SpywareGuide powered by FaceTime Security Labs

  • USB Worm Targets Firefox, Orkut and YouTube

You might have seen a recent flurry of USB Worms in the news - well, one of our researchers found what appears to be a variant targeting (as you might have guessed from the title) Firefox, Orkut and YouTube.

How does this happen? For starters, if you have the infection file on your computer (before activation) it'll probably look something like this:

moz1.jpg

Not too bad yet, right? Well, if you're unfortunate enough to double-click the thing and run it (of course, in a non-testing environment this would spread automatically via USB shares), your day will take a turn for the worse. Attempt to use Firefox, and you'll see this (along with an MP3 of someone laughing at you playing in the background):

http://blog.spywareguide.com/upload/2007/05/moz2-thumb.jpg

"Use Internet Explorer you dope - I don't hate Mozilla but use IE or else"

At this point, you can't use the browser and it closes automatically on you.

Jumping over to IE, if you attempt to get to the Orkut website....

http://blog.spywareguide.com/upload/2007/05/moz3-thumb.jpg

...whoops!

The "fun" doesn't end here, however - because whoever made this apparently isn't too keen on you visiting the YouTube website either:

http://blog.spywareguide.com/upload/2007/05/moz4-thumb.jpg

Of course, the people behind the infection files can deny an infected user access to whatever sites they feel like - in that sense, it's not that different from putting a website into your HOSTS file. For whatever reason, this individual felt the need to vent their spleen at YouTube and Orkut and blocked them via the infection file. Needless to say, this spreads the same way the first wave of USB infections did (an Autorun.inf file):

http://blog.spywareguide.com/upload/2007/05/Autoplay-thumb.JPG
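As an added example (not code from the original post or from FaceTime Security Labs), here is a small triage script for the Autorun.inf on a suspect USB drive: it lists every entry that would start a program from the drive. The sample file contents, file names and function names are constructed for illustration.

```python
import re

# Keys in the [autorun] section that tell Windows to start a program.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_VERB = re.compile(r"^shell\\[^\\]+\\command$")
# Shortest leading run of the value that ends in an executable/script extension.
PROGRAM = re.compile(r'^"?(.+?\.(?:exe|com|scr|pif|bat|cmd|vbs|js))(?![\w.])', re.I)

def parse_autorun(text):
    """Return the [autorun] section as {lowercased key: value}, skipping junk lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_findings(text):
    """List (key, program) for every entry that would run a file from the drive."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or SHELL_VERB.match(key):
            match = PROGRAM.match(value)
            if match:
                findings.append((key, match.group(1)))
    return findings

# Constructed sample for illustration; not the file shown in the screenshot.
SAMPLE = r"""
garbage line used as padding
[AutoRun]
; comment
open=holiday photos.exe
Shell\Open\Command="holiday photos.exe" /quiet
icon=holiday photos.exe
label=Removable Disk
[other]
open=ignored.exe
"""

if __name__ == "__main__":
    for key, program in launch_findings(SAMPLE):
        print(f"autorun.inf launches {program!r} via {key}")
```

Section and key names are matched case-insensitively and lines outside `[autorun]` are ignored, so padding and mixed-case entries do not hide a launch command.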

Finally, it's worth noting that some of these files are designed so that the .EXE looks like a folder on your desktop:

moz10.jpg

You'd be surprised how many people fall for that. I've also written about this elsewhere, and if you'd like to see the hijack in action (and hear the wonderful laughter that plays when you try to use Firefox, Orkut or YouTube) then click here.

Write up: Christopher Boyd, Director of Malware Research
Research and Discovery: Manoj V, Malware Threat Researcher


  • Comments

My laptop is affected. Pls help me to solve this problem.


Even I got infected.. with this worm.. Here I have completely blogged on how to remove this worm from your system manually
http://www.jeba.in/posts/w32usbworm-lets-remove-this-worm-manually/#more-120



© Copyright 2006, FaceTime Communications, Inc. All rights reserved.