabled, Windows 2000, XP and Server 2003 systems that lack the patch will still load and execute the Downadup code. Disabling the Multimedia Change feature, US-CERT’s proposed solution, always works.
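The two mechanisms the article describes, the directives in an autorun.inf file that make Windows launch a program and the registry setting that disables AutoRun per drive type, are illustrated below in an added example (written for this page, not code from the article, US-CERT or Microsoft). The sample autorun.inf is constructed and its file names are invented; the NoDriveTypeAutoRun registry value and its bitmask are documented Windows behaviour, not something the article names. The bitmask check is deliberately kept separate from the file check because, as the article says, an unpatched 2000, XP or 2003 system can execute the file even when AutoRun is disabled, so a "disabled" bitmask is not on its own a guarantee.

```python
import re
from typing import Dict, List

# [autorun] directives that name something to execute, as opposed to
# icon=, label= or action=, which only affect how the media is presented.
EXECUTING_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... also names a program (run via the verb's menu entry).
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# Bits of the NoDriveTypeAutoRun value under
# Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (HKLM or HKCU).
# A set bit disables AutoRun for that drive type; 0xFF disables all of them.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB stick, floppy)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM/DVD",
    0x40: "RAM disk",
    0x80: "reserved",
}

# Constructed sample autorun.inf (invented names, not the worm's real file).
# The junk line shows why the parser must tolerate non key=value content.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
; constructed sample for illustration
icon=photos.ico
label=Holiday photos
open=setup\\viewer.exe
shell\\open\\command=setup\\viewer.exe
shell=open
action=Open folder to view files
xxyyzz padding line without an equals sign
"""


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return key/value pairs from the [autorun] section.

    Other sections, comments and lines that are not key=value are ignored,
    so padding or garbage inside the section does not stop the parse.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def executing_directives(entries: Dict[str, str]) -> List[str]:
    """Directives that would make Windows launch a program for this media."""
    return [
        f"{key}={value}"
        for key, value in entries.items()
        if key in EXECUTING_KEYS or SHELL_COMMAND_RE.match(key)
    ]


def autorun_enabled_for(no_drive_type_autorun: int, drive_bit: int) -> bool:
    """True if AutoRun is still enabled for the drive type given by drive_bit."""
    return (no_drive_type_autorun & drive_bit) == 0


def disabled_drive_types(no_drive_type_autorun: int) -> List[str]:
    """Human-readable list of drive types the value disables AutoRun for."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if no_drive_type_autorun & bit]


if __name__ == "__main__":
    entries = parse_autorun_inf(SAMPLE_AUTORUN_INF)
    for directive in executing_directives(entries):
        print("would execute:", directive)
    for value in (0x91, 0xFF):
        print(f"NoDriveTypeAutoRun=0x{value:02X}: removable AutoRun enabled =",
              autorun_enabled_for(value, 0x04), "| disabled for:",
              ", ".join(disabled_drive_types(value)))
```

Run against a mounted drive's autorun.inf, the first two functions tell a responder whether the file would launch anything and what; the bitmask functions show which drive types a given NoDriveTypeAutoRun value covers (0xFF being the "all types" setting the registry fix aims for).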
Microsoft contacted the US-CERT website and offered a direct link to KB953252 for those who want to apply the fix manually, so that disabling the AutoRun feature works correctly on all versions of the Windows operating system.
The Microsoft article is available here, as is US-CERT’s Technical Cyber Security Alert TA09-020A bulletin.