
Digital Hitchhikers Part Two

Published: 2008-01-04
Last Updated: 2008-01-04 02:51:08 UTC
by Marcus Sachs (Version: 1)

Several days ago David Goldsmith posted a diary concerning a digital photo frame that came with a value-added feature.  Since then, two more readers have sent us notes concerning malware on digital photo frames that were purchased or received as Christmas presents last week.  We've been in contact with the security team of the retail store chain where they were purchased as well as the product vendor, and both swear that no malware is on the units they are selling.

So, dear readers, here is your first project for the New Year.  If you either purchased or were given a digital photo frame, GPS unit for your car, external hard drive, or any other device that connects to your computer via a USB cable and appears to your operating system as one or more mounted drives, please let us know via our contact form if you experienced any suspicious behavior that smells like malware.  To give you an idea of what we are talking about, here are edited excerpts from the three notes we have received so far:

First notification. 

Behavior after attaching the USB digital photo frame to the PC:

1. MSCONFIG would not run - it would briefly open and then terminate
2. Blue screen when starting in safe mode
3. Many antivirus websites would result in browser terminating
4. Various popups for random name.exe "not valid image" messages

Using the CA AV2008 product, a new aggressive virus named Win/32Mocmex.AM was found on the photo frame (filename: kwjkpww.exe). No detailed info on it is listed yet in their database.  (More information was later available at http://www.prevx.com/filenames/394470622808329496-0/KAWDHZY.DLL.html.)

Second notification.

The attached file is from a digital picture frame. This file was originally named "autorun.inf", was marked as a hidden, system file, and was located alongside the sample pictures shipped with the picture frame.  The program file launched by this autorun was deleted, but is a variant of the trojan Win32/Agent virus. This file was also marked as hidden.

It did appear all seals were intact and the product was carefully wrapped when it was unpacked. However, I can't say for sure that this frame was not a victim of a prior connection.
 
The virus scanner I'm using tagged the virus .exe file "cfhskjn.exe" as shown in this log entry:

Threat Name: Trojan:Win32/Agent
Detection Date and Time: 1/1/2008 4:23 PM
File Name: G:\kwjkpww.exe
Threat Severity: Severe
Threat Category: Trojan
Threat found by On Demand Scan: (ANTIVIRUS_ONDEMAND)
Threat Status: Removed

so I'm thinking it was not the autorun.inf worm or "silly worm" as described in this link. Although I've not dug into this particular .exe code that was found on this frame, the classification as a Win32/Agent threat tells me it is not of a worm (self-propagating) type and behaves more as a Trojan threat.
 
Googling the name of the virus executable turns up three Chinese-language links. Using the Google-translate function, you get this web page from the first link:
 
http://tinyurl.com/28w8vc
 
which tells me this virus has been in circulation since at least Oct 30 of 2007.

Third notification.

I too connected a digital picture frame to my computer and received the nastiest virus that I've ever encountered in my 20-plus-year I/T career. The product vendor tells me it's not true; however, I know exactly what, how and when. The virus absolutely came from the frame. Is there any way to corroborate this?

This virus was indeed on the frame. It propagates to any connected device by copying a script, a com file and an autorun file. It hides all system files and itself while completely eliminating the user admin ability to show hidden files. It creates processes that negate any attempt to go to anti-virus and anti-spam web sites. It prevents the remote installation of any anti-virus components. I was able to remove it by using the attrib command to unhide then delete the files, then run Symantec anti-virus. I also manually deleted the files from my USB drive and flash drive that I used to back up my data. I then had to long format and rebuild my computer because I had no trust that it was safe.

I was using my computer the morning that it crashed without any troubles at all. I web mailed, VPN connected to my business network which is FDA regulatory compliant and very secure. When I completed my work I then connected the picture frame and my system immediately went crazy. After this happened I ceased to use my system and went to a second computer where I found your publication, which reinforced my immediate conclusion.
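The pattern the second and third notes describe (a hidden, system autorun.inf sitting beside the sample pictures and pointing at a hidden executable) can be triaged offline from a copy of the autorun.inf and a directory listing of the drive. The following is an added example, not code from the diary or its readers; the autorun.inf content, file names and attribute flags are constructed for illustration, with kwjkpww.exe borrowed from the reader's scanner log.

```python
"""Triage an autorun.inf copied off a removable drive (added example)."""
import configparser
import re

# Constructed root-directory listing of the frame: file name -> DOS attribute letters
CONSTRUCTED_LISTING = {
    "autorun.inf": "HS",   # hidden + system, alongside the sample pictures
    "kwjkpww.exe": "HS",   # hidden executable, name taken from the reader's log
    "IMG_0001.JPG": "A",
    "IMG_0002.JPG": "A",
}

# Constructed autorun.inf modelled on the behaviour the notes describe
CONSTRUCTED_AUTORUN = """[autorun]
open=kwjkpww.exe
shell\\open\\Command=kwjkpww.exe
shell\\explore\\Command=kwjkpww.exe
action=Open folder to view files
"""

# Keys in [autorun] that name a program Windows would run or offer to run
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\.*\\command)$", re.I)


def launch_targets(autorun_text):
    """Return the lower-cased set of programs the [autorun] section launches."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; matching is done case-insensitively
    cp.read_string(autorun_text)
    targets = set()
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            if LAUNCH_KEYS.match(key) and value.strip():
                # First token is the program; drop surrounding quotes and arguments
                targets.add(value.strip().split()[0].strip('"').lower())
    return targets


def triage(autorun_text, listing):
    """Report the autorun.inf and each launch target that is hidden/system or missing."""
    files = {name.lower(): attrs.upper() for name, attrs in listing.items()}
    findings = []
    if set(files.get("autorun.inf", "")) & {"H", "S"}:
        findings.append("autorun.inf is marked hidden/system")
    for prog in sorted(launch_targets(autorun_text)):
        attrs = files.get(prog)
        if attrs is None:
            findings.append(f"{prog}: launched by autorun but not present on the drive")
        elif set(attrs) & {"H", "S"}:
            findings.append(f"{prog}: launched by autorun and marked hidden/system")
        else:
            findings.append(f"{prog}: launched by autorun")
    return findings
```

Because the listing is passed in rather than read live, the same check can be run from a non-Windows analysis host against a `dir /a` capture or a forensic image of the frame's storage.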

By the way, I also received a digital photo frame for Christmas but have not had any problems with it other than the resolution totally sucks.  But that's a subject of another diary some day.  The GPS unit I bought in November mounts as a drive letter in Windows, but it too had no malware on it.  We are pretty certain that this is not a widespread problem, but we need to know if others have experienced anything like this.  Please use our contact form to report any observed malware-like behavior in any of these external devices you recently purchased or received as gifts.  Please be sure to include information about the model name, where you bought it, and whether you've been in contact with the store or product vendor.  We'll provide a summary in a few days with details on what was reported.

Many thanks to readers Edd, Larry, and Rick for bringing this issue to our attention.

Marcus H. Sachs
Director, SANS Internet Storm Center
