Posted by GJ on December 31, 2008, 9:33 am
>
> | My nephew was given a no-name mp3 player, which looks like a USB drive, for
> | Christmas.
>
> | When the MP3 Player is plugged into a USB port on our computer, it is
> | identified by Windows XP home as two devices :-
>
> | 1) AMT_CDROM, a read only drive
> | 2) MP3_PLAY, a drive which contains mp3 files to be played by the
> | player.
>
> | The AMT_CDROM drive contains some files which try to run as soon as the
> | player is plugged in using the Windows AUTORUN function. These files are in
> | a chip on the player and cannot be deleted.
>
> | These files are
>
> | autorun.inf
> | AMT.sn
> | start.exe
>
> | The result of this is that Windows tries to run the file "start.exe", and as
> | soon as this happens it is flagged by the anti-virus software (NOD32) as
> | containing the Win32/Agent.ONB Trojan virus
>
> | There are some references to this virus on the web, but nothing very useful
> | which I have found so far - the following has been translated from Italian
> | on a forum and relates a similar experience.
>
> | "Hello everyone I have a question to be asked: I bought an mp3 player
> | similar to your shuffle from china 2 gi
> | The problem is that if I connect off with usb cable to PC then turn fits ...
> | you see, it works and everything is ok ...
> | But if the spengo and then riaccendo tells me "device not recognized" and
> | then at the end asks me to reboot the PC.
> | But the main problem is that my view on the PC in addition to "removable
> | disk" also similar to a disc player that if I clicked on from the antivirus
> | (nod 32) recognize a file start.exe. "
> | "G:: \ AMT.sn 'cabinet' BackupTool.exe - probably a variant of
> | Win32/PSW.Agent horse tr ** a"
> | the presence of a file infested by trojan.
> | The result is this: "G: \ start.exe - Win32/Agent.ONB horse tr ** a - error
> | while deleting - file is locked - error while deleting - file is locked -
> | error while deleting - file is blocked. "
> | of course I can not remove in any way .... this disc (AMT_CDROM) despite the
> | low level formatting does not delete them ... but still active ... I do is
> | safe to use? You can delete? "
>
> | I can't find any details on what the virus, if it really exists, does.
>
> | Has anyone come across this before? If there is a virus present, it seems
> | to be encoded into the rom chip on the mp3 player during its manufacture.
>
> | I can't imagine the presence of the virus pattern is a coincidence because
> | the function of the start.exe must be fairly simple in this use.
>
> | Look forward to hearing of any similar incidents or anything else about this
> | one you can tell me.
>
> | Thanks,
>
> | GJ
>
>
> It is an AutoRun worm. If Eset doesn't provide technical information on
> what this AutoRun worm does, you'll have to provide the EXE file to Virus
> Total to see who else recognizes this threat and see if they have technical
> information on what this AutoRun does.
>
>
> Please submit a sample to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendors'
> scanners. That will give you an idea what it is and who recognizes it. In
> addition Virus Total will provide the sample to all participating vendors.
>
> You can also submit a suspect, one at a time, via the following email URL...
> mailto:scan@virustotal.com?subject=SCAN
>
> When you get the report, please post back the exact results.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
Will do, but the mp3 player is now in Ballarat - I'll have to wait until my
nephew comes back to Melbourne.
Thanks,
GJ
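
Before a sample is submitted as suggested in the quoted reply, the programs that an autorun.inf would launch can be listed and hashed without running anything from the device. The following is an added example, not part of the original thread; the autorun.inf contents and file bytes are constructed, since the thread gives only the file names, and all function names are hypothetical.

```python
import hashlib
import ntpath

# Keys in the [autorun] section that name a program Windows may launch.
LAUNCH_KEYS = ("open", "shellexecute")

def autorun_targets(inf_text):
    """Return (key, command) pairs from the [autorun] section that launch a program."""
    targets, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # shell\<verb>\command entries add context-menu actions that also run a program
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets

def executable_name(command):
    """Strip arguments and directories from a command, leaving the file name."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = command.split(" ", 1)[0]
    return ntpath.basename(path)

def sha256_hex(data):
    """Hash file contents so the sample can be identified without running it."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample: the thread names the files but does not show their contents.
SAMPLE_INF = "[AutoRun]\n; constructed example\nopen=start.exe\n" \
             "shell\\explore\\command=start.exe /e\nicon=player.ico\n"
SAMPLE_FILES = {"start.exe": b"MZ constructed placeholder bytes"}

def report(inf_text, files):
    """Map each file the autorun.inf would launch to its SHA-256, or None if absent."""
    names = {executable_name(cmd) for _, cmd in autorun_targets(inf_text)}
    return {n: sha256_hex(files[n]) if n in files else None for n in sorted(names)}

if __name__ == "__main__":
    for name, digest in report(SAMPLE_INF, SAMPLE_FILES).items():
        print(name, digest)
```

On a real device the `files` mapping would be filled by reading the bytes of each named file from the read-only drive.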