Malware Analysis | Incident Response | Digital Forensics | Windows XP Era
Identified a W32/Autorun variant hiding on mobile memory cards using System+Hidden file attributes. Developed a remediation tool deployed nationally across all Movistar service branches in Peru.
Between 2007 and 2009, Sony Ericsson phones serviced at Anovo Perú (authorized Movistar repair center) were being returned repeatedly with the same symptom: phone boots normally but becomes completely unresponsive after inserting the memory card.
Standard procedure was to re-flash the firmware. It worked — temporarily. The phones came back within days.
The root cause was a W32/Autorun variant hiding on the memory cards using combined System + Hidden file attributes (+S +H) — invisible to Windows Explorer, invisible to Kaspersky's real-time scanner, and surviving card formatting.
One forensic observation. One script. National deployment.
- Environment: Windows XP | Kaspersky AV | Sony Ericsson + microSD
- Malware: W32/Autorun variant — random filename, +S +H attributes
- Detection: Byte count discrepancy → CMD attrib → malware revealed
- Evasion: MITRE T1564.001 — Hidden Files and Directories
- Remediation: .bat script with attrib -r -s -h /s /d *.*
- Impact: Deployed nationally across all Movistar/Anovo branches in Peru
The memory card was formatted and visually empty — but the Properties dialog showed bytes in use. That discrepancy was the starting point.
```
Windows Explorer:  [empty]
Card Properties:   Used space: X bytes                      ← anomaly
attrib command:    S H [drive]:\ [random_filename]          ← malware revealed
Kaspersky:         [detects and eliminates within seconds]
```
The malware set the +S (System) and +H (Hidden) attributes at the same time, so its files stayed invisible in Explorer even with the standard "Show hidden files" option enabled, and Kaspersky's real-time scanner did not flag them while they remained in that hidden state.
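The two signals the analysis relied on, a used-space figure that the visible files cannot explain and entries carrying both S and H in `attrib` output, can be reproduced offline. The script below is an added example, not the repository's own tool or the script deployed at Anovo; it parses constructed sample `attrib` lines (the filenames are placeholders, not real indicators), rounds visible file sizes up to FAT cluster boundaries before comparing them to the reported used space, and lists every entry that is both System and Hidden. The live `st_file_attributes` check only works on Windows and is included for completeness.

```python
"""Offline reproduction of the two detection signals from the Anovo case:
(1) used space that the visible files cannot account for, and
(2) entries carrying both the System (S) and Hidden (H) attributes
    in `attrib` output.

Added example; not the project's own remediation tool. Sample data is constructed.
"""
from __future__ import annotations

import os
import re
import stat
from dataclasses import dataclass

# Constructed sample of what `attrib /s` might print on an XP machine for a
# memory card mounted as E:. Filenames are placeholders, not real IoCs.
SAMPLE_ATTRIB_OUTPUT = r"""
A            E:\DCIM\IMG_0001.JPG
A    SH      E:\kxq1z.exe
A    SH      E:\autorun.inf
A     H      E:\Thumbs.db
"""

# attrib prints the attribute letters, then the absolute path; locating the
# drive-letter prefix is more robust than assuming fixed column positions.
_PATH_START = re.compile(r"[A-Za-z]:\\")


@dataclass(frozen=True)
class AttribEntry:
    flags: frozenset  # e.g. {"A", "S", "H"}
    path: str


def parse_attrib_output(text: str) -> list[AttribEntry]:
    """Parse `attrib` output lines into (flags, path) entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _PATH_START.search(line)
        if m is None:
            continue  # not an attrib line (e.g. "File not found")
        flags = frozenset(ch for ch in line[: m.start()] if ch.isalpha())
        entries.append(AttribEntry(flags, line[m.start():].rstrip()))
    return entries


def find_system_hidden(entries: list[AttribEntry]) -> list[str]:
    """Paths flagged both System and Hidden: invisible to Explorer even with
    'Show hidden files' enabled (the pattern seen on the infected cards)."""
    return [e.path for e in entries if {"S", "H"} <= e.flags]


def unaccounted_bytes(reported_used: int, visible_sizes: list[int],
                      cluster_size: int = 4096) -> int:
    """Used space the visible files cannot explain. FAT allocates whole
    clusters, so each visible size is rounded up before comparing."""
    allocated = sum(-(-s // cluster_size) * cluster_size for s in visible_sizes)
    return max(0, reported_used - allocated)


def is_system_hidden_on_disk(path: str) -> bool:
    """Live check on Windows via os.stat().st_file_attributes (Python 3.5+).
    Returns False on platforms that do not expose that field."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    wanted = stat.FILE_ATTRIBUTE_SYSTEM | stat.FILE_ATTRIBUTE_HIDDEN
    return attrs & wanted == wanted


def triage(attrib_text: str, reported_used: int, visible_sizes: list[int]) -> dict:
    """Combine both signals into one verdict, the way the analyst reasoned."""
    entries = parse_attrib_output(attrib_text)
    suspects = find_system_hidden(entries)
    slack = unaccounted_bytes(reported_used, visible_sizes)
    return {
        "unaccounted_bytes": slack,
        "system_hidden": suspects,
        "suspicious": bool(suspects) or slack > 0,
    }


if __name__ == "__main__":
    # Card reports ~1.5 MiB used, but Explorer lists only one 1 MiB photo.
    verdict = triage(SAMPLE_ATTRIB_OUTPUT, 1_572_864, [1_048_576])
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

On a real card, feed `triage()` the text of `attrib /s /d [drive]:\*.*`, the "Used space" value from the Properties dialog, and the sizes Explorer shows; a few clusters of slack is normal FAT overhead, but hundreds of kilobytes with an empty listing is the discrepancy that started this investigation.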
```bat
@echo off
:: Malware Attribute Removal Tool
:: Developed by: Alvaro Martinez — Anovo Peru
:: Run from the root of the memory card: strips Read-only, System and Hidden
:: from every file and directory so the antivirus can see and remove the malware.
attrib -r -s -h /s /d *.*
echo Done. Run your antivirus scan now.
pause
```

Copy to memory card root → execute → Kaspersky eliminates the malware automatically.
👉 Read the complete technical writeup
Includes: forensic analysis methodology, malware classification, MITRE ATT&CK mapping, attack chain reconstruction, remediation tool development, and historical context of the W32/Autorun epidemic (2007–2009).
📄 README.md ← This file
📄 anovo-autorun-writeup.md ← Full technical writeup
| Audience | Why it matters |
|---|---|
| Security analysts | Real W32/Autorun case with forensic methodology |
| IT administrators | Attribute-based evasion still relevant on USB devices today |
| Recruiters | Documented incident response with national-scale impact |
| Students | Practical example of forensic thinking without specialized tools |
Alvaro Martinez | IT Infrastructure Specialist
Google Cybersecurity · Cisco CyberOps · ~10 years experience
If this was useful, consider leaving a ⭐ on the repository.