Here's some news from the ESET Virus Lab in Slovakia. One of our clients encountered an interesting infection within his network. The problem seemed to originate from the drivers CD that comes with the device he bought, the Habey BIS-6550HD, a fanless Atom-powered system, though we haven't seen the CD itself. Our analysis of the
Here's some news from the ESET Virus Lab in Slovakia. One of our clients encountered an interesting infection within his network.
The problem seemed to originate from the drivers CD that comes with the device he bought, the Habey BIS-6550HD, a fanless Atom-powered system, though we haven't seen the CD itself. Our analysis of the CD image supplied by the customer, which seems to date from July 2009, confirmed that it contains a set of files infected by 2 different viruses:
Altogether, 25 executables were infected. Furthermore, 15 HTM files were infected (detected by us Win32/Xorer.AW) by the insertion of an IFRAME redirect, originating with infection by the Xorer virus. .
Both of these infiltrations are prepending viruses. Win32/Xorer is also classified as an Autorun worm. Both are described in our virus encyclopaedia, though the descriptions don't refer to the exact same variants: one describes Win32/Viking.AU and the other describes Win32/Xorer.BU.
ESET has had proactive protection (generic signatures) for these threats since 18.5.2006 (Win32/Viking) and 6.5.2008 (Win32/Xorer). These families are, of course, well-known to other vendors too.
The customer tells us that the hardware manufacturer was notified about the problem, and he was advised to download the drivers from their web site. While the site is up, we've been unable to download the drivers ourselves: perhaps this means the company is currently checking their download site. If you have any concerns about hardware or software from Norco/Habey, we'd advise you to contact them directly as soon as possible, to check that any problems with their quality control have been corrected. According to the CD image analysed by the lab in Bratislava, these are the infected files.
Decoder card dirverswindowsbasic32-bitDPinst.exe
Decoder card dirverswindowsbasic64-bitDPinst.exe
Decoder card dirverswindowsevaluationBRCM_UI_Player.exe
Decoder card dirverswindowsevaluation32-bitDPinst.exe
Decoder card dirverswindowsevaluation64-bitDPinst.exe
Decoder card dirverswindowsfile32-bitDPinst.exe
Decoder card dirverswindowsfile64-bitDPinst.exe
TV tunerDriverWindows XP&Vista32bitsetup.exe
TV tunerDriverWindows XP&Vista64bitsetup.exe
David Harley CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/