McDonalds Japan Distributes Infected MP3 Players

Tamas Feher from Hungary writes, "Finnish antivirus vendor F-Secure reports that Mcdonalds in Japan distributed 10,000 infected MP3 players as customer prizes in a promotion with Coca-Cola. The USB sticks contained 10 free songs plus the QQPass Trojan, which is intended to steal login data. F-Secure reports that they have heard, but cannot confirm, that simply plugging the USB device into a Windows PC is sufficient to get infected. Investigation is still going on, but the mishap apparently happened in Hong Kong. Patrons nationwide are urged to quickly return their M-logoed sticks for replacement or call a 24hr hotline, if unsure." Here is the Mcdonalds Japan announcement (in Japanese, but Babelfish at Altavista handles it well).

Re:I'm lovin' it!

[antifoidulus]

They have all sorts of crazy fast food there, it's amazingly creative. The McDonalds in Japan are better than the ones in the states which in turn are better than the ones in Europe where I am right now(though they don't have infected mp3 players...yet).

Actually, I would have to say that fast food(and ramen shops where 500 yen can get you a huge bowl of awesome ramen) is one of the things I miss most about living in Japan. Though the beer here in Germany does help to compensate :P

Re:Automatic infection may be possible

[Darth_brooks]

Windows will read an autorun.inf file on the memory sticks the same way it does for CD's/DVD's, but it will only perform certain actions if it decides the device is removable media. You can test this by creating an autorun.inf containing the full list of autorun commands on a memory stick. Harmless commands (such as ICON=SOMEICON.ICO) will be run, but potentially dangerous commands (such as Shellexec=, Open=, etc.) are supposed to be ignored. My vauge memory tells me that Microsoft initially stated that an Autorun.inf would be completely ignored on a removable device, (which is what lead me to start tinkering with the file in the first place) but I've got no real proof of that.

It seemed funny that such a simple script with such dangerous potential would be called in the same way. Is it really that hard to have the OS treat removable devices in a completely different manner (rather than the apparent "eh, just hack it together and make it work" that's there now) than read-only devices?

I always thought it'd be fun to have a USB key that autoran a batch file or VBS script that copied C:\Documents and Settings\* or C:\My Music\* to my thumb drive. "Plug and Play" turned into "Plug and take." Or, if I wasn't feeling malicious, having my thumb drive install a custom MSI of a few useful apps such as pre-configured firefox and putty on public terminals (thus saving me those precious, precious four whole steps....God I'm lazy.) But it didn't take long for me to figure out that the official answer to that was a resounding "no."

I'm very curious how the autorun is being exploited. Is it bluffing the OS into thinking the USB drive is really a CD/DVD, or is there something else afoot here?

Re:Automatic infection may be possible

Autoplay doesn't seem to happen for me, after disabling "Enable Autoplay for removable drives" via Tweakui (Tweakui / My Computer / Autoplay / Types).