Infected Christmas presents

After last year’s Christmas I thought that the producers of digital picture frames, USB sticks and MP3 players would have learned their lesson and would do better quality assurance – just to make sure they don’t deliver malware on their devices. Obviously, I was wrong.

Samsung managed not just to ship infected digital picture frames; there is also malware on the CD with some software for Windows XP – it contains a variant of the Sality trojan family. Additionally, if you plug the digital picture frame into the USB port of your computer, it will most likely automagically start the autorun.inf that sits there. Avira AntiVir detects it as TR/Dldr.VB.egl. The root directory holds 4 copies of differently named executable files, and the autorun.inf file tries to start Recycled.exe from there. The malware authors gave the trojan the icon of a directory so it would look like a folder in Windows Explorer. This Trojan is generically detected as TR/Dropper.gen.

Samsung issued a warning (PDF) and offers non-infected software for Windows XP in their download center. They just talk about the infected driver CD though – as well as the media – and don’t mention the danger of plugging the infected photo frame itself into the computer.

Please be careful when plugging such USB-connected gifts into your computer. At the very least, hold down the Shift key for some time while plugging in the device; this will stop Windows from executing the autorun.inf file. And always use an up-to-date antivirus solution – the malware found on most devices has been known for some time already.
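As an added example that is not part of the original post, the following Python script inspects the root directory of a mounted device without executing anything on it: it reads the launch entries from autorun.inf and reports which executables in the root they point to. The function names and all sample file names except autorun.inf and Recycled.exe are constructed for illustration.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")  # plus shell\<verb>\command entries
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")

def autorun_targets(inf_text):
    """Commands that the [autorun] section asks Windows to launch."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun]")
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(value)
    return targets

def command_file(cmd):
    """File name of the program a launch command starts, lower-cased."""
    first = (cmd.replace('"', "").split() or [""])[0]
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def scan_root(root):
    """Inspect a volume root by reading files only; nothing is executed."""
    entries = os.listdir(root)
    inf = next((e for e in entries if e.lower() == "autorun.inf"), None)
    targets = []
    if inf:
        with open(os.path.join(root, inf), encoding="latin-1") as fh:
            targets = autorun_targets(fh.read())
    exes = sorted(e for e in entries if e.lower().endswith(EXEC_EXT))
    wanted = {command_file(t) for t in targets}
    return {"autorun_inf": inf, "targets": targets, "root_executables": exes,
            "launched": [e for e in exes if e.lower() in wanted]}

def demo():
    """Constructed sample: a fake device root (only Recycled.exe is from the article)."""
    root = tempfile.mkdtemp()
    files = {"autorun.inf": "[AutoRun]\r\nopen=Recycled.exe\r\nshell\\open\\command=Recycled.exe\r\n",
             "Recycled.exe": "", "Photos.exe": "", "readme.txt": ""}
    for name, body in files.items():
        with open(os.path.join(root, name), "w", newline="") as fh:
            fh.write(body)
    return scan_root(root)

if __name__ == "__main__":
    print(demo())
```

On a real device, call `scan_root` with the drive's root path; a non-empty `launched` list means the autorun.inf points at an executable sitting in the root, which is the pattern described above.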

Dirk Knop
Technical Editor