As soon as I read about U3, I thought that companies would start banning
at least U3 drives, and probably all thumb drives just to be safe.  The
Wikipedia article is not a bad start - http://en.wikipedia.org/wiki/U3
and contains the moderately scary remark

   Leaves Traces on Host PC - The U3 platform sometimes leaves behind
   files on a user's PC. This mainly occurs when the drive is improperly
   removed.


The architecture is: (per Wikipedia)

   U3 smart drives are traditional USB flash drives with a specific setup:

   Disk Management shows two drives, one drive has a CDFS partition with
   the autorun and LaunchPad, and the other drive has a FAT partition that
   includes a hidden SYSTEM folder with your installed applications.

The potential for replacing the U3 LaunchPad with something nasty is
rather obvious.  One could envision a "U3 virus" passing just like an
old-style floppy virus.  Disabling U3 autorun is done by disabling CD
autorun via the registry - http://support.microsoft.com/?id=155217.  A
quick Google search got me a number of items by people who've changed the
content of the CDFS.  Things called "USB Hacksaw" and "USB Switchblade"
appear to be close to the class of nasties I thought of.

While the u3.com site says "The U3 system software is pre-loaded to USB
devices by the hardware manufacturer only", that doesn't entirely make
me comfortable.  It sounds to me like the trick could be replicated with
a bit-by-bit copier onto a generic USB.

There's a Securiteam blog entry at
http://blogs.securiteam.com/index.php/archives/614 from gadi that's
worth reading.

I think that the claim "thumbdrives don't infect PCs" is incorrect,
given the Hacksaw and Switchblade malware already exist.

Henry Troup
Watchfire Corporation
[EMAIL PROTECTED]
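
The registry check mentioned in the message above, as an added example that is not part of the original thread: because the U3 CDFS partition enumerates as a CD-ROM, what matters is the CD-ROM bit of `NoDriveTypeAutoRun` and the `Cdrom` service `AutoRun` value, not the removable-drive bit. The function names are hypothetical; the XP default mask of 0x91 and HKLM taking precedence over HKCU are assumptions stated in the code.

```python
import sys

# NoDriveTypeAutoRun: a set bit suppresses AutoRun for that drive type.
DRIVE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
              0x10: "network", 0x20: "cdrom", 0x40: "ramdisk"}
XP_DEFAULT_MASK = 0x91  # assumption: effective value on XP when no policy is set


def effective_mask(hklm=None, hkcu=None):
    """Assumption: an HKLM policy value wins over HKCU; otherwise XP default."""
    for value in (hklm, hkcu):
        if value is not None:
            return value & 0xFF
    return XP_DEFAULT_MASK


def autorun_enabled_types(mask):
    """Drive types for which AutoRun is still allowed under this mask."""
    return sorted(name for bit, name in DRIVE_BITS.items() if not mask & bit)


def u3_launchpad_would_autorun(hklm=None, hkcu=None, cdrom_autorun=None):
    """True if a CDFS partition (U3 LaunchPad) would autorun on insertion.
    cdrom_autorun is the Cdrom service AutoRun value; None (absent) = enabled."""
    mask = effective_mask(hklm, hkcu)
    return cdrom_autorun != 0 and "cdrom" in autorun_enabled_types(mask)


def read_live_settings():
    """Read (HKLM mask, HKCU mask, Cdrom AutoRun) from the registry. Windows only."""
    import winreg
    def get(root, path, name):
        try:
            with winreg.OpenKey(root, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return None  # key or value not present
    pol = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    svc = r"SYSTEM\CurrentControlSet\Services\Cdrom"
    return (get(winreg.HKEY_LOCAL_MACHINE, pol, "NoDriveTypeAutoRun"),
            get(winreg.HKEY_CURRENT_USER, pol, "NoDriveTypeAutoRun"),
            get(winreg.HKEY_LOCAL_MACHINE, svc, "AutoRun"))


if __name__ == "__main__" and sys.platform == "win32":
    print("U3 LaunchPad would autorun:",
          u3_launchpad_would_autorun(*read_live_settings()))
```

A mask of 0x95 blocks ordinary removable drives but still lets the U3 CDFS partition autorun; the CD-ROM bit (0x20) or a `Cdrom` `AutoRun` value of 0 is what stops it.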


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Murda Mcloud
Sent: Wednesday, December 13, 2006 7:03 PM
To: [EMAIL PROTECTED]; [email protected]
Subject: RE: strange new virus

Just found this to do with U3 technology- I wonder if that could have
something to do with the problems?

http://www.sandisk.com/Retail/Default.aspx?CatID=1450#Q5



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, December 13, 2006 9:05 AM
To: [email protected]
Subject: strange new virus

VAR in Honolulu has a previously squeaky clean XP system now infected
with something strange:
Symptom list:
1) All desktop icons disappeared
2) When recreated by hand, some days later they all were rendered
un-runnable because they had all been renamed with an additional .lnk
suffix.
3) On every boot, after the XP splash screen, but before User Login (2
profiles), there is a 4" x 5" screen with an Exit and an OK button. The
screen shows a black background which overlays the XP blue login screen;
it looks like a VB screen. The name in the top bar changes on every boot,
such as c:\windows\system32\mup.sys, or i20mgr.sys, etc. This full file
name is preceded by usually 8 small box characters. Inside the white body
of the screen there are a few special characters: [\} and a character
that looks like an inverse equal sign, standing vertically.
4) CTRL-ALT-DEL at this point shows you flashes of blue underneath
5) The Outlook .PST file is missing
6) My antivirus and all other SYSTRAY items are gone
7) IE6 or IE7 won't connect to home page, instead Internet Properties
opens on the General Tab
8) Trend Micro PC-Cillin 2006 sees nothing, same with their Housecall and
WinSIC, or SYSCLEAN utilities.
9) MS RootkitRevealer finds nothing.

Infection route: while it could have been web browsing, or email, I
really think it came from an odd incident when a client came in with CAD
files to print on a thumb drive. Trend says thumbdrives don't infect PCs,
though I've looked at the U3.com software available for a SanDisk Cruzer
(and several other makes) and it seems like there's a CPU in it, because
you can scan a new PC for viruses using Avast from the thumb drive.



At one point they sent me a tool to fix the associations with
applications, so that now Start Programs run most apps.

However, I've lost my email. This case has been open at Trend for more
than a month, and now they are telling me it is not a virus and don't
worry.

Not only that, when I call Trend Tech support, they hang up on me
repeatedly, or put my call back in the queue, or promise to work the next
day with me, and then don't. They want me to go away, but I think this is
a serious threat.

CAN a thumbdrive infect a system?
Has anyone seen anything like this, or know how to respond to it and
recover my email (besides backup)?

Thanks for any leads.

That can't be correct, is it?
