3.1.08

Digital photo frame contains Virus/Malware part2

In a previous post HERE we learned of people either buying or receiving NEW hardware loaded with a virus or malware. While the reports speculate that this is not widespread, or in the wild, this cannot by any means be the end of it. Since most people, myself included, do not suspect a NEW device to contain a virus, we don't even think of looking for or scanning for it on said device. This being the case, I am sure there are many others out there in the world who have become infected in this manner and don't even realize it.

In my previous post on this subject I said:
"Well the who seems fairly easy. Correct me if I'm wrong. The who is China. I say this due to the fact most of these types of electronics and damn near everything else comes from them. Under the Direction of whom is altogether another Question."
This appears to have been somewhat CONFIRMED in this latest post from the SANS Internet Storm Center, where a reader reports, "Google-ing the name of the virus executable turns up three Chinese-language links."

What makes this all the worse is that some have an autorun.inf file. For those who don't know what this is, I'll try to explain it simply. You know how, when you put a music CD or a movie DVD in, it starts automatically? That is what autorun does. If this is the case, there is NO WAY to SCAN the device to detect the infection before it runs, because the program named in that file is launched the moment the device is mounted.

As I stated before this is BIG, and NO telling how many devices are infected without people realizing it.
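To make the autorun mechanism concrete from the defender's side, here is an added example (it is not code from this post or from the ISC diary quoted below) that parses an autorun.inf the way a triage script would and reports which files on the volume it points at, together with the Hidden/System attributes the reports describe. It never launches anything. The sample autorun.inf and directory listing are constructed for this example; the filename kwjkpww.exe is taken from the reports quoted below. The attribute bits are only readable on Windows, so on other systems a real scan of a mounted volume reports autorun targets but no attributes. The check is only meaningful on a machine where autorun is disabled (or the volume is mounted without executing anything), since with autorun enabled the launch has already happened by the time you look.

```python
"""Added example: offline triage of a removable volume's autorun.inf.

Nothing here executes the referenced program; it only parses the file that
Windows autorun acts on and reports which files it points at, together with
the Hidden/System attributes the reports describe.
"""
import os
import stat
import sys
from dataclasses import dataclass

# Constructed sample, modelled on the reports: a hidden, system autorun.inf
# sitting beside the shipped sample pictures and launching a hidden .exe.
SAMPLE_AUTORUN_INF = """[autorun]
open=kwjkpww.exe
shellexecute=kwjkpww.exe
shell\\open\\command=kwjkpww.exe
icon=kwjkpww.exe
"""

# Constructed directory listing: relative path -> attribute names.
SAMPLE_LISTING = {
    "autorun.inf": {"hidden", "system"},
    "kwjkpww.exe": {"hidden"},
    "DCIM/sample1.jpg": set(),
}

LAUNCH_KEYS = {"open", "shellexecute"}
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}


def _basename(path):
    """Lower-cased final path component, accepting either separator."""
    return path.replace("/", "\\").split("\\")[-1].lower()


def _first_token(value):
    """Program name from a command line, honouring a leading quoted path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0]


def parse_autorun(text):
    """Return the lower-cased basenames an [autorun] section would launch."""
    targets = set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open= and shellexecute= launch directly; shell\<verb>\command= adds a
        # context-menu verb that can also be made the default double-click action.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            if value:
                targets.add(_basename(_first_token(value)))
    return targets


@dataclass
class Finding:
    path: str
    reasons: list


def triage(listing, autorun_text=None):
    """Flag the files a defender would inspect before trusting the volume."""
    targets = parse_autorun(autorun_text) if autorun_text else set()
    findings = []
    for path, attrs in listing.items():
        name = _basename(path)
        ext = os.path.splitext(name)[1]
        reasons = []
        if name == "autorun.inf":
            reasons.append("autorun.inf present on a removable volume")
        if name in targets:
            reasons.append("launched by autorun.inf")
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable shipped alongside media content")
        if "hidden" in attrs and reasons:
            flags = "hidden+system" if "system" in attrs else "hidden"
            reasons.append(f"{flags} attribute set (invisible with default Explorer settings)")
        if reasons:
            findings.append(Finding(path, reasons))
    return sorted(findings, key=lambda f: f.path)


def scan_volume(root):
    """Build a listing from a mounted volume; attribute bits exist only on Windows."""
    listing, autorun_text = {}, None
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            bits = getattr(os.stat(full), "st_file_attributes", 0)  # 0 off Windows
            attrs = set()
            if bits & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2):
                attrs.add("hidden")
            if bits & getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4):
                attrs.add("system")
            listing[os.path.relpath(full, root)] = attrs
            if dirpath == root and fname.lower() == "autorun.inf":
                with open(full, encoding="utf-8", errors="replace") as fh:
                    autorun_text = fh.read()
    return listing, autorun_text


if __name__ == "__main__":
    if len(sys.argv) > 1:
        listing, autorun_text = scan_volume(sys.argv[1])  # e.g. the drive letter of the frame
    else:
        listing, autorun_text = SAMPLE_LISTING, SAMPLE_AUTORUN_INF
    for finding in triage(listing, autorun_text):
        print(finding.path)
        for reason in finding.reasons:
            print("   -", reason)
```

Run with no arguments to see the constructed sample triaged; pass a mount point (on Windows, the drive letter the frame appears as) to walk a real volume. A clean picture frame should produce no findings at all: image files are not flagged, and an autorun.inf or an executable beside the sample pictures is by itself worth a look before the device is plugged into anything that matters.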
_______________________________

http://isc.sans.org/diary.html?storyid=3807

Digital Hitchhikers Part Two
Published: 2008-01-04,
Last Updated: 2008-01-04 02:51:08 UTC
by Marcus Sachs (Version: 1)

Several days ago David Goldsmith posted a diary concerning a digital photo frame that came with a value added feature. Since then, two more readers have sent us notes concerning malware on digital photo frames that were purchased or received as Christmas presents last week. We've been in contact with the security team of the retail store chain where they were purchased as well as the product vendor and both swear that no malware is on the units they are selling.

So, dear readers, here is your first project for the New Year. If you either purchased or were given a digital photo frame, GPS unit for your car, external hard drive, or any other device that connects to your computer via a USB cable and appears to your operating system as one or more mounted drives, please let us know via our contact form if you experienced any suspicious behavior that smells like malware.

To give you an idea of what we are talking about, here are edited excerpts from the three notes we have received so far:

First notification.

Behavior after attaching the USB digital photo frame to the PC:

1. MSCONFIG would not run - it would briefly open and then terminate

2. Blue screen when starting in safe mode

3. Many antivirus websites would result in browser terminating

4. Various popups for random name.exe "not valid image messages"

Using the CA AV2008 product, a new aggressive virus named Win/32Mocmex.AM was found on the photo frame (filename: kwjkpww.exe ). No detailed info on it is listed yet in their database. (More information was later available at http://www.prevx.com/filenames/394470622808329496-0/KAWDHZY.DLL.html.)

Second notification.

The attached file is from a digital picture frame. This file was originally named "autorun.inf", was marked as a hidden, system file, and was located alongside the sample pictures shipped with the picture frame. The program file launched by this autorun was deleted, but is a variant of the trojan Win32/Agent virus. This file was also marked as hidden.

It did appear all seals were intact and the product was carefully wrapped when it was unpacked. However, I can't say for sure that this frame was not a victim of a prior connection.

The virus scanner I'm using tagged the virus .exe file "cfhskjn.exe" as shown in this log entry:

Threat Name:Trojan:Win32/Agent

Detection Date and Time:1/1/2008 4:23 PM

File Name:G:\kwjkpww.exe

Threat Severity:Severe

Threat Category:Trojan

Threat found by On Demand Scan:(ANTIVIRUS_ONDEMAND)

Threat Status:Removed

so I'm thinking it was not the autorun.inf worm or "silly worm" as described in this link. Although I've not dug into this particular .exe code that was found on this frame, the classification as a Win32/Agent threat tells me it is not of a worm (self-propagating) type and behaves more as a Trojan threat.

Google-ing the name of the virus executable turns up three Chinese-language links. Using the Google-translate function, you get this web page from the first link:

http://tinyurl.com/28w8vc

which tells me this virus has been in circulation since at least Oct 30 of 2007.

Third notification.

I too connected a digital picture frame to my computer and received the nastiest virus that I've ever encountered in my 20-plus-year I/T career. The product vendor tells me it's not true however I know exactly what, how and when. The virus absolutely came from the frame. Is there any way to corroborate this?

This virus was indeed on the frame. It propagates to any connected device by copying a script, a com file and an autorun file. It hides all systems files and itself while completely eliminating the user admin ability to show hidden files. It creates processes that negate any attempt to go to anti virus and anti spam web sites. It prevents the remote installation of any anti virus components. I was able to remove it by using the attrib command to unhide then delete the files, then run Symantec anti virus. I also manually deleted the files from my USB drive and flash drive that I used to back up my data. I then had to long format and rebuild my computer because I had no trust that it was safe.

I was using my computer the morning that it crashed without any troubles at all. I web mailed, VPN connected to my business network which is FDA regulatory compliant and very secure. When I completed my work I then connected the picture frame and my system immediately went crazy. After this happened I ceased to use my system and went to a second computer here I your publication that reinforced my immediate conclusion.

By the way, I also received a digital photo frame for Christmas but have not had any problems with it other than the resolution totally sucks. But that's a subject of another diary some day. The GPS unit I bought in November mounts as a drive letter in Windows but it too had no malware on it. We are pretty certain that this is not a widespread problem but we need to know if others have experienced anything like this. Please use our contact form to report any observed malware-like behavior in any of these external devices you recently purchased or received as gifts. Please be sure to include information about the model name, where you bought it, and if you've been in contact with the store or product vendor. We'll provide a summary in a few days with details on what was reported.

Many thanks to readers Edd, Larry, and Rick for bringing this issue to our attention.

Marcus H. Sachs
Director, SANS Internet Storm Center

3 comments:

MysticalToad said...

I bought one of these units for my wife... Unfortunately the manufacturer/importer is in denial. Below is the response that I received from them. My computer is not usable now.

I've not found any software to remove the threat and fear I've lost some data. My next step is to visit my local Sam's Club and demand that they get involved.


Attachment:

Brad,

We have had two other complaints about virus problems with the frame.
When we first learned of possible infections, we began running tests. We
ran our own tests here; Sam's Club ran their own tests; our
manufacturers ran their own tests; and we brought in an independent
consultant who ran his own tests. All of those tests came up negative
for any sort of malware or virus infection. All of the frames come from
the same source and if one was infected, they would all be. Just to be
sure, we took sample frames from several batches over the past year and
all were negative for infection. More than likely, a virus was either
already in your system dormant, or if you happened to have used a USB
flash drive or memory device in the frame, the device could have carried
the virus to the frame and then to your PC. That being said, we
apologize that this has happened to you, but we can assure you that the
virus did not originate from our end and there will be little we can do
for you. You could try running a virus scan to see if you can quarantine
and erase the virus, but if it's deeply imbedded, there may be nothing
you can do. Please let us know if you have any questions or concerns.

ADS Tech Support

MysticalToad said...

Howdy,


Thank you for posting the data regarding the Picture Frame from Sam's Club. I bought one for my wife for Christmas. I decided to preload it with photos the night before Christmas. The computer I use for photos was infected. Not only was I blocked out of the control panel, I could not boot in safe mode. Spybot cleaned the 89 threats. However, after each reboot they reappear. Below is the response from the manufacturer/importer. It's unfortunate that they have chosen not to be accountable for this issue. I guess my next step is to pursue a remedy from Sam's Club.

Oh, other than the Chinese sites I found one that was in Farsi or some other Middle Eastern language.

Regards,

BK Farris

Brad,

We have had two other complaints about virus problems with the frame.
When we first learned of possible infections, we began running tests. We
ran our own tests here; Sam's Club ran their own tests; our
manufacturers ran their own tests; and we brought in an independent
consultant who ran his own tests. All of those tests came up negative
for any sort of malware or virus infection. All of the frames come from
the same source and if one was infected, they would all be. Just to be
sure, we took sample frames from several batches over the past year and
all were negative for infection. More than likely, a virus was either
already in your system dormant, or if you happened to have used a USB
flash drive or memory device in the frame, the device could have carried
the virus to the frame and then to your PC. That being said, we
apologize that this has happened to you, but we can assure you that the
virus did not originate from our end and there will be little we can do
for you. You could try running a virus scan to see if you can quarantine
and erase the virus, but if it's deeply imbedded, there may be nothing
you can do. Please let us know if you have any questions or concerns.

ADS Tech Support

Ed said...

@ Mysticaltoad

I'm sorry you have been infected. If there is any way that I can help, feel free to ask. I do know there are a couple of things you could try but, as in most cases when you can't boot Safe mode [as you stated] and remedy the virus/malware, the only option is to re-install the OS.
It's a shame that manufacturers feel that when you have a problem with one of their products it is just that, 'Your Problem'.

Thanks for your response.

More here http://www.securityfocus.com/news/11499