Wow, this is not a strict RTFA article as I am not citing any other article. I was hoping to find someone with a similar situation but decided to vent on my own. SO, today I open up a brand new Dell DataTraveler 4GB USB drive which came with my new Dell laptop. Lucky me I had an anti-virus program installed because smack, the first thing that happens when I put the USB drive into my computer is “warning – trojan horse detected in autorun”. Unfortunately, I forgot to delete the autorun file, which is hidden, and then plugged the USB drive into another machine I was transferring data to. Now that machine has a virus. Fuckin IE pops up with some Chinese website and the first thing I do is go to the avast website… Hopefully I can remove the virus without any problems.

UPDATE 2008-12-04:
Avast says “Computer is infected with win:32-Trojan-gen {other}”. Also, when I first plugged the USB in, there were 3 “folders” on the drive named: iiiiiiiii, iiiiiiiiii, iiiiiiiiii… I’m not sure exactly how many i’s there were, but I found this link: http://www.threatexpert.com/files/iiiiiiiiii.exe.html

So the reason I put it in quotes is because it looked like a folder with the icon, but if you look at the extension, it was actually an exe. I know I’ve heard of this happening before, and found a similar incident on hard drives http://hardware.slashdot.org/article.pl?sid=07/11/11/2246246 but haven’t looked hard enough to see if other people are experiencing it with USB drives.

UPDATE 2008-12-04:
According to http://www.threatexpert.com/files/iiiiiiiiii.exe.html, that EXE is also known as:

Infostealer.Bancos.gen
Keylog.gen
Trojan-Spy.VB!sd5
Trojan-Spy.Win32.VB.fj
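As an added, defender-side example (not code from the original post), here is a small Python check for the two things described above: an autorun.inf at the drive root that launches a program, and executables whose names pose as folders. It generalises the iiiiiiiiii.exe case to any executable named after a sibling directory; the sample drive it builds in a temp directory is constructed, not the real drive's contents.

```python
import tempfile
from pathlib import Path

# Extensions Windows will run; with "hide extensions for known file types" on,
# "iiiiiiiiii.exe" shows up as "iiiiiiiiii" next to a folder icon.
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs"}

def autorun_targets(root: Path) -> list[str]:
    """Return what an autorun.inf at the drive root would launch (empty if none)."""
    inf = root / "autorun.inf"
    if not inf.is_file():
        return []
    targets, in_autorun = [], False
    for raw in inf.read_text(errors="ignore").splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        # open=, shellexecute= and shell\<verb>\command= all name a program to run
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value.strip())
    return targets

def folder_mimics(root: Path) -> list[str]:
    """Executables at the root that pose as folders: a name that is one repeated
    character (the iiiiiiiiii.exe case) or the same name as a sibling directory."""
    dirs = {p.name.lower() for p in root.iterdir() if p.is_dir()}
    hits = []
    for p in sorted(root.iterdir()):
        if p.is_file() and p.suffix.lower() in EXEC_EXTS:
            stem = p.stem.lower()
            if len(set(stem)) == 1 or stem in dirs:
                hits.append(p.name)
    return hits

def build_sample_drive() -> Path:
    """Constructed stand-in for the drive root (assumed layout, not the real drive)."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "autorun.inf").write_text("[autorun]\nopen=iiiiiiiiii.exe\nshell\\open\\command=iiiiiiiiii.exe\n")
    (root / "iiiiiiiiii.exe").write_bytes(b"MZ")   # placeholder executable body
    (root / "photos").mkdir()
    (root / "photos.exe").write_bytes(b"MZ")       # exe named after a real folder
    return root
```

Run both functions against the mounted drive's root (for example `Path("E:/")`) before opening anything on it; a hit on either check is reason to treat the stick as hostile rather than browse it.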

  • ya, I also faced the same!
  • fumf
    It seems this is becoming more of a problem, from the BBC:
    http://news.bbc.co.uk/2/hi/technology/7842013.stm

    "Drives such as USB sticks infected with the virus trick users into installing the worm, according to researchers.

    The "Autoplay" function in Vista and early versions of Windows 7 automatically searches for programs on removable drives.

    However, the virus hijacks this process, masquerading as a folder to be opened. When clicked, the worm installs itself.

    It then attempts to contact one of a number of web servers, from which it could download another program that could take control of the infected computer.

    Bad guys

    The worm is unusually clever in the way that it determines what server to contact, according to F-Secure's chief research officer Mikko Hypponen.

    "It uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com," said Mr Hypponen in a blog post.

    "This makes it impossible and/or impractical for us good guys to shut them all down — most of them are never registered in the first place.

    "However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines," he added.

    It has also emerged that the virus automatically disables the automatic updates to Windows that would prevent further infection.

    As the virus - also known as Downadup - has spread to an estimated 9m computers globally, a number of high-profile instances of the virus have arisen."
  • farkinga
    According to http://www.threatexpert.com/files/iiiiiiiiii.exe.html, that EXE is also known as:

    Infostealer.Bancos.gen
    Keylog.gen
    Trojan-Spy.VB!sd5
    Trojan-Spy.Win32.VB.fj

    So, I still think this is freaking CRAZY. I mean, it was a brand new USB drive with a known Trojan on it.
  • fumf
    Hi Phil,
    I'm fairly certain this is not a false positive. The dead giveaway is the Chinese website popping up automatically.
  • Phil
    Step 1. Don't freak over something just because your AV says it's dirty; it may be a false positive. They do happen.

    2. HijackThis

    3. hijackthis.de
  • farkinga
    This is insane! I didn't find any other reports of this - you might be the first??? What kind of virus was it? Try to isolate it and post some more!!! CRAZY.