Trojan:AutoRun-A is a legacy malware family that exploits Windows AutoRun functionality to spread across removable media and network shares. First identified in the mid-2000s, this trojan persists primarily on systems that haven't disabled AutoRun features or remain unpatched against older vulnerabilities. While modern Windows versions have significantly restricted AutoRun capabilities, variants of this threat still circulate in environments with legacy configurations, shared USB drives in industrial settings, or systems running older versions of Windows without current security updates.
This trojan typically arrives via infected USB drives, external hard drives, or mapped network locations. Once executed, it modifies system settings to automatically launch itself whenever new media is inserted or accessed. Beyond self-replication, Trojan:AutoRun-A variants commonly download additional payloads, create backdoors for remote access, or harvest credentials and system information for transmission to command-and-control servers.
Threat Profile
| Attribute | Details |
|---|---|
| Malware Family | Trojan:Win32/AutoRun (multiple variants including A, B, C, etc.) |
| Common Aliases | Worm:AutoRun, VBS/Autorun, Trojan.Autorun, Win32/Autorun.worm |
| Platform | Windows XP/Vista/7 (primarily); some variants affect Windows 8/10 with legacy AutoRun settings enabled |
| First Discovered | 2005-2006 (peak prevalence 2008-2010) |
| Distribution Method | Removable media exploitation (USB drives, external HDDs), network shares, malicious autorun.inf files |
| Persistence Mechanism | Registry Run keys, autorun.inf files on all available drives, scheduled tasks, system service creation (variant-dependent) |
| Primary Capabilities | Self-replication to removable media, backdoor installation, payload downloading, system information theft, disabling security software |
| Typical File Size | 15-250 KB (the dropper itself); downloaded payloads vary significantly |
| Network Behavior | HTTP/HTTPS connections to C2 servers for command retrieval and data exfiltration; some variants use IRC channels or FTP |
| Common Artifacts | autorun.inf files on drives, hidden executable files in drive root directories, registry modifications to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Data at Risk | Stored credentials, browser history/cookies, email credentials, FTP passwords, system configuration details |
| Removal Difficulty | Moderate — requires manual cleanup of multiple drives and careful registry editing; reinfection risk is high if all infected media aren't cleaned |
How It Spreads
Trojan:AutoRun-A exploits the Windows AutoRun feature that was designed to automatically launch programs when removable media is inserted. When you plug in an infected USB drive, the operating system reads an autorun.inf file placed by the malware in the root directory of that drive. This file instructs Windows to execute the trojan's binary automatically — often without any visible prompt on systems with AutoRun fully enabled. The malware then copies itself to the local hard drive and immediately begins scanning for other connected drives and accessible network shares to infect.
The infection chain doesn't stop with one machine. Once Trojan:AutoRun-A establishes itself on your computer, it monitors for newly connected removable media. The moment you insert a clean USB drive, the malware writes its files and autorun.inf configuration to that drive. When you or a colleague then uses that USB drive on another computer, the cycle repeats. This makes AutoRun trojans particularly problematic in office environments, educational institutions, and industrial facilities where USB drives frequently move between workstations.
Beyond removable media, this trojan family also spreads through:
- Network share exploitation — The malware writes itself to accessible network folders (particularly those with write permissions), infecting workstations that browse or map those shares
- Email attachments — Some variants arrive as ZIP files containing both the executable and a crafted autorun.inf, disguised as legitimate documents or software
- Drive-by downloads — Compromised websites or malicious advertisements can drop AutoRun trojan components onto systems, which then propagate to removable media
- Peer-to-peer networks — The malware has been found bundled with pirated software, key generators, and "cracked" applications distributed through file-sharing platforms
- Social engineering — Attackers deliberately leave infected USB drives in parking lots, lobbies, or public spaces, relying on curiosity to prompt someone to insert the drive
What It Does On Your Machine
Upon execution, Trojan:AutoRun-A immediately establishes multiple persistence mechanisms to survive system reboots. The malware copies its main executable to a system directory — typically a randomly named folder within %APPDATA%, %LOCALAPPDATA%, or %PROGRAMFILES% — and creates Windows Registry entries that launch this file every time the system starts. Common registry locations include the Run and RunOnce keys under both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, ensuring the trojan loads regardless of which user account logs in.
The trojan's primary observable behavior is its aggressive drive infection routine. It continuously monitors for new drive letters appearing in the system, whether from USB drives, SD cards, external hard drives, or mapped network locations. When a new drive is detected, the malware writes two files: an autorun.inf configuration file and a copy of its executable (often with a system or hidden file attribute to avoid casual detection). The autorun.inf file contains instructions like open=malware.exe or uses shell command hooks to trigger execution when the drive is accessed.
Beyond self-replication, Trojan:AutoRun-A variants serve as downloaders or droppers for additional malicious payloads. After establishing itself on your system, the trojan typically connects to a remote server to report the successful infection and download secondary components. These payloads vary but commonly include keyloggers to capture passwords and sensitive data, information stealers that harvest browser credentials and email account details, backdoor trojans that grant attackers remote access to your machine, and cryptocurrency miners that consume system resources for the attacker's profit.
The malware also attempts to disable security measures that might interfere with its operation. Many variants modify Windows Registry settings to prevent Task Manager from launching, disable Windows Defender or other antivirus software, block access to registry editing tools (regedit.exe), and hide file extensions and hidden files in Windows Explorer to make their presence less obvious. Some versions also terminate processes associated with security software or monitoring tools, actively fighting against cleanup attempts.
Manual Removal — Step by Step
Disconnect All Removable Media and Network Connections
Before beginning removal, unplug all USB drives, external hard drives, SD cards, and any other removable storage from your computer. Disconnect from your network (unplug the Ethernet cable or disable WiFi). This prevents the trojan from reinfecting cleaned drives or spreading to network shares during the removal process. Keep all removable media disconnected until you've completed cleanup and verified the system is clean.
Boot Into Safe Mode with Networking
Restart your computer and repeatedly press F8 (Windows 7/Vista/XP) or hold Shift while clicking Restart (Windows 8/10/11) to access the boot options menu. Select "Safe Mode with Networking" from the list. This loads Windows with minimal drivers and services, preventing most malware from automatically starting. Safe Mode also makes it easier to delete files that would otherwise be locked by running processes.
Show Hidden Files and System Files
Open Windows Explorer, click on "Organize" (or "View" in Windows 10/11), then "Folder and search options." Under the View tab, select "Show hidden files, folders, and drives" and uncheck "Hide protected operating system files." Click Apply. This reveals the autorun.inf files and hidden executables that the trojan uses to propagate. The malware specifically relies on these files being invisible to casual users.
Terminate Malicious Processes
Press Ctrl+Shift+Esc to open Task Manager (if the trojan has disabled it, you'll need to re-enable it via Registry or use a third-party process manager). Look for suspicious processes with names like svchost.exe, winlogon.exe, or csrss.exe running from user directories rather than System32. Right-click and select "End Process Tree." Note the full file path shown in the properties before terminating, as you'll need to delete these files in subsequent steps.
Clean Registry Persistence Entries
Press Windows+R, type regedit and press Enter. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for unfamiliar entries pointing to executables in AppData, Temp, or other non-standard locations. Right-click suspicious entries and delete them. Also check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon — the "Shell" value should only contain "explorer.exe" and nothing else.
Delete the Malware Files and Folders
Using Windows Explorer, navigate to the locations you identified in Task Manager. Common locations include C:\Users\[YourName]\AppData\Roaming\, AppData\Local\, and AppData\Local\Temp\. Delete any folders containing the malicious executables. Check the Recycle Bin folder on each drive (including the root directory) as some variants hide there. Empty the Windows Recycle Bin when finished to ensure the files are permanently removed.
Remove AutoRun.inf Files from All Drives
Open Windows Explorer and check the root directory of your C: drive and any other internal drives. Delete any autorun.inf files you find. These files are the mechanism the trojan uses to auto-execute, so removing them breaks the infection chain. Before reconnecting any removable media, you'll need to clean those drives as well using the same process — ideally from a known-clean computer or using a bootable antivirus scanner.
Scan with Malwarebytes or Similar Tool
Download and install Malwarebytes Free (or another reputable anti-malware tool like HitmanPro) while still in Safe Mode. Update the definitions and run a full system scan. This catches any components you might have missed during manual removal and identifies related threats that may have been downloaded as secondary payloads. Quarantine or delete all detected items, then restart the computer normally.
Re-enable Security Settings and Verify AutoRun is Disabled
Check that Task Manager, Registry Editor, and other tools are accessible again. Press Windows+R, type gpedit.msc (on Pro/Enterprise editions) or modify the registry directly to ensure AutoRun is disabled for all drive types. Set HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun to 0x000000FF (255 in decimal). This prevents autorun.inf files from executing automatically and protects against reinfection.
Clean All Removable Media Before Reconnecting
Do not reconnect any USB drives or external storage to your now-clean computer until you've verified they're free of infection. Use a bootable antivirus rescue disk or connect them to a Linux system to delete autorun.inf files and scan for executables. If you're uncertain about cleaning the drives yourself, bring them to our shop — we can scan and clean removable media safely without risking reinfection of your system.
Prevention
- Disable AutoRun/AutoPlay for all drive types — Windows 7 and later have significantly restricted AutoRun, but ensure it's completely disabled in your Group Policy or Registry settings. This single change eliminates the primary infection vector for this entire malware family.
- Keep your antivirus software updated and active — Modern security suites detect AutoRun trojans effectively when definition files are current. Enable real-time protection and schedule regular full-system scans, particularly after using removable media from untrusted sources.
- Show file extensions and hidden files by default — Malware frequently disguises itself as legitimate file types by using names like "document.pdf.exe" or setting hidden/system attributes. Configure Windows Explorer to always display extensions and reveal hidden items so you can spot suspicious files.
- Treat unknown USB drives as potentially infected — Never insert a USB drive from an untrusted source directly into your primary computer. If you must access such media, use a quarantined system, a Linux live environment, or scan the drive with an updated antivirus tool before opening any files.
- Maintain regular offline backups — AutoRun trojans can spread to backup drives that remain constantly connected. Keep critical backups on media that's only connected during the backup process, then physically disconnected and stored securely. This prevents malware from encrypting or corrupting your recovery options.
- Apply Windows updates promptly — Microsoft has patched numerous AutoRun-related vulnerabilities over the years. Keeping your system updated closes these security gaps and limits the malware's ability to exploit legacy features.
- Use standard user accounts for daily work — Running with administrative privileges gives malware broader system access. Create a standard user account for routine tasks and only elevate to administrator when necessary for software installation or system configuration.
- Implement application whitelisting in business environments — Tools like Windows AppLocker or third-party application control solutions prevent unauthorized executables from running, blocking AutoRun trojans even if AutoPlay is accidentally enabled or the malware attempts to execute through other means.
Bring It In
AutoRun trojans are particularly frustrating because they can hide across multiple drives, network shares, and removable media — cleaning your computer without addressing infected USB drives just leads to immediate reinfection. At Computer Repair Roswell, we handle the complete remediation process: identifying all infected media, cleaning the registry and filesystem, verifying secondary payloads have been removed, and configuring your system to prevent AutoRun-based infections in the future. We've been removing these threats since they first appeared, and we know all the hiding spots and persistence tricks these trojans employ.
Located at 1735 Hembree Road in Roswell, we're open Monday through Saturday to handle infections, malware removal, and preventive security configuration. Call us at (770) 856-1555 or stop by the shop — bring any USB drives or external storage you've been using so we can check them for infection at the same time. Most AutoRun trojan removals are completed same-day, and we'll explain what happened, what we removed, and how to avoid similar infections going forward. Don't keep fighting reinfection cycles — let us break the chain permanently.