Saturday, September 08, 2007

HITB Aftermath: Why don't you know you have a virus in your pocket?

Something interesting happened during HITB Conference 2007. All of us brought our own USB thumb drives to ease the file transfer process. After the conference was over, Dhillon told us that his USB thumb drive contained a virus and asked us to look into ours. Interestingly, here's what I have on my thumb drive -

shell>cat autorun.inf
[AutoRun]
open=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
shellexecute=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
shell\AutoOpen\command=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
shell=AutoOpen

shell>file MSOCache/90000804-6000-11D3-8CFE-0150048383C9/kb915865.exe
MSOCache/90000804-6000-11D3-8CFE-0150048383C9/kb915865.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

Other crew members may also have similar files on their USB thumb drives, so if any of you have borrowed a USB thumb drive from us, good luck! As most of us are using either Linux or OS X, we don't even know the malicious files reside on our USB thumb drives.

Thanks to the F-Secure sticker, I especially like the quote -

Real Men don't use antivirus.

Good luck to all Windows users in the conference.

Enjoy ;]

The root cause of this - thanks to the rented PC from whatever hardware provider ..... you should pay our monetary losssss
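
A check that can be run on Linux or OS X against a mounted thumb drive, as an added example (not code from the original post): it reads autorun.inf at the volume root, lists the entries that name a program to launch, and tests whether each target starts with the MZ executable signature. The function names are hypothetical, and each value is assumed to be a bare relative path with no arguments; matching is case-insensitive because the autorun.inf above says KB915865.exe while the file on disk is kb915865.exe.

```python
import os
import re

# Keys that name a program to launch; values are treated as a bare path (assumption: no arguments).
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def autorun_targets(text):
    """Return (key, command) pairs from the [AutoRun] section of autorun.inf text."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if EXEC_KEYS.match(key):
                found.append((key, value))
    return found

def resolve_nocase(root, win_path):
    """Map a Windows-style relative path onto a case-sensitive mount, or return None."""
    current = root
    for part in win_path.replace("/", "\\").split("\\"):
        if part in ("", "."):
            continue
        # os.listdir never returns "..", so parent traversal fails to match and yields None.
        names = os.listdir(current) if os.path.isdir(current) else []
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current

def scan_volume(root):
    """List autorun entries on a mounted volume and whether each target is an MZ executable."""
    inf = resolve_nocase(root, "autorun.inf")
    if inf is None:
        return []
    with open(inf, encoding="latin-1") as fh:
        entries = autorun_targets(fh.read())
    report = []
    for key, command in entries:
        path = resolve_nocase(root, command)
        is_mz = False
        if path and os.path.isfile(path):
            with open(path, "rb") as fh:
                is_mz = fh.read(2) == b"MZ"
        report.append({"key": key, "command": command, "path": path, "is_mz": is_mz})
    return report
```

Call scan_volume() with the mount point of the drive; any entry with is_mz set to True is a program that Windows AutoRun would be told to launch from that drive.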

3 comments:

Anonymous said...

i still got a bunch of stickers if you want. hehe

--madjack

RuFI0 said...

Gentoo rules!

Mario said...

The virus Autorun MSOCache, doWTP_restore, is deleted with Kaspersky 6.0. I made a patch to eliminate the worm. Simply execute it. I will send it to everyone who wants it.

mandres71@hotmail.com