Posted 02/16/08 at 10:37:17 PM by Mark Soper
Digital picture frames showed up everywhere this past holiday season - and unfortunately, some of them, it turns out, also include a Trojan Horse payload as a 'free' bonus.
The first reports in late January fingered some examples of the Insignia NS-DPF-10A 10.4-inch digital picture frames sold by Best Buy. However, the San Francisco Chronicle is now reporting that digital picture frames sold by several other vendors may also contain computer viruses, including products sold by Sam's Club, Target, and Costco. The digital picture frames involved contain flash memory to store images loaded from a PC.
Initially, it was believed that the malware on infected digital picture frames was relatively easy to deal with. One of the infections is W32.Rajump, which also infected some Apple video iPods back in October 2006. It spreads itself to removable drives and can attack Windows 9x through XP. Three other trojans are also older infections easily detectable by current antivirus programs. However, the biggest payload is a new Trojan Horse known to CA (formerly Computer Associates) as Mocmex, and identified as W32.Autorun.worm.e by McAfee.
Whether you call it Mocmex or W32.Autorun.worm.e, it's bad news. It performs the following actions:
If that last behavior reminds you of a previous storage-based malware outbreak, you're right. We brought you reports of Maxtor external hard disks infected with malware from China back in November, and antivirus researchers, according to the Chronicle, have traced back this latest infection to a China-based group as well.
Mocmex can be detected by updated CA and McAfee antivirus programs (and possibly others), but because it uses Autorun.inf to spread (and can reenable Autorun, even if you have disabled this feature), waiting until you have connected the picture frame to a Windows-based PC may be too late - your system's already infected! So, how can you detect Mocmex or other nasties stored in a removable storage device? Deborah Hale at the SANS Institute (www.sans.org), a leading information security training and research firm, suggests scanning media from a computer running Linux or MacOS.
Here's a better idea, especially for us Windows diehards: create a BartPE CD (as suggested by our own Logan Decker), include your preferred antivirus tool (you'll find a list of antivirus plugins here), and use it to boot your PC and scan digital picture frames or other removable-media drives for viruses and malware.
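As an added example (not part of the original article), the Python script below shows what can be checked safely from a Linux or Mac OS machine before a frame ever touches Windows: it reads Autorun.inf from a mounted volume without executing anything and lists the entries that would launch a program. The function names and the sample text are illustrative assumptions, and the check complements an antivirus scan rather than replacing it.

```python
"""Read-only check of a mounted removable volume for Autorun.inf launch entries."""
import os
import re
import sys

# Keys in the [autorun] section that make Windows start a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# Constructed sample for illustration; not taken from any real infected device.
SAMPLE = "[AutoRun]\r\n; comment\r\nicon=frame.ico\r\nOPEN=setup.exe /s\r\nshell\\explore\\command=setup.exe\r\n"


def parse_autorun(text):
    """Return (key, command) pairs from [autorun] that would launch a program."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if LAUNCH_KEY.match(key.strip()):
                entries.append((key.strip().lower(), value.strip()))
    return entries


def inspect_volume(root):
    """Parse autorun.inf in the volume root; report whether each target is present."""
    names = {n.lower(): n for n in os.listdir(root)}  # FAT names are case-insensitive
    path = os.path.join(root, names.get("autorun.inf", ""))
    if "autorun.inf" not in names or not os.path.isfile(path):
        return []
    with open(path, encoding="latin-1") as fh:
        entries = parse_autorun(fh.read())
    report = []
    for key, command in entries:
        target = command.split()[0].strip('"').lower() if command else ""
        report.append({"key": key, "command": command, "target_in_root": target in names})
    return report


if __name__ == "__main__":
    # With a mount point argument, inspect that volume; otherwise parse the sample.
    found = inspect_volume(sys.argv[1]) if len(sys.argv) > 1 else parse_autorun(SAMPLE)
    for item in found:
        print(item)
```

Mount the device read-only and pass the mount point as the only argument; any entry it reports names a file worth submitting to an up-to-date scanner.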