
Walmart Photo Keychain Comes Preloaded With Malware

timothy posted more than 5 years ago | from the caveat-maxima-emptor dept.

Security 224

Blowit writes "With the Christmas holidays just past and opening up your electronic presents may get you all excited, but not for a selected lot of people who got the Mercury 1.5" Digital Photo Frame from Walmart (or other stores). My father-in-law attached the device to his computer and his Trend Micro Anti-virus screamed that a virus is on the device. I scanned the one I have and AVAST did not find any virus ... So I went to Virscan.org to see which vendors found what, and the results are here and here."

Update: 12/29 05:44 GMT by T: The joy is even more widespread; MojoKid points out that some larger digital photo frames have been delivered similarly infected this year, specifically Samsung's SPF-85H 8-inch digital photo frame, sold through Amazon among other vendors, which arrived with "W32.Sality.AE worm on the installation disc for Samsung Frame Manager XP Version 1.08, which is needed for using the SPF-85H as a USB monitor." Though Amazon was honest enough to issue an alert, that alert offers no reason to think that only Amazon's stock was affected.


224 comments

Disassembled? (5, Insightful)

Anonymous Coward | more than 5 years ago | (#26254821)

No one has disassembled the binary yet to see what it does? Does it call SetWindowsHookEx or something?

Re:Disassembled? (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26255005)

I don't shop at Walmart, but here's my story:

I dropped a brown rope this morning the size of a small black child. At one point, I wasn't sure if I was taking a shit, or it the shit was taking me. And while I'm on that point, what's the deal with taking a shit? Shouldn't it be leaving a shit? I'm certainly not taking anything with me when I'm done.

But back on topic, Walmart sucks ass

Re:Disassembled? (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26255035)

I don't shop at Walmart, but here's my story:

I dropped a brown rope this morning the size of a small black child. At one point, I wasn't sure if I was taking a shit, or it the shit was taking me. And while I'm on that point, what's the deal with taking a shit? Shouldn't it be leaving a shit? I'm certainly not taking anything with me when I'm done.

But back on topic, Walmart sucks ass

Why do we park in the driveway and drive on the parkway? I'll bet that blows the shit out of your mind.

Re:Disassembled? (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26255045)

Say, you wouldn't happen to be a big, beautiful all-American football hero type would you?

Re:Disassembled? (0)

Anonymous Coward | more than 5 years ago | (#26255507)

twitter, is that you?

Obligatory (0)

Anonymous Coward | more than 5 years ago | (#26255115)

Can you send a picture (not infected of course) of this ?

Re:Disassembled? (-1, Redundant)

darkpixel2k (623900) | more than 5 years ago | (#26255499)

No one has disassembled the binary yet to see what it does? Does it call SetWindowsHookEx or something?

After seeing the slashdot article, I decided to scan one I recently bought for my wife. Sure enough. Virus.

Funny thing though--it didn't run under Linux.

Re:Disassembled? (5, Funny)

Anonymous Coward | more than 5 years ago | (#26255671)

Funny thing though--it didn't run under Linux.

Does anything run under Linux? If only Linux could correctly run even a virus!

Were they made by Sony? (2, Funny)

Zymergy (803632) | more than 5 years ago | (#26254857)

I have read about Sony adding Malware (and Rootkits) to their consumer USB removable devices before...

I also wonder if these files "DPFMate.exe" and "FEnCodeUnicode.dll" are something someone post-production put on the devices or if these files are some intended application?
Never having used a digital photo frame before, I assume one simply copies image files into a mounted USB attached drive letter folder? (similar to how USB drives mount as a removable drive letter folder in Windows)

Re:Were they made by Sony? (0)

Anonymous Coward | more than 5 years ago | (#26254885)

No, they weren't made by Sony. Walfart is getting into sub-prime lending by opening its own pwn shop.

Re:Were they made by Sony? (1)

blueg3 (192743) | more than 5 years ago | (#26255057)

Malware, no. Rootkits, yes.

Re:Were they made by Sony? (4, Insightful)

Opportunist (166417) | more than 5 years ago | (#26255435)

Care to explain how a rootkit could be considered anything but malware?

If they do nothing else, they compromise the security of a system.

Re:Were they made by Sony? (3, Funny)

stonedcat (80201) | more than 5 years ago | (#26255475)

Sony disagrees with you there pal.

I mean shit, you wouldn't want people putting DRM protected pictures on their digital photo-whatsits.

Re:Were they made by Sony? (2, Insightful)

Opportunist (166417) | more than 5 years ago | (#26255861)

And about every security researcher on this planet agrees with me. Now, who would you rather listen to when it comes to the security concerns of your computer?

Re:Were they made by Sony? (5, Insightful)

Lord_Sintra (923866) | more than 5 years ago | (#26256117)

Technically, kernel level debuggers can be classified as rootkits, as they use rootkit techniques to gain the level of access they need to be able to work.

Old news (4, Informative)

Afforess (1310263) | more than 5 years ago | (#26254859)

This is old news. It has happened before. Case and Point. [foxnews.com]

Re:Old news (2, Insightful)

wdsci (1204512) | more than 5 years ago | (#26254921)

Sure, but as long as it's up on /. I'm sure people who have one of these things will appreciate the warning. Just my opinion, but it's not all that bad to repeat similar stories every once in a while if it's the kind of thing that people are likely to get complacent about and/or forget about.

Packer (5, Informative)

micksam7 (1026240) | more than 5 years ago | (#26254993)

It's not a virus, it's just an exe packer they used.

Virus scanners have been labeling PE Packers as viruses for ages now, simply because a virus could be packed with them, and it's easier to pick out a packer header than a virus contained in it.

A lot of false positives are caused by this, and this looks like one of those cases based on what you linked. "Generic" "NSPack" "PossibleThreat" in the VirSCAN links give that away.

EXE/PE Packers simply compress a binary and decompress it on the fly, simply to save space or "load faster". Likely Walmart's programmers used one to keep the app's size small on a small device like that.

I've dealt with this situation in size-coding competitions before, and it's not fun. A lot of false positives are caused simply because a packer was used.

Fortunately, some of the better virus scanners actually unpack the software before checking it, or look for valid virus signatures instead of a simple Packer.

This basically is just a case of virus scan companies being lazy.
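The packer heuristics discussed in this comment, as an added example (not code from the thread or from any antivirus product): it reads a PE section table and reports three indicators that say "packed", none of which says "malicious". Both samples are constructed byte layouts rather than real programs, and the section-name list and the 7.0 entropy limit are assumptions chosen for illustration.

```python
import hashlib
import math
import struct

# Section names left behind by some runtime packers (illustrative, not exhaustive).
PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX",
                   ".nsp0": "NsPack", ".nsp1": "NsPack", ".nsp2": "NsPack"}
ENTROPY_LIMIT = 7.0            # bits/byte; compressed or encrypted data approaches 8.0
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000   # section characteristics flags


def entropy(data):
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def sections(image):
    """Yield (name, raw_bytes, characteristics) for each entry in the PE section table."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe,) = struct.unpack_from("<I", image, 0x3C)            # e_lfanew
    if pe + 24 > len(image) or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # NumberOfSections and SizeOfOptionalHeader from the COFF header
    count, opt_size = struct.unpack_from("<H12xH", image, pe + 6)
    table = pe + 24 + opt_size
    for i in range(count):
        off = table + 40 * i
        if off + 40 > len(image):
            raise ValueError("truncated section table")
        # Name, SizeOfRawData, PointerToRawData, Characteristics
        name, raw_size, raw_ptr, flags = struct.unpack_from("<8s8xII12xI", image, off)
        yield (name.rstrip(b"\0").decode("ascii", "replace"),
               image[raw_ptr:raw_ptr + raw_size], flags)


def packer_indicators(image):
    """Return sorted (section, indicator) pairs for one PE image."""
    found = set()
    for name, raw, flags in sections(image):
        if name in PACKER_SECTIONS:
            found.add((name, "name used by " + PACKER_SECTIONS[name]))
        if len(raw) >= 256 and entropy(raw) > ENTROPY_LIMIT:
            found.add((name, "high entropy"))
        if flags & MEM_EXECUTE and flags & MEM_WRITE:
            found.add((name, "writable and executable"))
    return sorted(found)


def build_image(section_list):
    """Constructed sample: headers, section table and raw data only; not a runnable program."""
    pe = 0x40
    data_start = pe + 24 + 40 * len(section_list)
    head = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe)
    head += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_list), 0, 0, 0, 0, 0x0102)
    table, body = b"", b""
    for name, raw, flags in section_list:
        table += struct.pack("<8s8xII12xI", name.encode(), len(raw),
                             data_start + len(body), flags)
        body += raw
    return head + table + body


# Stand-in for compressed data: 4 KiB of hash output (deterministic, close to 8 bits/byte).
COMPRESSED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PACKED_SAMPLE = build_image([(".nsp0", b"", 0xE0000080),
                             (".nsp1", COMPRESSED, 0xE0000040)])
PLAIN_SAMPLE = build_image([(".text", b"\x55\x8b\xec\x90" * 1024, 0x60000020),
                            (".data", b"\0" * 512, 0xC0000040)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, packer_indicators(image))
```

A scanner that stops at these indicators returns the same result for a packed photo-frame utility and for packed malware, which is why the payload has to be unpacked or emulated before a verdict means anything.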

Re:Packer (2, Informative)

micksam7 (1026240) | more than 5 years ago | (#26255009)

those cases based on what you linked
-> those cases based on what the summary linked.

Slight target issue, apologies.

Re:Packer (5, Insightful)

poetmatt (793785) | more than 5 years ago | (#26255033)

I suppose it's no surprise then that Trend Micro (and likely McAfee) went berserk while Avast did not? Although I think we had that controversy with the "clamAV vs McAfee" virus scanning thing a year or two back.

Re:Packer (2, Informative)

blueg3 (192743) | more than 5 years ago | (#26255087)

Fortunately, some of the better virus scanners actually unpack the software before checking it, or look for valid virus signatures instead of a simple Packer.

Unfortunately, advanced packers can detect this and can unpack differently if they are being unpacked by a virus scanner. Part of the point of using a packer for a virus is its ability to disguise the signature, so looking for a signature without unpacking is pointless.

Re:Packer (0)

Anonymous Coward | more than 5 years ago | (#26255367)

following your logic, it seems it would be pointless either way. For advanced viruses, that is.

Re:Packer (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26255101)

Speaking of packers

Donovan McNabb whipped out his large black schlong today and packed Tony Romo, T.O, Jerry Jones, and Wade Phillips fudge in a brutal assraping the likes of which has not been seen in decades. That's probably why Andy Reid wore a 4 day beard...he planned on giving you the old homeless man reacharound.

Good show, Dallas. Comedy gold.

Re:Packer (0, Offtopic)

Anonymous Coward | more than 5 years ago | (#26255217)

The Chargers' fudgepacking of the Broncos was equally enjoyable. Today was a good day for football.

Re:Packer (1)

winphreak (915766) | more than 5 years ago | (#26255117)

First, thanks for explaining the EXE packer use, I wasn't sure what legit uses there were for it.

From my experience, Avira hasn't flagged any packed EXEs unless there was an actual virus header in the file. Is there anyone with Avira who can prove me right or wrong?

Re:Packer (3, Interesting)

ianare (1132971) | more than 5 years ago | (#26255139)

I've had cases where executables created with py2exe were triggering virus scanners. A few users reported this to the virus scanning companies, and the problem went away the next time the virus databases were updated.

Re:Packer (4, Insightful)

Opportunist (166417) | more than 5 years ago | (#26255449)

Erh... not entirely true.

Yes, some virus scanners label anything that is runtime packed as malware, mostly because malware writers have been using packers as a cheap and easy disguise. But c'mon, that's so 2006.

Most AV suites today are able to unpack those runtime packers. I know of a suite that even sandboxes the program and executes it in a virtual machine to see if it results in some unpacked code.

Exepackers do NOT save you space, though! If anything, they're a memory bloat because more often than not you have the packed and the unpacked version of the program in ram, eating up space needlessly, so I stopped using them. Ram is precious, HD space isn't.

Re:Packer (3, Insightful)

Xtense (1075847) | more than 5 years ago | (#26256033)

> Ram is precious, HD space isn't.

Speed is precious too. Executable packers make sense when your .exe is something like 40MB, because your stupid project manager forced you to include a bunch of idiotic resources into it, something along the lines of bitmaps and uncompressed wave files (true story!). It may sound funny, but with current run-of-the-mill consumer CPUs it is actually faster to read a small file from the HD and uncompress a resource than to wait for the whole executable to load all this bloat. Still, we're talking about a speed difference of around 300-400ms (yes, i took these out from my ass, but those were results of our crappy testbed), so it's not something a typical consumer would notice, although pretty numbers are a good thing when your boss doesn't know shit about computers.

Re:Old news (3, Insightful)

lysergic.acid (845423) | more than 5 years ago | (#26255037)

if it's already known to be such a problem, then why does Microsoft continue to enable autoplay by default in Windows? it's annoying enough to have autoplay applications pop up on the screen every time you insert a CD, but with USB flash drives it's just plain reckless.

USB storage devices are today's floppy disks. people use them to move files between computers, and a single device may get plugged into dozens of computers. so a lot of trojans/malware now detect when a removable drive is connected to the computer and automatically infect the drive and create an autorun.inf file so that the next computer that the thumbdrive/digital camera/iPod/PSP/etc. gets connected to will be infected as well.

yet most Windows users seem completely oblivious to this danger. and with the proliferation of USB storage devices this problem will just get worse. at the very least users should be prompted before executing an autoplay program.

Re:Old news (3, Informative)

blueg3 (192743) | more than 5 years ago | (#26255075)

USB storage devices aren't actually eligible for AutoPlay. However, if the device presents itself as if it were, say, a CD-ROM, it is. This is how the U3 devices work, which present both a "CD" and a USB disk. The operating system can't really enforce policies on how USB devices present themselves to the system.

Also, my Vista machine, by default, does not actually run the AutoPlay executable without user confirmation.

Re:Old news (0, Offtopic)

trum4n (982031) | more than 5 years ago | (#26255227)

every flash drive i have, even my card SD reader, AutoPlays. And i the only person that dosetn run AntiVirus......yet has no computer problems? this is year 3 without a single problem. WinXP Pro, modified to get rid of auto updates and the DRM, never a problem. Hell, i download from LimeWire, and the internet in general, and have no problem. I dont open things from untrusted sources, and i use firefox with adblock.

Re:Old news (0)

Anonymous Coward | more than 5 years ago | (#26255317)

Why did I have to run out of mod points before I read this? I would've modded you down for your horrendous grammar and spelling. You're an idiot. An hero now, please, for the sake of our goddamn species.

Re:Old news (0)

Anonymous Coward | more than 5 years ago | (#26255497)

I am pretty sure English is not that guy's first language. Be nice =)

Re:Old news (4, Informative)

lysergic.acid (845423) | more than 5 years ago | (#26255295)

USB devices certainly are eligible for autoplay, they just prompt the user when the device is first connected by default. however, an autorun.inf file can still change the default action for that drive, so that when the user double clicks on the volume in My Computer, it will run the autoplay program rather than open up the drive for browsing. and in that situation the user gets no warning.

and i'm not sure what U3 is, but i know that if a removable drive has a partition formatted with CDFS, Windows will assume that it's a copy-protected CD and will allow autoplay without the user's consent regardless of your autoplay settings. i think this can be done with any USB drive, which in a way makes disabling autoplay or prompting the user useless. just one more way consumers get screwed by DRM i guess.

Re:Old news (2)

ConceptJunkie (24823) | more than 5 years ago | (#26255325)

That is indeed one of the stupidest features ever put in Windows, and there is no reliable way to disable it. I don't want autolaunch. I've never wanted it. I never will want it. And yet, I'm stuck with it for all eternity on every Windows machine I will ever use.

Re:Old news (2, Informative)

gparent (1242548) | more than 5 years ago | (#26255811)

That is indeed one of the stupidest features ever put in Windows, and there is no reliable way to disable it.

There's a registry hack on google.

Re:Old news (2, Informative)

jackharrer (972403) | more than 5 years ago | (#26255963)

Disable service called Shell Detection something. That will switch off Autoplay for everything globally. Easiest solution and saves you memory and load time.

Turning off AutoRun in Windows XP (5, Informative)

MitchAmes (1080977) | more than 5 years ago | (#26255831)

For Windows XP, SP2 ...

Tweak UI allows disabling of AutoPlay either by device type (eg CD) or drive letter, and the setting is stored in the user registry under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer], but Tweak UI only shows the settings if the user is an Administrator.

However according to Microsoft's TechNet web-site, the NoDriveTypeAutoRun setting in HKCU is ignored if there is a corresponding entry in HKLM, so to disable AutoPlay on all drive types for all users:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

If AutoPlay is enabled, actions per content type can be set per user by right-clicking the drive in Explorer, then selecting the AutoPlay tab. The options are stored in [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\UserChosenExecuteHandlers]. The default (which is to prompt the user) can be restored by deleting the entries. Note that there doesn't appear to be an option for "data only".

So far as I know, if AutoPlay is enabled (which it is by default), you can't disable AutoRun.inf. However, if the user is not an administrator, Explorer will prompt for an Administrator logon before doing anything.
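An added example, not part of the thread or any poster's code, covering two points made above: the autorun.inf default-action behaviour described earlier by lysergic.acid and the NoDriveTypeAutoRun precedence described in this comment. It lists the commands an autorun.inf names and evaluates the policy bitmask for one drive type; the sample file and the function names are constructed for illustration, and the registry values are passed in as plain integers rather than read from a live system.

```python
import re

# NoDriveTypeAutoRun is a bitmask; a set bit turns AutoRun off for that drive type.
DRIVE_TYPE_BIT = {"unknown": 0x01, "removable": 0x04, "fixed": 0x08,
                  "network": 0x10, "cdrom": 0x20, "ramdisk": 0x40}

# [autorun] keys whose value is a command line.
COMMAND_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")


def effective_mask(hklm, hkcu):
    """HKLM wins when present, as the comment above reports from TechNet. None = not set."""
    return hklm if hklm is not None else hkcu


def autorun_off(mask, drive_type):
    """True/False when a policy value exists, None when the OS default applies."""
    if mask is None:
        return None
    return bool(mask & DRIVE_TYPE_BIT[drive_type])


def autorun_commands(inf_text):
    """Return (commands, default_verb) from the [autorun] section of an autorun.inf."""
    commands, default_verb, in_autorun = {}, None, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue                      # skip junk lines instead of failing on them
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if COMMAND_KEY.match(key):
            commands[key] = value
        elif key == "shell":              # names the verb used as the drive's default action
            default_verb = value.lower()
    return commands, default_verb


def review(inf_text, drive_type, hklm=None, hkcu=None):
    """Summarise what an autorun.inf would launch and whether policy covers the drive type."""
    commands, default_verb = autorun_commands(inf_text)
    default_cmd = commands.get("shell\\%s\\command" % default_verb) if default_verb else None
    return {
        "policy_turns_autorun_off": autorun_off(effective_mask(hklm, hkcu), drive_type),
        "commands": sorted(set(commands.values())),
        "default_action_command": default_cmd,
    }


# Constructed sample file for this example.
SAMPLE_INF = r"""
[AutoRun]
; constructed sample
open=setup.exe
icon=folder.ico
shell=browse
shell\browse\command=setup.exe /quiet
this line has no equals sign
[Other]
open=ignored.exe
"""

if __name__ == "__main__":
    print(review(SAMPLE_INF, "removable", hklm=0xFF, hkcu=0x91))
    print(review(SAMPLE_INF, "removable", hkcu=0x91))
```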

Re:Old news (1)

Opportunist (166417) | more than 5 years ago | (#26255455)

Because of stupid users who're unable to open an Explorer and run programs. They want to slip in their CD and they want their game or program to start without having to worry about the system. I know at least two people who start their programs by opening and closing the CD tray with the relevant CD inside. I know that because I routinely go there twice a month to harvest a sample of the latest trojans running rampant...

Re:Old news (1)

Macthorpe (960048) | more than 5 years ago | (#26255721)

Vista provides you with an Autoplay menu rather than just playing the thing, even if autorun.inf is present - if you don't want it to pop ever again, you can hit 'Do nothing' and 'Never ask me again'.

Re:Old news (1)

Mycroft_VIII (572950) | more than 5 years ago | (#26255843)

Not for everything, I've had to use restore twice because it auto-played that stupid player on some dvd's and scrambled my ability to watch a dvd with any other program (sometimes windows built in crap worked, but that's it).
    This is on vista64 ultimate.

Mycroft

Re:Old news (1)

hairyfeet (841228) | more than 5 years ago | (#26256083)

For those that use or work on Windows boxes I would suggest TuneUp Utilities 2007 [all4you.dk] which they give you for free at the link I just posted in the hopes you'll like it and buy the latest version. It gives you a ton of tools to customize and control Windows and works on 98-Vista. To turn off Autoplay on any drive you desire(you can keep CD/DVD autoplay or pick and choose with this tool) simply go to Tuneup Systemcontrol/Administration(4th one from the top)/Drives/Autoplay. This will let you turn on/off autoplay for individual CD/DVD drives, removable media, floppy, network drives, RAM drives, and unknown where you can choose by drive letter which to allow or disallow.

This is a great little free tool to have in your toolbox if you have to work on Windows machines. Pretty much everything you could want to change you can from this tool. It also has a nice process manager and reg editor built in. After the last round of these flash bugs hit I started disabling all autoplay from removable drives for all machines coming across my desk. I have to agree with you that the braintrust at MSFT that set autoplay as default for removable drives really should get fired. It is just too easy to pass bugs through autoplay. I'm just glad I stumbled across a tool that makes it trivial to disable it while leaving the autoplay for DVDs that my customers want.

Re:Old news (1, Informative)

Anonymous Coward | more than 5 years ago | (#26255125)

I believe the phrase is "case in point [thefreedictionary.com]".

Re:Old news (0)

Anonymous Coward | more than 5 years ago | (#26255587)

Dude, it's case in point, not and. I don't normally bother with that sort of thing, but I figure it will save you some embarrassment sooner or later.

Did you tell Walm*rt? (4, Informative)

plover (150551) | more than 5 years ago | (#26254861)

Write them a letter telling them what you found. Try this link http://walmartstores.com/contactus/feedback.aspx [walmartstores.com] to get to their headquarters, where something might get done about it. Include enough technical detail for them to replicate the problem, especially the model number or any other identifying information from the package.

If you want someone to care enough to write back, try to not sound accusatory or threaten to sue them. I'm sure they get enough of that on a daily basis.

Re:Did you tell Walm*rt? (2, Interesting)

Mashiki (184564) | more than 5 years ago | (#26255147)

This looks more like a false positive than anything, but unless Blowit actually submitted these files to all the antivirus vendors or went through one of the folks in the industry to fast-track it for checking there's no way to tell. There's a few places where this can be done(dslreports being my favorite), and send it off to the lab and see if it's a false positive or not and get an update pushed.

There's been innumerable cases in the past where files have been marked as virus/trojans due to similar encodings in the headers. While I took a look through the list as well, all of the decent av products didn't pick it up; while all of the poor ones did which simply tells me that they're using basic heuristics to look.

Could make an interesting photo! (0)

Anonymous Coward | more than 5 years ago | (#26254873)

Did you take a picture of it?

Flagged by shit anti-viruses (0, Interesting)

Anonymous Coward | more than 5 years ago | (#26254877)

Shit anti-viruses shitting their pants over the packer used and then pumping out a false positive (yes, in this case, I'm pointing at you too Avira!).

Re:Flagged by shit anti-viruses (2, Interesting)

Ethanol-fueled (1125189) | more than 5 years ago | (#26255313)

It's like pointing and yelling "terrorist!" at some random guy just because he's wearing a turban.

Why invest in more intelligent heuristics and R&D when you could simply invest in fancy popup bubbles and slowing the customer's computer to a crawl with nagware! That's what happens when marketing takes over, folks!

false positives? (5, Informative)

Anonymous Coward | more than 5 years ago | (#26254883)

Looks to me like they used some kind of packer to make the exe's small to not take up a lot of space on the device (understandably). A lot of scanners will automatically detect packing as malware and, due to the nature of how a packer works, trojan is the logical choice. I have a similar problem with anything I compile with delphi since a lot of malware is developed in delphi.

My 2 cents worth...

that's why USB autoplay is a bad idea (4, Interesting)

lysergic.acid (845423) | more than 5 years ago | (#26254899)

this time it seems like it was the vendor's screwup, which is very rare, but it's very easy for someone to have a clean USB stick, then plug it into an infected PC and unknowingly get a trojan written to the USB stick.

i recently had close call myself when i took my PSP to work and plugged it into a workstation (i had some utilities and e-books saved on the memory stick). when i got home and plugged the PSP into my desktop, i noticed the PSP memory stick was displayed with an odd icon in My Computer. so i looked at the root directory and found a suspicious .exe file that i hadn't placed there, which was also referenced by a new autorun.inf file.

with thumbdrives, external hard drives, portable media players, and other flash memory devices becoming increasingly common, i expect more and more malware writers will exploit them as an infection vector, especially as autoplay is usually enabled by default on Windows systems. the only reason i had autoplay disabled was because i found it annoying, and that's the only reason i lucked out.

Re:that's why USB autoplay is a bad idea (1)

Farmer Pete (1350093) | more than 5 years ago | (#26255025)

On my computers USB autoplay doesn't work automatically. Sure, it pops up the window asking me what I want to do, (and one of those options will be the autorun.inf choice), but I have to click to let it do its thing. That's why any good infection will come from a flash drive with U3 software on it. I've got a nice flash drive that will steal all your passwords in about 10 seconds after it's plugged in. No popups. It's also not detected by most AV programs, and since it's a virtual CD, the most they can do is not let the exe(s) run.

Re:that's why USB autoplay is a bad idea (1)

lysergic.acid (845423) | more than 5 years ago | (#26255235)

well, there are several different ways autoplay can infect a machine. if you have it so that USB drives prompt you for the action to take each time, then you're protected from the autoplay program running upon drive attachment (in pre-Vista versions of Windows you can also hold [shift] when you insert a disc or attach a flash drive to disable autoplay.) but there's still the danger that the user might double-click on the attached device in My Computer, which will still execute the autoplay program if there is one.

i mean, most people are used to just double-clicking on a removable volume to browse its contents. i know i am. so even if you have autoplay set to prompt the user, if you try to open up the volume in this way you'll still be infected. so it's best to disable autoplay completely or get into the habit of right clicking on removable volumes to browse their contents rather than double-clicking or hitting enter, which will simply execute the default action.

of course, the situation isn't helped by the fact that there's no easy way [wikipedia.org] for users to change autoplay behavior except to use TweakUI, which doesn't come with Windows.

Re:that's why USB autoplay is a bad idea (3, Interesting)

Beardo the Bearded (321478) | more than 5 years ago | (#26255077)

Funnily enough, there's a rumour going around that USB sticks were used to hack into the Pentagon:

http://catless.ncl.ac.uk/Risks/25.47.html#subj5 [ncl.ac.uk]

From the link:
If true, it was a simple but brilliantly effective method. Someone infected thumb drives with the WORM then dropped them around the Pentagon parking lot. The employees, picked them up, took them into their offices and plugged them into their office computers to determine the owner of the drive.

Re:that's why USB autoplay is a bad idea (1)

Jah-Wren Ryel (80510) | more than 5 years ago | (#26255535)

Funnily enough, there's a rumour going around that USB sticks were used to hack into the Pentagon:

I saw that in RISKS when it first came out and I'm surprised it hasn't been disputed yet. The reasons being that

(a) Dropping a bunch of infected media in the parking lot of the target is an old urban legend / joke among security pros

(b) The "hack" being referenced was of classified systems - and most secure sites disable the USB ports (and other media loaders like floppies and DVD drives) on all but a handful of reduced access machines plus their security officers should be beating their users over the head about the process for bringing data onto the secure systems - anti-virus scanning, even of COTS media and media the user creates himself, should be de rigueur.

(c) An attack like that is hard to target - so you got malware onto a classified network, other DoS, you can't really expect to get much out of it - it isn't terribly feasible to retrieve any data such malware might acquire.

So, while certainly possible, I think the rumor is unlikely to be true in that particular case.

Re:that's why USB autoplay is a bad idea (1)

lordSaurontheGreat (898628) | more than 5 years ago | (#26256011)

While it's a great idea,* USB drives aren't allowed to connect to secure assets. You can lose your clearance by just bringing a USB drive into a secure room.

*Great idea thinking as a white hat trying to break in to better defend, of course.

Re:that's why USB autoplay is a bad idea (2, Informative)

gzipped_tar (1151931) | more than 5 years ago | (#26255411)

Viruses exploiting the AutoPlay is nothing new and going wild. The other day I went to a printing shop with stuff I was going to print stored on a USB stick. I plugged it in the Windows box at the shop and it got infected. Three "folder" icons appeared in the Windows file manager but they were not directories -- they were trojan executables with the icons identical to the default one for directories. They all ended in .exe but the Windows file manager hid the extension part of filename by default so a careless user couldn't tell that from a directory. Also the "autorun.inf" was clearly modified to point to the malware (written in plain text).

I was not infected because my machine is a Linux one and I know these malware tricks well, but I can imagine how many customers of that shop are tricked to click on the trojan program.

Autorun is evil. It is so vulnerable to exploitation and of little use and it's enabled by default on Windows. Sadly, the GNOME team, whose goal is to copy every mistake done by Microsoft, choose to mount removable media automatically by default. What's their next quest? Certified malware-to-malware compatibility?

Luckily I ditched GNOME long ago.

Avast (1)

Republican Gun (1174953) | more than 5 years ago | (#26254903)

If avast didn't find it then....

Re:Avast (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26254947)

If avast didn't find it then....

then what? is avast the holy grail of antivirus software or what? are you a moron?

inconclusive... (3, Insightful)

retchdog (1319261) | more than 5 years ago | (#26254905)

According to those links you provided, Trend Micro did not find anything wrong. (could be different settings, version, &c.) However... many of the positives were heuristic and, as further evidence of this, the identifications were not consistent.

Maybe it's just badly coded junk; nearly as bad, perhaps, but exactly what you'd expect from the Wal*Mart holiday special.

(insert obligatory comment about slashdot editors)

Not necessarily infected (5, Insightful)

arth1 (260657) | more than 5 years ago | (#26254909)

Keep in mind that it might be a false positive. Those happen, and sometimes you find the same false positive in more than one AV product when they simply copy from each other instead of creating their own definitions from the real thing.

An example is the game The Witcher, which triggered a false AV protection in ESET Nod32 antivirus. Then, suddenly, a couple of months later, a couple of other products also started seeing a virus here. There was none -- the packer that had been used by the game had also been used for a virus, and the signature was copied from NOD32 to some less successful AV programs without further ado.

So, don't just take it on face value that there is a virus -- especially not when none of the really big players with low false positive rates can detect it. It may be one, but don't blindly assume so.

Re:Not necessarily infected (1)

Farmer Pete (1350093) | more than 5 years ago | (#26255043)

I use AutoHotKey for some macroing. Someone must have used it to make a virus, cause Symantec started detecting it as a trojan. A few changes to the packaging and it's not detected again. False positives are really annoying.

And let's see.. (3, Insightful)

Anonymous Coward | more than 5 years ago | (#26254925)

Hmm... I see a bunch of AV's that are prone to give false positives give positives, while F-Secure, Kaspersky, Antivir, AVG, McAfee don't give anything off, Gee, could it possibly be that it's a false positive? [Hurr]OH I DUNNO[/Durr]

For those sarcastically challenged.

Yes, it's 99.99% sure it's a false positive.

have I missed something? (-1, Offtopic)

glitch23 (557124) | more than 5 years ago | (#26254937)

With the Christmas holidays

uh, since when has there been more than one Christmas? Do you politically correct people know how stupid you sound to other, more sane, people? This could be modded as off-topic but then again I did reply to something within the submission text so is it really off-topic or did I just bring up something some people just don't want to talk about?

Re:have I missed something? (0)

Anonymous Coward | more than 5 years ago | (#26255003)

Actually, there are multiple Christmas holidays. Besides Christmas Day itself, how about Advent and Three Kings Day?

Plus, what Americans call "vacation" is referred to as "holidays" in Britain.

Do you ignorant people know how stupid you sound to other, more cosmopolitan people?

Re:have I missed something? (0)

gregbot9000 (1293772) | more than 5 years ago | (#26255505)

Do you know how biased you sound to other, more objective people when you act like being more cosmopolitan gives you some intrinsic value over others? Why don't you just come out and say "more civilized," or "more white," since you're making value judgments based on bias over reason anyways.

Re:have I missed something? (0)

Anonymous Coward | more than 5 years ago | (#26255661)

Fuck off, farmboy

Re:have I missed something? (0)

Anonymous Coward | more than 5 years ago | (#26255007)

More sane... or just saner?
The holidays are at Christmas, hence "Christmas Holidays". Sheesh!

Re:have I missed something? (1)

XDirtypunkX (1290358) | more than 5 years ago | (#26255017)

So people should change to take your beliefs into account? We could call it "the period surrounding Christmas", would that term be correct with your single-holiday politics? I'm sorry, we should be more sensitive to your needs.

Re:have I missed something? (2, Informative)

Jeremy Erwin (2054) | more than 5 years ago | (#26255071)

Christmas is a twelve day feast that starts on Dec 25, and doesn't let up until Epiphany.

Re:have I missed something? (1, Informative)

Anonymous Coward | more than 5 years ago | (#26255269)

Perhaps where you live, but for others Christmas starts on Dec 24.

more to come... (0, Flamebait)

FunkyELF (609131) | more than 5 years ago | (#26254981)

I didn't RTFA...whatever. Anyway, I'm sure this product came from China since it was sold at Walmart. I remember a while back people speculating about China's x86 compatible processor having undocumented opcodes for some alterior motive. This is all part of the China conspiracy.

Re:more to come... (0)

Anonymous Coward | more than 5 years ago | (#26254991)

I didn't RTFA...whatever. Anyway, I'm sure this product came from China since it was sold at Walmart. I remember a while back people speculating about China's x86 compatible processor having undocumented opcodes for some alterior motive. This is all part of the China conspiracy.

Did your bottle of eggnog come with a free tinfoil hat?

bottle? (0)

Anonymous Coward | more than 5 years ago | (#26255061)

I drink my eggnog straight out of the [redacted]

Re:more to come... (0)

Anonymous Coward | more than 5 years ago | (#26255083)

Maybe you need to get down with the Hooked on Phonics conspiracy; it's ulterior, not "alterior".

Re:more to come... (1)

plover (150551) | more than 5 years ago | (#26255155)

Maybe you need to get down with the Hooked on Phonics conspiracy; it's ulterior, not "alterior".

Depends on the news server. I used to claim to read alt.erior until my wife discovered I was just downloading the pictures.

Can't seem to run the virus on my mac (2, Funny)

exabrial (818005) | more than 5 years ago | (#26255095)

Sigh, still no cross-platform support for Malware!

Re:Can't seem to run the virus on my mac (3, Funny)

WTF Chuck (1369665) | more than 5 years ago | (#26255239)

And when the hell are the malware writers going to start open sourcing their code? They do everything they can to push their pre-compiled binaries onto people's machines, why not the source as well?

Whoa there laddy! (0)

Linker3000 (626634) | more than 5 years ago | (#26255099)

Liberal use of the words 'allegedly', 'might' and 'may' - and a few question marks - might have been appropriate here.

How many samples of the product have been tested, did you give the supplier a chance to verify your findings or consult an independent expert?

More importantly, how much have you set aside to cover the possible lawsuit for damaging Walmart's sales?

Re:Whoa there laddy! (1)

DeadPixels (1391907) | more than 5 years ago | (#26255149)

Yeah, I'd be hesitant about saying that the keychain definitely comes "preloaded with malware" when only ~30% of the scanners on Virscan are reporting "generic" possible malware.

Don't know whether to blame the editors or submitter for this one.
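The reasoning several commenters apply to the Virscan output (how many engines hit, whether the labels are only heuristic or generic, and whether the engines agree on a name) can be written down as a small triage routine. This is an added example, not part of any comment or of Virscan; the token lists, engine names and all labels except the W32.Sality.AE name quoted in the story are constructed assumptions.

```python
import re
from collections import Counter

# Label tokens that say "looks odd" rather than naming a specific family.
# (Assumed list for illustration, not any vendor's naming standard.)
GENERIC_TOKENS = {"heur", "heuristic", "generic", "suspicious", "packed",
                  "packer", "malware", "unknown", "variant", "agent"}
# Platform and category prefixes that carry no family information.
TYPE_TOKENS = {"win32", "trojan", "worm", "virus", "backdoor", "dropper",
               "downloader", "riskware", "adware"}

def family(label):
    """Best-effort family token, or None when the label is purely generic."""
    tokens = [t for t in re.split(r"[^a-z0-9]+", label.lower()) if t]
    named = [t for t in tokens
             if len(t) > 3 and t not in GENERIC_TOKENS and t not in TYPE_TOKENS]
    return named[0] if named else None

def triage(results):
    """results maps engine -> label (None = clean). Summarise the verdicts."""
    hits = [label for label in results.values() if label]
    families = Counter(f for f in map(family, hits) if f)
    top_count = families.most_common(1)[0][1] if families else 0
    return {
        "detection_ratio": len(hits) / max(len(results), 1),
        "generic_only": sum(1 for label in hits if family(label) is None),
        "families": dict(families),
        # Share of hits that agree on the most common family name.
        "agreement": top_count / len(hits) if hits else 0.0,
    }

# Constructed results: three heuristic hits, seven clean engines.
INCONSISTENT = {"engine_a": "Heur.Suspicious", "engine_b": "Generic.Packed.1",
                "engine_c": "Trojan.Win32.Generic",
                **{f"engine_{i}": None for i in range(7)}}
# Constructed results: three engines naming the same family in their own style.
CONSISTENT = {"engine_a": "W32.Sality.AE", "engine_b": "Virus.Win32.Sality.aa",
              "engine_c": "Win32/Sality.AE", "engine_d": None}

if __name__ == "__main__":
    print(triage(INCONSISTENT))
    print(triage(CONSISTENT))
```

A low ratio with `generic_only` equal to the number of hits and zero agreement matches the pattern the commenters read as a likely false positive; it is a reason to inspect the file further, not proof that it is clean.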

If you are dumb enough to buy china made (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#26255163)

products, then you deserve this. The Chinese gov. as well as plain ol' crackers are changing the designs to include loads of malware and spying on the west. The fact that ppl are dumb enough to buy this crap means that they deserve it.

Why are you so shocked? (4, Interesting)

OrangeTide (124937) | more than 5 years ago | (#26255197)

You think they buy virus scanner software in a Chinese factory? No, these guys cut every corner they can to meet those razor thin profit margins.

i think some are on purpose (1)

Z80a (971949) | more than 5 years ago | (#26255459)

I got my hands on a pink "MP5" thing (hate that mp4/mp5/mp6 crap), and it not only has an autorun.inf pointing to a virus as you expect, it also keeps rewriting the damn thing when I erase it. It points to a file in the recycler, and the recycler of the device has a weird file in it. It's like the MPthing's own firmware is actually writing the virus onto it.
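A defender can check for the pattern described in the comment above (an autorun.inf whose launch entries point into the device's recycler directory) by reading the file as text, without opening the drive in Explorer. This is an added example, not part of the comment; the sample file, the directory list and the extension list are constructed assumptions.

```python
import re

# [autorun] keys whose value Windows treats as something to launch.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
# Directories that should never hold a program a user is meant to start.
HIDING_DIRS = {"recycler", "recycled", "$recycle.bin", "system volume information"}
EXEC_EXT = re.compile(r'\.(exe|scr|pif|bat|cmd|vbs|js|dll)(?=$|[\s",])', re.I)

def parse_autorun(text):
    """Return {key: value} from the [autorun] section, skipping junk lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def audit_autorun(text):
    """List (key, value, reasons) for every launch entry in the file."""
    findings = []
    for key, value in parse_autorun(text).items():
        if not EXEC_KEYS.match(key):
            continue
        parts = [p.strip() for p in re.split(r"[\\/]", value.lower().replace('"', ""))]
        reasons = []
        if any(p in HIDING_DIRS for p in parts):
            reasons.append("target hidden in recycler/system directory")
        if EXEC_EXT.search(value):
            reasons.append("launches an executable file type")
        findings.append((key, value, reasons))
    return findings

# Constructed sample, not copied from any real device.
SAMPLE = r"""
; junk comment
[AutoRun]
open=RECYCLER\S-1-5-21-0000\player.exe
shell\open\command=RECYCLER\S-1-5-21-0000\player.exe
shell\open\default=1
label=MP5 PLAYER
"""

if __name__ == "__main__":
    for key, value, reasons in audit_autorun(SAMPLE):
        print(f"{key} -> {value}: {', '.join(reasons) or 'no flags'}")
```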

You all know the words by now! SING ALONG! (-1, Offtopic)

Chris Tucker (302549) | more than 5 years ago | (#26255707)

"Botnets, spammer's botnets!
What kind of boxes are on botnets?

Compaq, HP, Dell and Sony, true!
Gateway, Packard Bell, maybe even Asus, too!

Are boxes, found on botnets. All running Windows, FOO!"

For myself, I'm currently running OSX, 10.5.6.

Why, yes. Yes I AM a smug bastard! Thanks for asking!

Re:You all know the words by now! SING ALONG! (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26255753)

I hope you plan on switching operating systems if yours ever gains enough market share to become profitable to bother exploiting.

Note that none of the major commercial scanners... (2, Interesting)

jimicus (737525) | more than 5 years ago | (#26255977)

I note that virtually none of the major commercial scanners found anything.

I have trouble believing there's any significant malware that is generally known to the AV industry but is not detected by any of McAfee, Sophos, Symantec or Kaspersky. Particularly when the industry depends so heavily on scaring people into believing they are likely to become infected.

Re:Note that none of the major commercial scanners (2, Funny)

OneSmartFellow (716217) | more than 5 years ago | (#26256123)

I have trouble believing there's any significant malware that is generally known to the AV industry

You must be joking, they know about all the viruses, they write them.