More USB Keys and Malcode
by Jose Nazario
We recently installed a wireless AV system from Teq AV. One of the things they give you is a set of USB keys with the software on them to drive the laptop. It turns out the USB keys have malcode on them. Another one of those situations!
Here’s a quick scan of one of the USB keys using ClamAV:
TeqAVIT_WiD121_Cutsheet.pdf: OK
WiD121-130_WPS_MacOS_Application-v1.0.0.8.dmg: OK
WiD121_Magnifier_utility-1.5.0.0_optional.exe: OK
WiD121_Windows_WPS_utility_Installer_Downloaded_from_Device.exe: OK
WiD121_Windows-Mobile5or6_WPS_utility_Downloaded_from_device.exe: OK
WiD121_WPS-ZoomPro_Utility.exe.lnk: OK
copy.exe: Trojan.Small-4214 FOUND
host.exe: Trojan.Dropper-829 FOUND
WiD121 User Guide Booklet_Rev2a.pdf: OK
autorun.inf: W32.Perlovga-1 FOUND
Can you spot the malcode? The three flagged files belong to the W32.Perlovga family. It is very basic: it relies on a plain autorun.inf on the USB key, which Windows honors on insertion, to launch itself on the next system. Very old school, like sharing floppies back in the 90s and getting everyone infected. The entire autorun.inf is:
[autorun]
Shellexecute=copy.exe
Copy.exe installs host.exe as C:\WINDOWS\svchost.exe, and host.exe connects to hnmy.3322.org (a dynamic DNS host). We’ve actually had the samples in our DB since late 2007. Not terribly complicated malware.
Sadly, this kind of thing will linger in such networks for weeks to come. Turn off AutoRun so autorun.inf is never acted on, scan every removable device on mount, and you’ll be safer.
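As an added example (not code from the original post or from Teq AV), the following script does the scan-on-mount check described above: it parses an autorun.inf the way Windows reads it, lists every entry that would launch a program (open=, shellexecute=, shell\verb\command=), and joins those targets against a ClamAV report so the launch chain is spelled out. The autorun.inf and clamscan output embedded below are constructed to mirror the key in the post; the /media/usb path is an assumption, not captured data.

```python
"""Audit a removable volume's autorun.inf against a ClamAV scan.

Added example, not part of the original post. Inputs at the bottom are
constructed to mirror the key described in the post; the /media/usb
mount path is an assumption.
"""
import re
from typing import Dict, List, Tuple

# [autorun] keys that execute a program on insertion or double-click.
# 'icon', 'label' and 'action' only change how the drive is presented.
EXEC_KEYS = ("open", "shellexecute")

# ClamAV per-file lines look like "path: Signature FOUND" or "path: OK".
CLAM_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>\S+) FOUND|OK)$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Windows matches section and key names case-insensitively, so
    'Shellexecute' and 'OPEN' both count; other sections are ignored.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def exec_targets(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key, program) for every entry that launches something.

    The value may carry arguments ('copy.exe /s'); only the first token,
    quoted or bare, is the program. A leading '.\\' is dropped so the name
    matches a directory listing. shell\\<verb>\\command entries are
    context-menu verbs and count as launchers too.
    """
    targets: List[Tuple[str, str]] = []
    for key, value in entries.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in EXEC_KEYS or is_verb:
            m = re.match(r'"([^"]+)"|(\S+)', value)
            if m:
                prog = m.group(1) or m.group(2)
                if prog.startswith(".\\"):
                    prog = prog[2:]
                targets.append((key, prog))
    return targets


def parse_clamscan(output: str) -> Dict[str, str]:
    """Map basename -> signature for every file ClamAV reported as FOUND.

    Summary lines ('Infected files: 3', dashed banners) do not match the
    per-file pattern and are skipped.
    """
    found: Dict[str, str] = {}
    for line in output.splitlines():
        m = CLAM_RE.match(line.strip())
        if m and m.group("sig"):
            name = m.group("path").replace("\\", "/").rsplit("/", 1)[-1]
            found[name] = m.group("sig")
    return found


def audit(autorun_text: str, clam_output: str) -> List[str]:
    """Return findings tying autorun launch targets to scan results.

    An empty list means autorun.inf launches nothing and ClamAV flagged
    nothing. FAT volumes are case-insensitive, so names are lower-cased.
    """
    findings: List[str] = []
    found = {n.lower(): s for n, s in parse_clamscan(clam_output).items()}
    launched = set()
    for key, prog in exec_targets(parse_autorun(autorun_text)):
        launched.add(prog.lower())
        sig = found.get(prog.lower())
        if sig:
            findings.append(f"{key}= launches {prog}: flagged as {sig}")
        else:
            findings.append(f"{key}= launches {prog}: not flagged, inspect manually")
    for name, sig in sorted(found.items()):
        if name == "autorun.inf":
            findings.append(f"autorun.inf itself flagged as {sig}")
        elif name not in launched:
            # Dropped or secondary payloads (host.exe here) show up this way.
            findings.append(f"{name} flagged as {sig} but not launched by autorun.inf")
    return findings


# Constructed sample input mirroring the key in the post (not captured data).
SAMPLE_AUTORUN = "[autorun]\nShellexecute=copy.exe\n"
SAMPLE_CLAMSCAN = """\
/media/usb/copy.exe: Trojan.Small-4214 FOUND
/media/usb/host.exe: Trojan.Dropper-829 FOUND
/media/usb/autorun.inf: W32.Perlovga-1 FOUND
/media/usb/WiD121_WPS-ZoomPro_Utility.exe.lnk: OK

----------- SCAN SUMMARY -----------
Infected files: 3
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_AUTORUN, SAMPLE_CLAMSCAN):
        print(line)
```

On a real mount, feed `audit()` the contents of the volume's autorun.inf and the output of `clamscan -r` over the mount point; anything it lists under "launches" is what AutoRun would have executed had it been enabled.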