USB Worm Targets Firefox, Orkut and YouTube


You might have seen a recent flurry of USB Worms in the news - well, one of our researchers found what appears to be a variant targeting (as you might have guessed from the title) Firefox, Orkut and YouTube.

How does this happen? For starters, if you have the infection file on your computer (before activation) it'll probably look something like this:

moz1.jpg

Not too bad yet, right? Well, if you're unfortunate enough to double-click the thing and run it (of course, in a non-testing environment this would spread automatically via USB shares), your day will take a turn for the worse. Attempt to use Firefox, and you'll see this (along with an MP3 of someone laughing at you playing in the background):

http://blog.spywareguide.com/upload/2007/05/moz2-thumb.jpg

"Use Internet Explorer you dope - I don't hate Mozilla but use IE or else"

At this point, you can't use the browser and it closes automatically on you.

Jumping over to IE, if you attempt to get to the Orkut website....

http://blog.spywareguide.com/upload/2007/05/moz3-thumb.jpg

...whoops!

The "fun" doesn't end here, however - because whoever made this apparently isn't too keen on you visiting the YouTube website either:

http://blog.spywareguide.com/upload/2007/05/moz4-thumb.jpg

Of course, the people behind the infection files can deny an infected user access to whatever sites they feel like - in that sense, it's not that different from putting a website into your HOSTS file. For whatever reason, this individual felt the need to vent their spleen at YouTube and Orkut and blocked them via the infection file. Needless to say, this spreads the same way the first wave of USB infections did (an Autorun.inf file):

http://blog.spywareguide.com/upload/2007/05/Autoplay-thumb.JPG
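A defender-side check for the Autorun.inf spreading mechanism mentioned above, as an added example that is not code from the original post or its researchers: it parses the `[autorun]` section of a file and reports the entries that launch an executable. The sample file contents and names such as `sample.exe` are constructed for illustration, and the extension list is an assumption.

```python
import re

# Keys in the [autorun] section that make Windows start a program.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section (keys lower-cased)."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_targets(entries):
    """List (key, program) pairs for entries that start a program."""
    found = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_CMD.match(key):
            # The program is the first token; quoted paths may contain spaces.
            m = re.match(r'"([^"]+)"|(\S+)', value)
            program = (m.group(1) or m.group(2)) if m else ""
            found.append((key, program))
    return found

def audit(text):
    """Return findings for launch entries that point at executable files."""
    return [f"{k} -> {p}" for k, p in launch_targets(parse_autorun(text))
            if p.lower().endswith(EXEC_EXT)]

# Constructed sample, not taken from the worm described in the post.
SAMPLE = """; constructed example
[AutoRun]
open=sample.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\command=sample.exe
shell\\explore\\command="tools dir\\sample.exe" /q
label=USB DISK
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Pass the text of an `autorun.inf` found in the root of a removable drive to `audit()`; any returned line names a program the drive would try to start.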

Finally, it's worth noting that some of these files are designed so that the .EXE looks like a folder on your desktop:

moz10.jpg

You'd be surprised how many people fall for that. I've also written about this elsewhere, and if you'd like to see the hijack in action (and hear the wonderful laughter that plays when you try to use Firefox, Orkut or YouTube) then click here.

Write up: Christopher Boyd, Director of Malware Research
Research and Discovery: Manoj V, Malware Threat Researcher

2 Comments

My laptop is affected. Pls help me to solve this problem.

Even I got infected with this worm. Here I have completely blogged on how to remove this worm from your system manually:
http://www.jeba.in/posts/w32usbworm-lets-remove-this-worm-manually/#more-120


About this Entry

This page contains a single entry by Christopher Boyd published on May 11, 2007 5:55 AM.
