USB stick MP3 Player labeled Nextar (apparent cross infection – PC / Mobile PC)

A funny thing happened when plugging a USB stick MP3 player labeled Nextar (cross infection), borrowed from a friend, into a desktop PC. Read on.

Possibly a black market relabeled fake, and there are apparently even criminal “clone”, “phisher” or “pharmer” sites around emusic.com. Suddenly, an apparent “cross infection” occurred on the Pocket PC Windows Mobile device: a mass emailing worm! Isn’t that fun (sarcasm).

eMusic – Wikipedia, the free encyclopedia: “eMusic is an online music store that operates by subscription. It is headquartered in New York City and owned by Dimensional Associates, LLC. …” http://en.wikipedia.org/wiki/EMusic

Press Releases – Mi5 Networks Secure Web Gateway, Feb 2, 2009: “… Detailed reports enable eMusic to quickly identify infected machines on the network, understand the specific types of malware involved and …” http://www.mi5networks.com/news/press/2009_0202-eMusic.com-Selects-Mi5-Networks-in-Favor-of-Solo-Web-Security-Products.htm

Apparent open source project: eMusic/J 0.25 http://mac.softpedia.com/get/Multimedia/eMusic-J.shtml

Uh oh…

Name: Adware.Win32.eMusic Toolbar http://www.emsisoft.com/en/malware/?Adware.Win32.eMusic+Toolbar

FORENSICS:

FILES detected (apparently instantly, on inserting the USB MP3 player)

DESKTOP: (Windows XP Home)

#emusic.oem

#emusiclogo.gif

#Tries to connect to “malicious host” emusic.com / apparent back door threat? Blocked. USB stick removed. Still attempts to connect after the PC is restarted or when using media player(s). A registry hook seems possible? Scanned, not found. Looking manually.

SYMPTOMOLOGY:

Stick in and out (on desktop). The continuing attempt to reconnect to “emusic.com” indicates either a registry hook of some sort or, worse, a rootkit, as it is not visible in the registry. See the Sony rootkit nightmare.

#SCANNED – FOUND: MOBILE PC (Windows CE 3.0 / Pocket PC 2002)

Installs an apparent mass emailing worm as a possible part of the “cross infection”:

#FlashMates_(v1[1].0.4)_Setup.exe / identified as Email-Worm.Win32.Apbost!IK [IK = Ikarus antivirus]

SEE: Analyzing the Crossover Virus: The First PC to Windows Handheld Cross-infector http://www.informit.com/articles/article.asp?p=458169&rl=1

NOTES: Adding more if found

The exercise? Watch out, you didn’t get the real product.

—-

SCAN RESULTS:

a-squared Anti-Malware v. 4.5.0.19
(C) 2003-2009 Emsi Software GmbH – www.emsisoft.com
 
ID   Object
0    C:\Program Files\Uniblue\System Tweaker\System Tweaker.exe
Backdoor.Win32.Wootbot!IK
1    C:\Documents and Settings\cbgerry\MyDocuments\POCKETPC-DOXX\FlashMates_(v1[1].0.4)_Setup.exe
Email-Worm.Win32.Apbost!IK
 
NOTES: “Email-Worm.Win32.Apbost!IK” is the worm, and the file name is “FlashMates_(v1[1].0.4)_Setup.exe”.
(Location “POCKETPC-DOXX”: caught in a dummy folder. It takes two to play games. IK is the symbol for Ikarus antivirus.)
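As an added example (not part of this post and not code from Emsisoft or a-squared), a small Python parser for the scan-report layout shown above: an “ID   Object” header, then a numbered path line followed by the detection name on the next line. It splits each detection into its class and engine suffix (IK = Ikarus) so that worm and backdoor hits can be triaged first; the embedded report text is a constructed copy of the two entries above.

```python
import re
from dataclasses import dataclass

# Constructed sample in the a-squared Anti-Malware report layout shown above:
# an "ID   Object" header, then "<id>   <path>" with the detection name on the
# following line. The two entries are copied from the post's scan results.
SAMPLE_REPORT = """\
a-squared Anti-Malware v. 4.5.0.19

ID   Object
0    C:\\Program Files\\Uniblue\\System Tweaker\\System Tweaker.exe
Backdoor.Win32.Wootbot!IK
1    C:\\Documents and Settings\\cbgerry\\MyDocuments\\POCKETPC-DOXX\\FlashMates_(v1[1].0.4)_Setup.exe
Email-Worm.Win32.Apbost!IK
"""

@dataclass
class Detection:
    obj_id: int
    path: str
    name: str      # full detection string, e.g. Email-Worm.Win32.Apbost!IK
    category: str  # leading class: Backdoor, Email-Worm, Adware, ...
    engine: str    # suffix after "!", e.g. IK = Ikarus engine

def parse_report(text: str) -> list:
    """Parse a-squared style scan output into Detection records."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    # Skip everything up to and including the "ID   Object" header line.
    try:
        i = next(k for k, ln in enumerate(lines) if ln.split() == ["ID", "Object"]) + 1
    except StopIteration:
        return []
    results = []
    while i + 1 < len(lines):
        m = re.match(r"^(\d+)\s+(.+)$", lines[i])
        if not m:          # blank or unexpected line: move on
            i += 1
            continue
        name = lines[i + 1].strip()
        category, _, rest = name.partition(".")
        engine = rest.rsplit("!", 1)[1] if "!" in rest else ""
        results.append(Detection(int(m.group(1)), m.group(2), name, category, engine))
        i += 2
    return results

# Classes that imply self-propagation or remote control; triage these first.
PROPAGATING_OR_REMOTE = {"Backdoor", "Email-Worm", "Worm", "Net-Worm", "P2P-Worm", "IM-Worm"}

def high_priority(dets: list) -> list:
    return [d for d in dets if d.category in PROPAGATING_OR_REMOTE]
```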
 
—-
NOTES:

New startup after quarantine, and the emusic connect attempt was blocked again (by the antimalware program). A registry hook (originally suspected as the cause) generally involves one entity (unless multiple), here media players, and is easily detected and deleted. This did show files in two media players (with premium features) and has now jumped to Windows Media Player. That symptomology is like what a self-replicating worm does, but apparently here, as a rootkit indeed does, it is like a matrix that can continually give various commands (more powerful than a trojan, and able to continually install more software); this is the best guess from the symptoms experienced.

The activity shows the “matrix” (several) commands, severally or multiple times, after deletions, which is almost what a self-replicating worm does when deleted: it is reinstalled elsewhere but finally gets deleted by antivirus. This indicates rootkit activity as quite possible, and the infection.
 
Visit: PDA Mobile Cafe Homepage
http://www.pdamobilecafe.bluecollarpc.net/index.html
Mobile Portal: http://mysite.verizon.net/gerald_309/id16.html
Home PDA Portal: http://www.thebeetlesusa.com/Beetles.html
Forums: http://pdamobilecafe.freeforums.org/
NEW: BlueCollarPC.Org – Mobile Portal
http://www.bluecollarpc.org/BCPCOrg-Mobile.html

One Response to “USB stick MP3 Player labled Nextar (apparent cross infection – PC / Mobile PC)”

  1. AmatuerForensics-Mobile: USB stick MP3 Player (apparent cross infection) | BlueCollarPC Webs Blog @Word Press! Says:

    […] Player labled Nextar (apparent cross infection – PC / Mobile PC) July 24, 2009 by pdamobilecafe https://pdamobilecafe.wordpress.com/2009/07/24/usb-stick-mp3-player-labled-nextar-apparent-cross-infe…  A USB stick MP3 Player labled Nextar (apparent cross infection – PC / Mobile […]
