Digital Picture Frames - Now with Free Malware!

Mark Soper — Sat, 16 Feb 2008 22:37:17 -0600

Digital picture frames showed up everywhere this past holiday season - and unfortunately, some of them, it turns out, also include a Trojan Horse payload as a 'free' bonus.

From One to Many...Vendors

The first reports in late January fingered some examples of the Insignia NS-DPF-10A 10.4-inch digital picture frames sold by Best Buy. However, the San Francisco Chronicle is now reporting that digital picture frames sold by several other vendors may also contain computer viruses, including products sold by Sam's Club, Target, and Costco. The digital picture frames involved contain flash memory to store images loaded from a PC.

A Multi-Pronged Malware Attack

Initially, it was believed that the malware on infected digital picture frames was relatively easy to deal with. One of the infections is W32.Rajump, which also infected some Apple video iPods back in October 2006. It spreads itself to removable drives and can attack Windows 9x through XP. Three other trojans are also older infections easily detectable by current antivirus programs. However, the biggest payload is a new Trojan Horse known to CA (formerly Computer Associates) as Mocmex, and identified as W32.Autorun.worm.e by McAfee.

Introducing Mocmex

Whether you call it Mocmex or W32.Autorun.worm.e, it's bad news. It performs the following actions:

- Kills various processes
- Downloads malware from two remote websites
- Deletes registry keys
- Adds registry keys to run malware
- Disables most major antivirus software products
- Disables Windows security and firewall features
- Captures passwords for online games (and could easily be tweaked to capture other types of information as well)

If that last behavior reminds you of a previous storage-based malware outbreak, you're right. We brought you reports of Maxtor external hard disks infected with malware from China back in November, and antivirus researchers, according to the Chronicle, have traced back this latest infection to a China-based group as well.

Stopping Mocmex

Mocmex can be detected by updated CA and McAfee antivirus programs (and possibly others), but because it uses Autorun.inf to spread (and can reenable Autorun, even if you have disabled this feature), waiting until you have connected the picture frame to a Windows-based PC may be too late - your system's already infected! So, how can you detect Mocmex or other nasties stored in a removable storage device? Deborah Hale at the SANS Institute (www.sans.org), a leading information security training and research firm, suggests scanning media from a computer running Linux or MacOS.

Here's a better idea, especially for us Windows diehards: create a BartPE CD (as suggested by our own Logan Decker), include your preferred antivirus tool (you'll find a list of antivirus plugins here), and use it to boot your PC and scan digital picture frames or other removable-media drives for viruses and malware.

Fake Microsoft Update Email Can Ruin Your Evening - Stop It Now!

Mark Soper — Tue, 22 Jan 2008 21:25:52 -0600

Heed This "Warning" - And You'll Be Sorry

Security vendor Sunbelt Software's blog reports that a fake warning to "update your P.C. in maximum 12 hours otherwise your Windows will be Expired" is making the email rounds. While the message (visible here) has all of the earmarks of a fake (including broken English), it might convince some technical novices that they'd better get clicking. If they do click, what happens? They download IRC.Backdoor.Trojan, an old threat that can still take over a system. It's disguised as updateWindows.exe. You can learn more about how it works by reading PacketShack.org's analysis.

Removing IRC.Backdoor.Trojan

There are a large number of variants of this nasty bit of malware, as this Tek-Tips thread suggests. It also goes by many different names depending upon the antivirus vendor, including Win32.HackTool (eSafe), Backdoor.IRC.Zapchast (F-Secure and Kaspersky), Riskware.HideWindow.B (Webwasher-Gateway), and many others (link requries a PDF reader). Some antivirus programs may have difficulty removing it.

If you're working on an infected computer and can't get rid of it, one Tek-Tips poster recommends using the free F-Secure online scanner. You must use IE6 or IE7 with ActiveX enabled to use the F-Secure scanner, and it runs on Windows XP or 2000 (a beta version is available for Windows Vista users).

What Not to Click

Tired of fixing virus and malware infections? Remind your family, friends, co-workers (and anybody else who thinks you're a technology genius) of the rules for staying out of trouble online:

Don't click links purporting to come from PayPal, eBay, or your local bank or credit union
Always log into Windows Update, e-commerce and similar sites manually
Hover the mouse over links in an email or web page to find out where it will really take you
Ignore logos and artwork when attempting to determine if an email or website is legit - they're easily stolen and reused

These can be summarized in one rule: Think before you click!

Maximum PC Trojan Horse RSS Feed