Worm:Win32/Autorun.A is a self-replicating malware family that exploits Windows AutoRun functionality to spread across removable drives, network shares, and connected storage devices. First documented in the mid-2000s during the peak of USB-based malware propagation, this worm family remains relevant today as countless variants continue circulating in regions where users routinely share USB drives. The primary threat isn't just the initial infection—it's the worm's ability to silently colonize every removable device you connect, turning your own flash drives into unwitting infection vectors.

Worm:Win32/Autorun.A — cybersecurity illustration
Photo by Tima Miroshnichenko on Pexels

This worm family typically arrives via infected USB drives, external hard drives, or network shares that already contain the malware. Once executed, it modifies system settings to ensure AutoRun triggers its payload whenever you access infected media, creating a persistent reinfection cycle that survives even after you think you've cleaned your machine.

Think you're infected right now? Immediately disconnect all USB drives and external storage devices from your computer. Disable network connectivity if you're on a shared network. Do not insert any flash drives into other computers until you've completed removal. If you're uncomfortable performing manual removal, call Computer Repair Roswell at (770) 676-3301—we can typically clean autorun worms same-day and verify all your removable media is safe.

Threat Profile

Malware Family Worm:Win32/Autorun (multiple variants including Autorun.A, Autorun.B, Autorun.gen)
Common Aliases Win32.AutoRun, WORM_AUTORUN, VBS/Autorun, Trojan.Autorun, AutoIt.Autorun
Platform Windows XP through Windows 11 (primarily targets systems with AutoRun enabled)
First Documented 2006-2008 (peak proliferation period); variants continue emerging
Primary Distribution USB flash drives, external hard drives, SD cards, network shares with write access
Persistence Mechanisms Registry Run keys, autorun.inf files on all removable media, scheduled tasks (variant-dependent)
Typical Payload Capabilities Self-replication to removable drives, backdoor installation, additional malware download, credential theft (variant-dependent)
File Characteristics Executable size typically 30KB-500KB; often disguised with folder icons or double extensions (.pdf.exe)
Network Behavior Attempts SMB share enumeration; may contact C2 servers for updates (variant-specific)
IoC Artifacts autorun.inf files on root of drives; hidden executables with system/folder attributes; modified registry AutoRun policies
Detection Difficulty Low to Moderate (well-known signatures, but reinfection from unscanned media is common)
Removal Difficulty Moderate (system cleanup straightforward, but requires scanning ALL removable media to prevent reinfection)

How It Spreads

The Autorun worm family earned its name through ruthless exploitation of Windows AutoRun functionality, which was designed to automatically launch programs from CDs and DVDs but unfortunately also worked with USB drives on older systems. When you insert an infected flash drive, the worm's autorun.inf file tells Windows to automatically execute the malware payload—often before you even open the drive in Explorer. While Microsoft disabled AutoRun for USB devices starting with Windows 7, the worm adapted by using social engineering: creating fake folder icons that look like legitimate directories but are actually executable files that users double-click manually.

The infection cycle is remarkably efficient. Once running on your system, the worm immediately scans for all connected drives and network shares with write access. For each target it finds, it copies itself (often with a randomized filename or disguised as a system file), creates a hidden autorun.inf file pointing to its executable, and sets both files to hidden+system attributes so they don't appear in normal folder views. The next person who connects that USB drive to their computer—even a fully patched Windows 11 system—becomes the next victim if they manually launch the disguised executable.

Common distribution vectors for Autorun worm families include:

  • Shared USB flash drives in workplaces, schools, libraries, or print shops where multiple users access the same devices
  • External hard drives used for backup or file transfer between computers
  • SD cards and camera memory transferred from infected digital cameras or photo kiosks
  • Network file shares with inadequate access controls, allowing the worm to propagate across entire office networks
  • Infected installation media for pirated software distributed via USB drives
  • Point-of-sale systems and kiosks that allow customer USB access (photo printing, document services)
  • Malicious downloads bundled with other software, establishing the initial foothold before spreading to connected media

What It Does On Your Machine

Upon execution, the worm's primary objective is ensuring its own survival and propagation. It immediately copies itself to a location in your user profile or system directories, typically using a randomized filename to evade simple detection. The executable is configured with hidden and system attributes to keep it invisible in standard folder listings. The worm then establishes persistence by adding registry entries that ensure it launches whenever Windows starts—most commonly in the Run or RunOnce keys, though some variants create scheduled tasks or modify the Windows Explorer shell extensions.

The self-replication engine activates next, continuously monitoring for new drive letters and network shares. Whenever you connect a USB drive, mount a network location, or insert an SD card, the worm springs into action within seconds. It creates its distinctive autorun.inf file in the root directory of the new media and copies its executable alongside it. Many variants employ additional deception: creating what appears to be a "Documents" or "Photos" folder with an enticing folder icon, when in reality this "folder" is the worm executable. Users who double-click what they believe is a folder instead launch the infection, which then executes from their own computer.

Typical Autorun Worm Artifacts
Infected Removable Drive (E:\): autorun.inf ; Hidden+System attributes Recycler\ ; Fake system folder containing worm executable Recycler\[random].exe ; Actual worm binary (15-500KB) Documents.exe ; Disguised with folder icon, Hidden attribute Local System: %USERPROFILE%\Application Data\[GUID]\svchost.exe %TEMP%\[random].exe %WINDIR%\system32\drivers\[random].sys ; Some variants Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun ; Modified to enable AutoRun

Beyond self-propagation, different Autorun worm variants carry additional payloads that activate after establishing persistence. Some variants function as downloaders, reaching out to command-and-control servers to retrieve additional malware—potentially ransomware, banking trojans, or cryptocurrency miners. Other variants include keylogger functionality, silently recording your passwords and credit card information for later exfiltration. A concerning subset searches specifically for online banking credentials or saved browser passwords, transmitting this data to attackers via HTTP POST requests or email.

The worm typically modifies system security settings to facilitate its operation, including disabling Windows AutoRun warnings, hiding protected operating system files in folder views, and sometimes even attempting to disable Windows Defender or other security software. Resource consumption varies by variant: some operate almost invisibly with minimal CPU usage, while others cause noticeable system slowdowns due to continuous disk scanning or network communication with control servers that may no longer exist.

Manual Removal — Step by Step

01

Disconnect All Removable Media and Network Access

Before attempting any cleanup, physically disconnect all USB drives, external hard drives, SD cards, and any other removable storage from your computer. If you're on a network, disconnect the Ethernet cable or disable Wi-Fi. This prevents the worm from reinfecting your system from external media during the removal process and stops potential spread to network shares. Keep these devices disconnected until step 8.

02

Boot Into Safe Mode with Networking

Restart your computer and boot into Safe Mode with Networking. On Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot > Advanced Options > Startup Settings > Restart, and select Safe Mode with Networking (option 5). Safe Mode loads only essential drivers and services, preventing the worm from automatically starting and making removal significantly easier.

03

Enable Viewing of Hidden and System Files

Open File Explorer, click View > Options > Change folder and search options. In the View tab, select "Show hidden files, folders, and drives" and uncheck "Hide protected operating system files (Recommended)". Click Apply. The worm relies on hidden file attributes to remain invisible, so this step is essential for locating its components.

04

Identify and Terminate the Worm Process

Open Task Manager (Ctrl+Shift+Esc) and examine running processes carefully. Look for unfamiliar processes running from unusual locations like %TEMP%, %APPDATA%, or user profile subdirectories with GUID-like names. The worm often disguises itself as "svchost.exe" or uses randomized names. Right-click suspicious processes, select "Open file location", and if it's not in a legitimate Windows system folder, right-click and choose "End task". Note the file path for deletion in the next step.

05

Remove Registry Persistence Entries

Press Win+R, type regedit, and press Enter. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Look for entries pointing to executable files in suspicious locations (matching the paths from step 4). Right-click these entries and delete them. Also check HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce and the HKLM equivalent. Be careful to only delete entries you can confirm are malicious.

06

Delete the Worm Files and Folders

Using File Explorer with hidden files visible, navigate to the locations identified in step 4 (typically folders in %USERPROFILE%\AppData\Local or %TEMP% with random names). Delete the entire parent folder containing the worm executable. Also check %WINDIR%\system32 for any recently modified .exe or .dll files with suspicious names or sizes under 500KB. If you encounter "file in use" errors, the process from step 4 wasn't fully terminated—return to Task Manager and verify.

07

Scan with Malwarebytes or Reputable Anti-Malware

Download and install Malwarebytes Free (still in Safe Mode with Networking enabled). Run a full system scan—this typically takes 30-60 minutes. Malwarebytes excels at detecting Autorun worm variants and their associated registry modifications. Quarantine and remove all detected threats. After Malwarebytes completes, consider running a second-opinion scan with Windows Defender or another reputable scanner to catch any stragglers.

08

Clean All Removable Media

This is the critical step most people skip, leading to reinfection. One at a time, connect each USB drive, external hard drive, and SD card. Immediately navigate to the root directory (just "E:\" or whatever the drive letter is), enable viewing hidden files if it reset, and look for autorun.inf files. Delete any autorun.inf files you find. Also look for .exe files in the root directory or in folders named "Recycler" or similar system folder names. Delete these executables. Run a full scan of each drive with Malwarebytes before moving to the next device. This process must be repeated for every single piece of removable media that touched the infected computer.

09

Restore Proper AutoRun Settings

The worm may have modified your AutoRun policies. Press Win+R, type gpedit.msc (this won't work on Windows Home—skip to registry method). Navigate to Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies. Ensure "Turn off Autoplay" is enabled for all drives. Alternatively, in Registry Editor, navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and verify the value "NoDriveTypeAutoRun" is set to 0xFF (255 decimal), which disables AutoRun for all drive types.

10

Reboot and Verify Clean System

Restart your computer normally (not into Safe Mode). After Windows loads, open Task Manager and verify no suspicious processes have returned. Reconnect your network. Run one final quick scan with Malwarebytes or Windows Defender. If the system remains clean after 24 hours of normal use and you've successfully cleaned all removable media, the infection is resolved. Consider changing passwords for important accounts if you suspect the variant included credential-stealing capabilities.

Prevention

  1. Disable AutoRun for all removable drives. Use Group Policy Editor (gpedit.msc) or registry modifications to ensure Windows never automatically executes programs from USB drives or other removable media. This single setting prevents the majority of autorun-based infections.
  2. Never double-click files on USB drives without scanning first. When you connect a flash drive from an untrusted source, right-click the drive in Explorer and select "Scan with [your antivirus]" before opening any files. Be especially suspicious of .exe files in root directories or "folders" that display unusual icons.
  3. Keep visible file extensions enabled. In File Explorer options, uncheck "Hide extensions for known file types". This reveals disguised executables like "Document.pdf.exe" which appear as innocent "Document.pdf" files with extensions hidden—a favorite worm trick.
  4. Use a dedicated USB drive for untrusted transfers. If you routinely transfer files from potentially infected sources (work computers, public kiosks, clients' machines), designate one specific USB drive for these transfers, scan it thoroughly after each use, and never connect it to other systems until you've verified it's clean.
  5. Maintain real-time antivirus protection. Windows Defender (included free with Windows) provides adequate protection against known autorun worm signatures if you keep it updated. For enhanced protection, consider Malwarebytes Premium, which includes real-time monitoring for suspicious autorun.inf creation and executable behavior.
  6. Educate everyone who uses shared USB drives. In office or household environments where USB drives pass between computers, ensure everyone understands the infection risk and knows to scan drives before opening files. A single infected computer in the chain can reinfect everyone else's drives.
  7. Consider write-protecting important USB drives. Some USB drives include physical write-protect switches. Enabling this prevents malware from creating autorun.inf files or copying itself to the drive—though it also prevents you from adding legitimate files without toggling the switch.
  8. Regularly scan removable media even if your computer seems clean. Schedule monthly scans of all your frequently used USB drives. Catching a worm infection on a drive before it spreads to your computer is far easier than cleaning an active system infection.
Our 90-Day Warranty
When Computer Repair Roswell removes malware from your system, we guarantee our work for 90 days. If the same infection returns within that period (and you haven't engaged in risky behavior like disabling your antivirus or visiting the same malicious sites), we'll re-clean your system at no charge. We also verify that all your USB drives and external storage are clean before returning your computer—preventing the reinfection cycle that plagues DIY removal attempts.

Bring It In

Autorun worm removal is straightforward for technicians with proper tools, but the critical step—thoroughly cleaning all removable media—is where most self-removal attempts fail. You clean your computer, feel relieved for a few days, then plug in that flash drive you forgot about, and suddenly you're infected again. At Computer Repair Roswell, we've developed a systematic process for these infections: we clean your computer, then individually scan and sanitize every USB drive, external hard drive, and memory card you bring in. We verify the worm hasn't spread to network shares. We reconfigure your system settings to prevent reinfection. And we test everything before you leave.

Located on Alpharetta Highway in Roswell, we're open Monday through Saturday for drop-offs and typically complete worm removal the same day for most infections. Bring your computer and all the USB drives you've used with it recently—even ones you think are clean. Call us at (770) 676-3301 with questions or to confirm we have availability. For persistent infections that keep coming back, or if you've discovered the worm has spread through your office network, we can provide on-site service throughout the Roswell and North Fulton area. Don't spend your weekend fighting reinfection cycles—let us handle it correctly the first time.