Re: Trojan Found In New HDs Sold In Taiwan

[Juha-Matti Laurio <juha-matti.laurio () netti fi>]

Dude VanWinkle <dudevanwinkle () gmail com> kirjoitti: 
> On 11/13/07, Juha-Matti Laurio <juha-matti.laurio () netti fi> wrote:
> > The description of this malware (Kaspersky's writeup):
> >
> > Virus.Win32.AutoRun.ah
> > http://www.viruslist.com/en/viruses/encyclopedia?virusid=160221
> >
> > The payload is not so bad in corporate environment...
>
> The virus modifies values of the following system registry keys:
>
> [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
> DisableTaskMgr = 1
> [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
> NoFolderOptions = 1
>
> It also searches the hard disk partitions <snip> for files with an
> ".mp3" extension:
> <snip>
> These files wil then be deleted.

Thanks for provifing the summary to readers not visit the Viruslist.com URL.

Additionally, Trend has listed several malware names too, e.g.

BKDR_AGENT.ZY*, BKDR_BIFROSE.AZF, TROJ_MAC.A*, WORM_AUTORUN.FW, WORM_MAC.**

Reference:
http://blog.trendmicro.com/seagate-hard-disks-carry-malware/

including comments from Paul ;)

> OP referenced this description:
> >> Trojan
> >> horse viruses that automatically upload to Beijing Web sites
> >> anything the computer user saves on the hard disc,
>
>
> Which one is it?
>
> If it is the latter, then has anyone considered the fact that this
> might just be a free online backup service from Seagate :-P
>
> -JP

According to Trend post mentioned one of the targets is (was) hosted in Dallas, Texas.

- Juha-Matti
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.