IBM USB Drives Contain Malware
From: AusCERT (firstname.lastname@example.org)
To: AusCERT (email@example.com)
Subject: AusCERT Important Information - Malware on IBM USB
Date: Fri, 21 May 2010 06:32:11 +0000
Dear AusCERT Delegate
At the AusCERT conference this week, you may have collected a complimentary
USB key from the IBM booth. Unfortunately we have discovered that some of
these USB keys contained malware and we suspect that all USB keys may be
The malware is detected by the majority of current Anti Virus products [as
at 20/05/2010] and has been known since 2008.
The malware is known by a number of names and is contained in the setup.exe
and autorun.ini files. It is spread when the infected USB device is inserted
into a Microsoft Windows workstation or server whereby the setup.exe and
autorun.ini files run automatically.
Please do not use the USB key, and we ask that you return it to IBM at Reply
Paid 120, PO Box 400, West Pennant Hills 2120.
If you have inserted the USB device into your Microsoft Windows machine, we
suggest that you contact your IT administrator for assessment, remediation
and removal, or you may want to take the precaution of performing the steps
Steps to remove the malware:
1. Turn off System Restore
[Start > Programs > Accessories > System tools > System Restore]
Turning off System Restore will enable your anti virus software to clean
the virus from both your current system and any restore points that may
have become infected.
2. Update your antivirus tool with the latest antivirus definitions
[available from your anti virus vendor of choice].
3. Perform a full system scan with your AV tool to confirm the existence
of the infection. If malware is detected allow your AV to complete a clean.
4. On completion of this process, complete a second scan using a different
anti virus product. Free anti virus products are available from known
companies such as AVG, Avira, Panda Software, or Trend Micro.
5. Once a second scan has been performed and it is determined that your
workstation is free of any known malware, as a precautionary measure we
recommend that you perform a back up of all vital files on your workstation
and perform a full re-installation of the operating system. This process
will remove the risk of other unknown or undetected malware that may be
present on your machine.
If you experience difficulties with the above steps, please contact the IBM
Security Operations Team at email@example.com.
An IBM technical support person will contact you by phone to assist you.
We regret any inconvenience that may have been caused.
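
The following is an added example, not part of the advisory or of any IBM or AusCERT tooling: a read-only triage of a mounted USB drive root that reports which program an autorun file would launch and hashes it, without executing anything. The function names, the inclusion of autorun.inf (the file name Windows AutoRun reads) alongside the autorun.ini named in the advisory, and the sample drive contents are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Advisory names autorun.ini; autorun.inf is what Windows AutoRun reads (added assumption).
AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return (key, command) pairs from the [autorun] section that launch a program."""
    launches, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if value and (key in LAUNCH_KEYS or is_verb):
                launches.append((key, value))
    return launches


def triage_drive(root):
    """Inspect a mounted drive root without executing anything on it."""
    files = {p.name.lower(): p for p in Path(root).iterdir() if p.is_file()}
    findings = []
    for name in sorted(AUTORUN_NAMES & files.keys()):
        text = files[name].read_text(errors="replace")
        for key, command in parse_autorun(text):
            # Crude split: first token is the program; only root-level files are hashed.
            target = command.strip('"').split()[0].replace("\\", "/").split("/")[-1].lower()
            digest = hashlib.sha256(files[target].read_bytes()).hexdigest() if target in files else None
            findings.append({"file": name, "key": key, "command": command,
                             "target": target, "sha256": digest})
    return findings


def demo():
    """Constructed sample: a fake drive root with an autorun file and a dummy setup.exe."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "AUTORUN.INF").write_text("[AutoRun]\nopen=setup.exe /s\nicon=setup.exe,0\n")
        Path(tmp, "setup.exe").write_bytes(b"constructed placeholder, not a real binary")
        return triage_drive(tmp)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run it against the drive's mount point on a machine that does not auto-execute removable media; the reported hash can then be checked against an anti-virus vendor's lookup.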