Trojan Found In New HDs Sold In Taiwan
GSGKT writes "About 1,800 brand new 300-GB or 500-GB external hard drives made for Maxtor in Thailand were found to have trojan horse malware pre-installed (autorun.inf and ghost.pif). When the HD is in use, these forward information on the disk to two websites in Beijing, China: www.nice8.org or www.we168.org. The article implies that authorities believe the Chinese government is behind the trojans. A later article pins down the point of infection to a subcontractor company in China. A couple of months back, The Register was reporting on pre-installed malware detected on Maxtor disks sold in the Netherlands. This earlier report was downplayed by a Seagate spokesman." The more recent Taipei Times article says that Seagate admits the problem on its Web site, but a search there turns up nothing.
Obligatory HOSTS comment: (Score:5, Informative)
127.0.0.1 www.nice8.org
127.0.0.1 www.we168.org
Seagate admits it (Score:3, Informative)
So this is not a hoax, after all.
Re:How would that even work (Score:3, Informative)
Autorun can definitely run .exe files; that's its main purpose. That's how the installer automatically starts up when you insert a game or application CD. It's possible that the exe needs to be signed or something, but it's more likely that whatever program you were using simply "did it wrong".
Don't forget that you can also disable autorun permanently, rather than having to remember to hold shift every time you insert a disc.
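The comment above is about what an autorun.inf can make Explorer run. The following is an added example, not code from the thread or from any vendor: a small triage script that parses an autorun.inf the way configparser reads an INI file and flags every directive that launches something (open=, shellexecute=, shell\verb\command and a custom default verb). Both sample files are constructed for the example; the "malicious" one only mimics the story's description of an autorun.inf pointing at ghost.pif and is not the actual file from the Maxtor drives, and the severity scale is the example's own.

```python
"""Triage an autorun.inf: which directives would run code on insert or double-click?

Added example, not code from the thread. Input is already-decoded text
(real files are often CRLF and may carry a UTF-16 BOM; decode first).
"""
import configparser
import ntpath

# Directives Explorer acts on directly when AutoRun/AutoPlay fires.
LAUNCH_KEYS = {"open", "shellexecute"}
# Executable, but unusual for a legitimate installer: worth a hard look.
ODD_EXECUTABLE = {".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".wsf"}
NORMAL_EXECUTABLE = {".exe"}
SEVERITY_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


def parse_autorun(text):
    """Return {section: {key: value}} with lower-cased section and key names.

    strict=False tolerates duplicate keys (last one wins) and the
    '[autorun.<arch>]' sections Windows also accepts are kept as-is.
    """
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",), allow_no_value=True)
    cp.optionxform = str.lower
    cp.read_string(text)
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}


def program_of(command):
    """First token of a command line: the program that would be launched."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0] if cmd else ""


def is_launch_key(key):
    return key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def assess(sections):
    """List (severity, message) findings for every directive that runs something."""
    findings = []
    for name, kv in sections.items():
        if not name.startswith("autorun"):
            continue  # [DeviceInstall] and friends do not launch programs
        for key, value in kv.items():
            if not is_launch_key(key):
                continue
            ext = ntpath.splitext(program_of(value or ""))[1].lower()
            if ext in ODD_EXECUTABLE:
                sev, why = "high", f"launches a {ext} file, unusual for an installer"
            elif ext in NORMAL_EXECUTABLE:
                sev, why = "medium", "launches an executable when the drive is inserted or opened"
            else:
                sev, why = "low", "launches something through a file association"
            findings.append((sev, f"[{name}] {key}={value}: {why}"))
        verb = (kv.get("shell") or "").lower()
        cmd_key = "shell\\" + verb + "\\command"
        if verb and cmd_key in kv:
            # A custom default verb turns a plain double-click on the drive into a launch.
            findings.append(("high", f"[{name}] default verb {verb!r} runs {kv[cmd_key]!r} on double-click"))
        if "action" in kv:
            findings.append(("low", f"[{name}] action={kv['action']!r} rewrites the AutoPlay prompt text"))
    return findings


def max_severity(findings):
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.__getitem__, default="none")


# Constructed sample in the shape the story describes (autorun.inf launching
# a ghost.pif); NOT the real file from the drives.
SAMPLE_MALICIOUS = r"""
; constructed sample, not the real file
[autorun]
open=ghost.pif
shellexecute=ghost.pif
shell=open
shell\open\command=ghost.pif
icon=ghost.pif
"""

# Constructed sample of what an ordinary application CD ships.
SAMPLE_INSTALLER = r"""
[autorun]
open=setup.exe
icon=setup.exe,0
label=Product CD
"""

if __name__ == "__main__":
    for label, text in (("constructed malicious", SAMPLE_MALICIOUS),
                        ("constructed installer", SAMPLE_INSTALLER)):
        findings = assess(parse_autorun(text))
        print(f"{label}: {max_severity(findings)}")
        for sev, msg in findings:
            print(f"  {sev}: {msg}")
```

The script only reads the file, so it is safe to run against an autorun.inf copied off a suspect drive; it deliberately does not resolve or open the referenced program. A .exe in open= is scored "medium" rather than "high" because, as the comment above says, launching an installer is exactly what the feature is for; the .pif/.scr/.com family is what an installer would not normally use.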
Re:First off... (Score:5, Informative)
Works for USB drives and CD-ROMS.
[2007/10, from: http://www.mydigitallife.info/2006/09/11/disable-auto-run-and-auto-play-of-u3-smart-drives-launchpad/]
1. Click Start -> Run.
2. Type RegEdit in the Open text box, then press ENTER.
3. In the Registry Editor, locate and click the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom
4. Modify the value of the Autorun to 0 (zero) so that CD-ROMs and Audio CDs do not run and start automatically when inserted.
5. Next navigate to the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
6. Modify the value of the NoDriveTypeAutoRun entry to 0xb5 to turn off the AutoRun feature for CD-ROMs: right-click NoDriveTypeAutoRun, click Modify, type B5 in the Value data box, select Hexadecimal, and then click OK.
7. Quit Registry Editor.
8. Restart your computer.
Re:Nope (Score:5, Informative)
gpedit.msc
It's a Windows GUI tool.
Computer Configuration > Click "Administrative Templates" > Click "System" > Double-Click "Turn off Autoplay", set it for "All Drives" and click the "apply" button.
Re:Obligatory HOSTS comment: (Score:1, Informative)
Domain Name:NICE8.ORG
Created On:11-May-2007 07:20:24 UTC
Last Updated On:27-Sep-2007 05:57:07 UTC
Expiration Date:11-May-2008 07:20:24 UTC
Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)
Status:OK
Registrant ID:JHV8DUH7W9TIL
Registrant Name:ga ga
Registrant Organization:gaga
Registrant Street1:gagaga
Registrant Street2:
Registrant Street3:
Registrant City:gaga
Registrant State/Province:Beijing
Registrant Postal Code:126631
Registrant Country:CN
Registrant Phone:+86.2164729393
Registrant Phone Ext.:
Registrant FAX:+86.2164660456
Registrant FAX Ext.:
Registrant Email:safsafsa@ca.ca
Admin ID:JHV8DUHMSOOFB
Admin Name:ga ga
Admin Organization:gaga
Admin Street1:gagaga
Admin Street2:
Admin Street3:
Admin City:gaga
Admin State/Province:Beijing
Admin Postal Code:126631
Admin Country:CN
Admin Phone:+86.68492333
Admin Phone Ext.:
Admin FAX:+86.4660456
Admin FAX Ext.:
Admin Email:safsafsa@ca.ca
Tech ID:JHV8DUHO9XXZP
Tech Name:ga ga
Tech Organization:gaga
Tech Street1:gagaga
Tech Street2:
Tech Street3:
Tech City:gaga
Tech State/Province:Beijing
Tech Postal Code:126631
Tech Country:CN
Tech Phone:+86.68492333
Tech Phone Ext.:
Tech FAX:+86.4660456
Tech FAX Ext.:
Tech Email:safsafsa@ca.ca
Name Server:NS2.XINNETDNS.COM
Name Server:NS2.XINNET.CN
I'm assuming "ga ga" is fake; XINNet is not accessible without a Chinese proxy. The registrant's phone number, +86.2164729393, links to the contact information for http://www.sogle.com/, a partner of http://68l.com/; both appear to be web hosting companies.
So if this is one big Chinese government conspiracy, it seems to be run through a number of companies, including dedicated hosts, not just hardware manufacturers.
Doesn't work for XP Home (Score:2, Informative)
Not for XP Home or other crippled MS products...
Technet says 0xff not 0xb5 (Score:1, Informative)
from http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch10n.mspx
and http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch03.mspx
just FYI
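The registry steps earlier in the thread set NoDriveTypeAutoRun to 0xb5, while the TechNet guides cited in this comment use 0xff. As an added example (not from the thread or from Microsoft), the Python below decodes the value as the bitmask it is, so the difference is visible rather than a matter of which page you trust: each bit is 1 << the Win32 GetDriveType() code of a drive type and a set bit disables AutoRun for that type, so 0xb5 is 0x95 plus the CD-ROM bit 0x20 and still leaves AutoRun on for fixed drives, which is what USB hard disks (as opposed to flash sticks) usually report as, whereas 0xff turns it off for every type. The .reg writer, the function names and the report format are the example's own.

```python
"""Decode NoDriveTypeAutoRun and compare candidate hardening values.

Added example, not code from the thread. Layout: bit = 1 << GetDriveType()
code; a set bit disables AutoRun for that drive type. Bit 7 (0x80) is
reserved and documented as also covering unknown drives.
"""

# GetDriveType() return codes from the Win32 API.
DRIVE_TYPES = {
    0: "unknown",
    1: "no root directory",
    2: "removable",
    3: "fixed",
    4: "network",
    5: "CD-ROM",
    6: "RAM disk",
}
RESERVED_UNKNOWN_BIT = 0x80


def parse_value(text, assume_hex=True):
    """Accept '0xb5', 'dword:000000b5' (as in a .reg export) or 'B5' (regedit
    with Hexadecimal selected); with assume_hex=False a decimal string such as
    '181' is accepted instead."""
    t = str(text).strip().lower()
    if t.startswith("dword:"):
        return int(t[len("dword:"):], 16)
    if t.startswith("0x"):
        return int(t, 16)
    return int(t, 16 if assume_hex else 10)


def disabled_types(value):
    """Drive types for which this value turns AutoRun off."""
    return {name for code, name in DRIVE_TYPES.items() if value & (1 << code)}


def enabled_types(value):
    """Drive types this value still leaves AutoRun on for: the residual exposure."""
    return set(DRIVE_TYPES.values()) - disabled_types(value)


def added_by(old, new):
    """Drive types that `new` disables and `old` did not."""
    return disabled_types(new) - disabled_types(old)


def reg_file(value, hive="HKEY_CURRENT_USER"):
    """Text of a .reg file setting the policy value under the given hive.

    The thread's steps use HKEY_CURRENT_USER (per user); the same policy key
    under HKEY_LOCAL_MACHINE applies machine-wide.
    """
    key = hive + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{key}]\r\n"
        f'"NoDriveTypeAutoRun"=dword:{value:08x}\r\n'
    )


def report(value):
    lines = [f"NoDriveTypeAutoRun=0x{value:02x}"]
    lines.append("  AutoRun disabled for: " + ", ".join(sorted(disabled_types(value))))
    lines.append("  AutoRun still ON for: " + (", ".join(sorted(enabled_types(value))) or "nothing"))
    return "\n".join(lines)


if __name__ == "__main__":
    for v in (0x95, 0xb5, 0xff):
        print(report(v))
    print("0x95 -> 0xb5 additionally disables:", added_by(0x95, 0xb5))
    print("still exposed with 0xb5:", sorted(enabled_types(0xb5)))
    print(reg_file(0xff), end="")
```

The practical reading: 0xb5 is a CD-ROM fix and nothing more, so a drive that enumerates as fixed is untouched by it; the 0xff the TechNet guides recommend is the value that covers every drive type, and the .reg output can be imported under either hive.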
Re:Threadjack: WTF? (Score:3, Informative)
Then the malware already automatically gets run.
Re:Troll Alert... (Score:3, Informative)
That won't work.
msconfig is a diagnostic tool for disabling programs which are loaded at boot time. It has nothing to do with autoloading CDs.
There is no built-in autostart UI. If you're scared of the registry, you can download TweakUI, but you'll still need to disable autostart on a drive-by-drive basis.