USB stick MP3 Player labeled Nextar (apparent cross infection – PC / Mobile PC)


Funny thing happened when plugging in (to desktop PC) a USB stick MP3 Player labeled Nextar (cross infection) from a friend. Read on.

Possibly a black market relabeled fake, and there are apparently even criminal “clone” or “phisher” or “pharmer” sites around. Suddenly, an apparent “cross infection” occurred in the Pocket PC Windows Mobile – a mass emailing worm! Isn’t that fun (sarcasm).

eMusic – Wikipedia, the free encyclopedia eMusic is an online music store that operates by subscription. It is headquartered in New York City and owned by Dimensional Associates, LLC. …

Press Releases – Mi5 Networks Secure Web Gateway Feb 2, 2009 … Detailed reports enable eMusic to quickly identify infected machines on the network, understand the specific types of malware involved and …  

Apparent Open Source Project: eMusic/J 0.25  

Uh Oh…….

Name: Adware.Win32.eMusic Toolbar


FILES Detected…. (apparently instantly – inserting USB MP3 Player)

DESKTOP: (Windows XP Home)



#Tries to connect to “malicious host” / apparent back door threat? Blocked. USB stick removed. Still attempts to connect after PC restarted or when using media player(s). Seems a registry hook is possible? Scanned, not found. Looking manually.


Stick in and out (on desktop). The continuing attempt to re-connect to “” indicates either a registry hook of some sort or, worse, a rootkit, as it is not visible in the registry. See the Sony Rootkit nightmare.

#SCANNED – FOUND: MOBILE PC (Windows CE 3.0 / Pocket PC 2002)

Installs apparent mass emailing worm as possible part of “cross infection”:

#FlashMates_(v1[1].0.4)_Setup.exe / which is identified as Email-Worm.Win32.Apbost!IK [Ikarus antivirus = IK]

SEE Analyzing the Crossover Virus: The First PC to Windows Handheld Cross-infector

NOTES: Adding more if found

The Exercise ? Watch out you didn’t get the real product



a-squared Anti-Malware v.
(C) 2003-2009 Emsi Software GmbH –
ID   Object
0    C:\Program Files\Uniblue\System Tweaker\System Tweaker.exe
1    C:\Documents and Settings\cbgerry\MyDocuments\POCKETPC-DOXX\FlashMates_(v1[1].0.4)_Setup.exe
NOTES: The “Email-Worm.Win32.Apbost!IK” is the worm and file name is “FlashMates_(v1[1].0.4)_Setup.exe”.
(location “POCKETPC-DOXX” caught in dummy folder. It takes two to play games. IK is symbol for Ikarus antivirus)
New start up after quarantine and eMusic connect attempt blocked again (antimalware program). A registry hook (originally suspected as cause) generally is involved with one entity (unless multiple), here media players, that is easily detected and deleted. This did show files in two media players (with premium features) and now has jumped to Windows Media Player – which symptomology is as a self-replicating worm does, but apparently here – as indeed a rootkit does – is like a matrix that continually can give various commands (more powerful than a trojan and can continually install more software), and this is the best guess from the symptoms experienced. The activity shows the “matrix” (several) commands severally or multiple times after deletions, which is almost as the self-replicating worm does when deleted and is reinstalled elsewhere but finally gets deleted by antivirus. This indicates the rootkit activity as quite possible and the infection.