Here's some news from the ESET Virus Lab in Slovakia. One of our clients encountered an interesting infection within his network.
The problem seemed to originate from the drivers CD that comes with the device he bought, the Habey BIS-6550HD, a fanless Atom-powered system, though we haven't seen the CD itself. Our analysis of the CD image supplied by the customer, which seems to date from July 2009, confirmed that it contains a set of files infected by 2 different viruses:
- Win32/Viking.CH
- Win32/Xorer.NAJ
Altogether, 25 executables were infected. Furthermore, 15 HTM files were infected (detected by us Win32/Xorer.AW) by the insertion of an IFRAME redirect, originating with infection by the Xorer virus. .
Both of these infiltrations are prepending viruses. Win32/Xorer is also classified as an Autorun worm. Both are described in our virus encyclopaedia, though the descriptions don't refer to the exact same variants: one describes Win32/Viking.AU and the other describes Win32/Xorer.BU.
ESET has had proactive protection (generic signatures) for these threats since 18.5.2006 (Win32/Viking) and 6.5.2008 (Win32/Xorer). These families are, of course, well-known to other vendors too.
The customer tells us that the hardware manufacturer was notified about the problem, and he was advised to download the drivers from their web site. While the site is up, we've been unable to download the drivers ourselves: perhaps this means the company is currently checking their download site. If you have any concerns about hardware or software from Norco/Habey, we'd advise you to contact them directly as soon as possible, to check that any problems with their quality control have been corrected. According to the CD image analysed by the lab in Bratislava, these are the infected files.
Infected EXEs:
915_945_965infSetup.exe
ALC8882k_xpSetup.exe
ALC8882k_xpWDMAlcmtr.exe
ALC8882k_xpWDMSoundMan.exe
Atominf_setup.exe
AtomHDMI_VGAUtilitiesIEGDGUI.exe
AtomHDMI_VGAUtilitiesSetup.exe
AtomwinvistaSetup.exe
AtomwinxpSetup.exe
Decoder card dirverswindowsbasic32-bitDPinst.exe
Decoder card dirverswindowsbasic64-bitDPinst.exe
Decoder card dirverswindowsevaluationBRCM_UI_Player.exe
Decoder card dirverswindowsevaluation32-bitDPinst.exe
Decoder card dirverswindowsevaluation64-bitDPinst.exe
Decoder card dirverswindowsfile32-bitDPinst.exe
Decoder card dirverswindowsfile64-bitDPinst.exe
DirectX9DXSETUP.exe
HDD-patch48-bit LBA.exe
LANvistasetup.exe
LANwin2k_xpsetup.exe
TV tunerDriverWindows XP&Vista32bitsetup.exe
TV tunerDriverWindows XP&Vista64bitsetup.exe
TV-OUTtestAPP.EXE
USB2.0Intel9xsetup.exe
VGAwin2k_xpVGAsetup.exe
Infected HTMs:
LANvistaREADMEArabicsetup.html
LANvistaREADMEEnglishsetup.html
LANvistaREADMEFrenchsetup.html
LANvistaREADMEGermansetup.html
LANvistaREADMEHebrewsetup.html
LANvistaREADMEHungariansetup.html
LANvistaREADMEItaliansetup.html
LANvistaREADMEJapanesesetup.html
LANvistaREADMEKoreansetup.html
LANvistaREADMEPortuguesesetup.html
LANvistaREADMESimplified_Chinesesetup.html
LANvistaREADMESpanishsetup.html
LANvistaREADMETraditional_Chinesesetup.html
LANvistaREADMETurkishsetup.html
s3132BASEreadme.htm
David Harley CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch
http://twitter.com/ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/
