Walmart Photo Keychain Comes Preloaded With Malware

Blowit writes "With the Christmas holidays just past and opening up your electronic presents may get you all excited, but not for a selected lot of people who got the Mercury 1.5" Digital Photo Frame from Walmart (or other stores). My father-in-law attached the device to his computer and his Trend Micro Anti-virus screamed that a virus is on the device. I scanned the one I have and AVAST did not find any virus ... So I went to Virscan.org to see which vendors found what, and the results are here and here." Update: 12/29 05:44 GMT by T : The joy is even more widespread; MojoKid points out that some larger digital photo frames have been delivered similarly infected this year, specifically Samsung's SPF-85H 8-inch digital photo frame, sold through Amazon among other vendors, which arrived with "W32.Sality.AE worm on the installation disc for Samsung Frame Manager XP Version 1.08, which is needed for using the SPF-85H as a USB monitor." Though Amazon was honest enough to issue an alert, that alert offers no reason to think that only Amazon's stock was affected.

Old news

[Afforess]

This is old news. It has happened before. Case and Point.

Re:Old news

[blueg3]

USB storage devices aren't actually eligible for AutoPlay. However, if the device presents itself as if it were, say, a CD-ROM, it is. This is how the U3 devices work, which present both a "CD" and a USB disk. The operating system can't really enforce policies on how USB devices present themselves to the system.

Also, my Vista machine, by default, does not actually run the AutoPlay executable without user confirmation.

Re:Old news

I believe the phrase is "case in point".

Re:Old news

[lysergic.acid]

USB devices certainly are eligible for autoplay, they just prompt the user when the device is first connected by default. however, an autorun.inf file can still change the default action for that drive, so that when the user double clicks on the volume in My Computer, it will run the autplay program rather than open up the drive for browsing. and in that situation the user gets no warning.

and i'm not sure what U3 is, but i know that if a removable drive has a partition formated with CDFS, Windows will assume that it's a copy-protected CD and will allow autoplay without the user's consent regardless of your autoplay settings. i think this can be done with any USB drive, which in a way makes disabling autoplay or prompting the user useless. just one more way consumers get screwed by DRM i guess.

Re:Old news

[gparent]

That is indeed one of the stupidest features ever put in Windows, and there is no reliable way to disable it.

There's a registry hack on google.

Re:Old news

[jackharrer]

Disable service called Shell Detection something. That will switch off Autoplay for everything globally. Easiest solution and saves you memory and load time.

Re:Old news

[Pentium100]

USB storage devices aren't actually eligible for AutoPlay. However, if the device presents itself as if it were, say, a CD-ROM, it is.

If the autorun.inf file is like this:

[autorun]
open=autorun.exe
shell=explore
Shell\open=&Open
Shell\open\Command=autorun.exe
Shell\explore=&Explore
Shell\explore\Command=autorun.exe

then autorun.exe will be executed when user doubleclicks on their USB device in "My Computer". If you don't believe me - try it out...

I think this will not work on Vista or if autorun.inf reading is disabled, but it will work on XP even if AutoPlay is disabled using group policy editor.

Re:Old news

[Pentium100]

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\autorun.inf]
@="@SYS:Does_Not_Exist"

This takes care of autorun.inf once and for all, you can even keep AutoPlay if you want it.

Re:Old news

[BikeHelmet]

Ahh, a fellow autoplay hater!

http://it.slashdot.org/comments.pl?sid=1074953&cid=26256453
^
My post on how to disable it in the driver. Haven't tested it on Vista, since I don't have Vista.

It's pretty reliably disabled on Win2k/XP, though. ;)

Did you tell Walm*rt?

[plover]

Write them a letter telling them what you found. Try this link http://walmartstores.com/contactus/feedback.aspx to get to their headquarters, where something might get done about it. Include enough technical detail for them to replicate the problem, especially the model number or any other identifying information from the package.

If you want someone to care enough to write back, try to not sound accusatory or threaten to sue them. I'm sure they get enough of that on a daily basis.

false positives?

Looks to me like they used some kind of packer to make the exe's small to not take up a lot of space on the device (understandably). A lot of scanners will automatically detect packing as malware and, due to the nature of how a packer works, trojan is the logical choice. I have a similar problem with anything I compile with delphi since a lot of malware is developed in delphi.

My 2 cents worth...

Packer

[micksam7]

It's not a virus, it's just a exe packer they used.

Virus scanners have been labeling PE Packers as viruses for ages now, simply because a virus could be packed with them, and it's easier to pick out a packer header than a virus contained in it.

A lot of false positives are caused by this, and this looks like one of those cases based on what you linked. "Generic" "NSPack" "PossibleThreat" in the VirSCAN links give that away.

EXE/PE Packers simply compress a binary and decompress it on the fly, simply to save space or "load faster". Likely Walmart's programmers used one to keep the app's size small on a small device like that.

I've dealt with this situation in size-coding competitions before, and it's not fun. A lot of false positives are caused simply because a packer was used.

Fortunately, some of the better virus scaners actually unpack the software before checking it, or look for valid virus signatures instead of a simple Packer.

This basically is just a case of virus scan companies being lazy.

Re:Packer

[micksam7]

those cases based on what you linked
-> those cases based on what the summary linked.

Slight target issue, appologies.

Re:Packer

[blueg3]

Fortunately, some of the better virus scaners actually unpack the software before checking it, or look for valid virus signatures instead of a simple Packer.

Unfortunately, advanced packers can detect this and can unpack differently if they are being unpacked by a virus scanner. Part of the point of using a packer for a virus is its ability to disguise the signature, so looking for a signature without unpacking is pointless.

Re:Packer

[happy_place]

...and not just an HD, but smaller exes are also faster sent over a network, or over an I/O bus like a USB device...

Re:Packer

[Thaelon]

Well, of course. If they didn't occasionally remind you of their existence, you might start to think you don't need them.

I haven't used a TSR virus scanner for years.

Through adequate user precautions, they're completely unnecessary.

With just a few simple precautions, even in Windows, you shouldn't need one either:

• Use Firefox exclusively - updating it when necessary.
• Use Thunderbird instead of Outlook Express
• Use only your own bookmarks to visit your bank's website and other popular sites.
• Run all remotely suspicious executables as a privilege starved user (such as one having no permissions other than read access to a single folder containing the suspect executable)
• Put your computer behind a physical firewall such as a router.
• Install using a slipstreamed Service Pack 2 or later install disc)
• Run an occasional free full system scan when convenient, note that you don't have to maintain updates or any similar stupidity since it's an online scan.

The only threats likely to get past these types of precautions - such as new malware only hours or days old - are unlikely to be stopped by a virus scanner that doesn't know what to look for either. So what have you got to gain by ditching TSR scanners? More system resources, possibly more money.

Re:Packer

[nabsltd]

I bought my wife a digital photo frame with no flash memory because it was cheaper.

It did have an SD slot, though, and I had to buy the card, but that still ended up cheaper, and that way it can display as many pictures as she wants...it's just limited to 2GB at a time (no SDHC).

It's also a whole lot easier, as she keeps the frame at work, and every so often swaps SD cards when she wants new (or different) pictures.

Re:have I missed something?

[Jeremy+Erwin]

Christmas is a twelve day feast that starts on Dec 25, and doesn't let up until Epiphany.

Re:have I missed something?

Perhaps where you live, but for others Christmas starts on Dec 24.

Re:that's why USB autoplay is a bad idea

[gzipped_tar]

Viruses exploiting the AutoPlay is nothing new and going wild. The other day I went to a printing shop with stuff I was going to print stored on a USB stick. I plugged it in the Windows box at the shop and it got infected. Three "folder" icons appeared in the Windows file manager but they were not directories -- they were trojan executables with the icons identical to the default one for directories. They all ended in .exe but the Windows file manager hid the extension part of filename by default so a careless use couldn't tell that from a directory. Also the "autorun.inf" was clearly modified to point to the malware (written in plain text).

I was not infected because my machine is a Linux one and I know these malware tricks well, but I can imagine how many customers of that shop are tricked to click on the trojan program.

Autorun is evil. It is so vulnerable to exploitation and of little use and it's enabled by default on Windows. Sadly, the GNOME team, who's goal is to copy every mistake done by Microsoft, choose to mount removable media automatically by default. What's their next quest? Certified malware-to-malware compatibility?

Luckily I ditched GNOME long ago.

Turning off AutoRun in Windows XP

[MitchAmes]

For Windows XP, SP2 ... Tweak UI allows disabling of AutoPlay either by device type (eg CD) or drive letter, and the setting is stored in the user registery under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer], but Tweak UI only shows the settings if the user is an Administrator. However according to Microsoft's TechNet web-site, the NoDriveTypeAutoRun setting in HKCU is ignored if there is a corresponding entry in HKLM, so to disable AutoPlay on all drive types for all users: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] "NoDriveTypeAutoRun"=dword:000000ff If AutoPlay is enabled, actions per content type can be set per user by right-clicking the drive in Explorer, then selecting the AutoPlay tab. The options are stored in [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\UserChosenExecuteHandlers]. The default (which is to prompt the user) can be restored by deleting the entries. Note that there doesn't appear to be an option for "data only". So far as I know, if AutoPlay is enabled (which it is by default), you can't disable AutoRun.inf. However, if the user is not an administrator, Explorer will prompt for an Administrator logon before doing anything.

Re:Turning off AutoRun in Windows XP

[BikeHelmet]

If you're really worried, you should disable it at the driver level rather than the explorer policy level.

For Win2k/XP (maybe Vista), open up regedit and find this key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]

REG_DWORD "Autorun" - set it to 0
Note: Must be logged on as an admin.

This disables autorun at the driver level, rather than explorer policy level. It may take a reboot to take effect. It should disable all autorun handlers/hooks, effectively turning drives into regular folders. (they just "open")

Autorun.inf files will not automatically run or prompt you to run - actually, on my Win2k box, the right-click autorun option completely vanished!

Note: It doesn't seem to "spin-up" CDs anymore on my computer, until I go into My Computer. It gives it a nasty delay loading that folder, but I figure this is a good thing. It means it isn't accessing the CD or device at all until I tell it to.

Such is the price of security, I suppose!

Second opinion - scanning another 1.5" photo frame

[AYeomans]

Here is the virscan.org scan of the DPFmate.exe file on a similar photo keyring. This scans almost clean, with the only warning being "Suspicious - DNAscan" from QuickHeal.
All sounds to me that the Walmart photo frame may be truly infected. Interesting to see if a re-scan gives the same results, after AV signature updates.
To identify my photo frame, it has USB vendor code 1908:1320, and gives dmesg output as

[ 1615.074173] scsi 2:0:0:0: CD-ROM buildwin Photo Frame 1.01 PQ: 0 ANSI: 2
[ 1615.131784] sr1: scsi3-mmc drive: 40x/40x writer cd/rw xa/form2 cdda tray
[ 1615.132336] sr 2:0:0:0: Attached scsi CD-ROM sr1
[ 1615.132793] sr 2:0:0:0: Attached scsi generic sg2 type 5
[ 1618.229611] ISO 9660 Extensions: Microsoft Joliet Level 3
[ 1618.243632] ISOFS: changing to secondary root

and has files on it

-r-xr-xr-x 1 a root 49 2007-12-13 17:07 Autorun.inf
-r-xr-xr-x 1 a root 135904 2008-07-25 11:46 DPFMate.exe
-r-xr-xr-x 1 a root 1344 2008-05-19 18:53 flashlib.dat
-r-xr-xr-x 1 a root 22044 2008-07-23 16:15 LanguageUnicode.ini
-r-xr-xr-x 1 a root 96281 2008-06-11 16:29 MacDPFmate.zip
-r-xr-xr-x 1 a root 758 2008-07-07 12:21 StartInfoUnicode.ini

Hey, I always stick odd USB devices into Linux first to check them out.
For background info, this photo frame does nothing when first connected. You can set it to "transfer" mode, at which point it emulates a USB CD-ROM of 304 Kbyte size. That CD image tries to autorun the DPFmate software to compress and transfer images to the device. The photos are *not* visible on the device through normal access, must have transferred them to a hidden area. I'd be interested if anyone has more info on the USB protocols used.