IBM USB Drives Contain Malware

	Delivered-To: [REDACTED]
	Received: by [REDACTED] with SMTP id d15cs48535vcn; Thu, 20 May 2010 23:34:04 -0700 (PDT)
	Received: by [REDACTED] with SMTP id f31mr975791waf.195.1274423644008; Thu, 20 May 2010 23:34:04 -0700 (PDT)
	Return-Path: (
	Received: from ( [])
	        by with ESMTP id k5si1702222waf.86.2010.;
	        Thu, 20 May 2010 23:34:02 -0700 (PDT)
	Received-SPF: neutral ( is neither permitted
	nor denied by best guess record for domain of client-ip=;
	Authentication-Results:; spf=neutral ( is neither permitted nor denied by best guess record for
	domain of
	Received: from ( by
	 ( with Microsoft SMTP Server (TLS) id 14.0.694.0; Fri, 21 May
	 2010 16:33:53 +1000
	Received: from ([fe80::755b:17ce:21aa:a1e7]) by ([fe80::755b:17ce:21aa:a1e7%14]) with mapi; Fri, 21 May
	 2010 16:34:45 +1000
	From: AusCERT (
	To: AusCERT (
	Subject: AusCERT Important Information - Malware on IBM USB
	Thread-Topic: AusCERT Important Information - Malware on IBM USB
	Thread-Index: Acr4r1gSGygbE89uSF+OWOvbW6WMcA==
	Importance: high
	X-Priority: 1
	Date: Fri, 21 May 2010 06:32:11 +0000
	Message-ID: (
	Accept-Language: en-AU, en-US
	Content-Language: en-US
	Content-Type: multipart/alternative; boundary="_000_DD6937D5F83D404E8B4851E00EEC6F8004A049CCexc04extremedns_"
	MIME-Version: 1.0
	Return-Path: --_000_DD6937D5F83D404E8B4851E00EEC6F8004A049CCexc04extremedns_
	Content-Type: text/plain; charset="us-ascii"
	Content-Transfer-Encoding: quoted-printable

	Dear AusCERT Delegate

	At the AusCERT conference this week, you may have collected a complimentary
	USB key from the IBM booth.   Unfortunately we have discovered that some of 
	these USB keys contained malware and we suspect that all USB keys may be

	The malware is detected by the majority of current Anti Virus products [as
	at 20/05/2010] and been known since 2008.

	The malware is known by a number of names and is contained in the setup.exe
	and autorun.ini files.  It is spread when the infected USB device is inserted 
	into a Microsoft Windows workstation or server whereby the setup.exe and 
	autorun.ini files run automatically.

	Please do not use the USB key, and we ask that you return it to IBM at Reply 
	Paid 120, PO Box 400, West Pennant Hills 2120.

	If you have inserted the USB device into your Microsoft Windows machine, we
	suggest that you contact your IT administrator for assessment, remediation
	and removal, or you may want to take the precaution of performing the steps 

	Steps to remove the malware:

	   1. Turn off System Restore

	      [StartProgramsAccessoriesSystem toolsSystem Restore]

	      Turning off System Restore will enable your anti virus software to clean 
	      the virus from both your current system and any restore points that may
	      have become infected.

	   2. Update your antivirus tool with the latest antivirus definitions

	      [available from your anti virus vendor of choice].

	   3. Perform a full system scan with your AV tool to confirm the existence
	      of the infection.  If malware is detected allow your AV to complete a clean.

	   4. On completion of this process, complete a second scan using a different 
	      anti virus product. Free anti virus products are available from known 
	      companies such as AVG, Avira, Panda Software, or Trend Micro.

	   5. Once a second scan has been performed and it is determined that your 
	      workstation is free of any known malware,  as a precautionary measure we 
	      recommended that you perform a back up of all vital files on your workstation
	      and perform a full re-installation of the operating system.  This process
	      will remove the risk of other unknown or undetected malware that may be
	      present on your machine.

	If you experience difficulties with the above steps, please contact the IBM
	Security Operations Team at

	An IBM technical support person will contact you by phone to assist you.

	We regret any inconvenience that may have been caused.

	Glenn Wightwick
	Chief Technologist
	IBM Australia

main page ATTRITION feedback