Win32/Agent.ONB Trojan virus built into an mp3 player rom


GJ

My nephew was given a no-name mp3 player, which looks like a USB drive, for
Christmas.

When the MP3 Player is plugged into a USB port on our computer, it is
identified by Windows XP Home as two devices:

1) AMT_CDROM, a read-only drive

2) MP3_PLAY, a drive which contains mp3 files to be played by the
player.

The AMT_CDROM drive contains some files which try to run as soon as the
player is plugged in, using the Windows AUTORUN function. These files are in
a chip on the player and cannot be deleted.

These files are

autorun.inf
AMT.sn
start.exe

The result of this is that Windows tries to run the file "start.exe", and as
soon as this happens it is flagged by the anti-virus software (NOD32) as
containing the Win32/Agent.ONB Trojan virus.

There are some references to this virus on the web, but nothing very useful
which I have found so far - the following has been translated from Italian
on a forum and relates a similar experience.

"Hello everyone I have a question to be asked: I bought an mp3 player
similar to your shuffle from china 2 gi
The problem is that if I connect off with usb cable to PC then turn fits ...
you see, it works and everything is ok ...
But if I turn it off and then turn it back on it tells me "device not
recognized" and then at the end asks me to reboot the PC.
But the main problem is that my view on the PC in addition to "removable
disk" also similar to a disc player that if I clicked on from the antivirus
(nod 32) recognize a file start.exe. "
"G: \ AMT.sn 'cabinet' BackupTool.exe - probably a variant of
Win32/PSW.Agent horse tr ** a"
the presence of a file infested by trojan.
The result is this: "G: \ start.exe - Win32/Agent.ONB horse tr ** a - error
while deleting - file is locked - error while deleting - file is locked -
error while deleting - file is blocked. "
of course I can not remove in any way .... this disc (AMT_CDROM) despite the
low level formatting does not delete them ... but still active ... I do is
safe to use? You can delete? "

I can't find any details on what the virus, if it really exists, does.

Has anyone come across this before? If there is a virus present, it seems
to be encoded into the rom chip on the mp3 player during its manufacture.

I can't imagine the presence of the virus pattern is a coincidence because
the function of the start.exe must be fairly simple in this use.

Look forward to hearing of any similar incidents or anything else about this
one you can tell me.

Thanks,

GJ
 

matjaz.vencelj

Same here - just got three of them from an ebay seller. I managed to
repartition and reformat, but still opens a virtual cdrom with said
files... cheers M
 

GJ

David H. Lipman said:
From: "GJ" <[email protected]>

| My nephew was given a no-name mp3 player, which looks like a USB drive, for
| Christmas.

| When the MP3 Player is plugged into a USB port on our computer, it is
| identified by Windows XP Home as two devices:

| 1) AMT_CDROM, a read-only drive
| 2) MP3_PLAY, a drive which contains mp3 files to be played by the
| player.

| The AMT_CDROM drive contains some files which try to run as soon as the
| player is plugged in, using the Windows AUTORUN function. These files are in
| a chip on the player and cannot be deleted.

| These files are

| autorun.inf
| AMT.sn
| start.exe

| The result of this is that Windows tries to run the file "start.exe", and as
| soon as this happens it is flagged by the anti-virus software (NOD32) as
| containing the Win32/Agent.ONB Trojan virus.

| There are some references to this virus on the web, but nothing very useful
| which I have found so far - the following has been translated from Italian
| on a forum and relates a similar experience.

| "Hello everyone I have a question to be asked: I bought an mp3 player
| similar to your shuffle from china 2 gi
| The problem is that if I connect off with usb cable to PC then turn fits ...
| you see, it works and everything is ok ...
| But if I turn it off and then turn it back on it tells me "device not
| recognized" and then at the end asks me to reboot the PC.
| But the main problem is that my view on the PC in addition to "removable
| disk" also similar to a disc player that if I clicked on from the antivirus
| (nod 32) recognize a file start.exe. "
| "G: \ AMT.sn 'cabinet' BackupTool.exe - probably a variant of
| Win32/PSW.Agent horse tr ** a"
| the presence of a file infested by trojan.
| The result is this: "G: \ start.exe - Win32/Agent.ONB horse tr ** a - error
| while deleting - file is locked - error while deleting - file is locked -
| error while deleting - file is blocked. "
| of course I can not remove in any way .... this disc (AMT_CDROM) despite the
| low level formatting does not delete them ... but still active ... I do is
| safe to use? You can delete? "

| I can't find any details on what the virus, if it really exists, does.

| Has anyone come across this before? If there is a virus present, it seems
| to be encoded into the rom chip on the mp3 player during its manufacture.

| I can't imagine the presence of the virus pattern is a coincidence because
| the function of the start.exe must be fairly simple in this use.

| Look forward to hearing of any similar incidents or anything else about
| this one you can tell me.

| Thanks,

| GJ


It is an AutoRun worm. If Eset doesn't provide technical information on
what this AutoRun worm does, you'll have to provide the EXE file to Virus
Total to see who else recognizes this threat and see if they have technical
information on what this AutoRun does.

Please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors'
scanners. That will give you an idea what it is and who recognizes it. In
addition Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email
URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.

Will do, but the mp3 player is now in Ballarat - I'll have to wait until my
nephew comes back to Melbourne.

Thanks,

GJ
 

kurt wismer

GJ said:
My nephew was given a no-name mp3 player, which looks like a USB drive, for
Christmas.

When the MP3 Player is plugged into a USB port on our computer, it is
identified by Windows XP Home as two devices:

1) AMT_CDROM, a read-only drive

2) MP3_PLAY, a drive which contains mp3 files to be played by the
player.

this sounds like a variation on the U3 technology that certain usb flash
drives (notably the sandisk cruzer) come with... the technology allows
certain usb devices to bypass normal windows limitations on usb flash
drives (ie. normally usb drives initiate autoplay instead of autorun) by
presenting windows with 2 devices - one of them a CD drive (which by
default initiates autorun rather than autoplay)...

The AMT_CDROM drive contains some files which try to run as soon as the
player is plugged in, using the Windows AUTORUN function. These files are in
a chip on the player and cannot be deleted.

i think you may find that it is possible to delete these files, or more
accurately it should be possible to overwrite the partition on which
virtual cd drive exists with a new ISO file containing whatever you like...

it will almost certainly require special software specific to the
technology involved but i was able to 'neuter' the U3 installer on the
sandisk cruzer i bought earlier this year using just such a method...
unfortunately i don't know the name of the technology that would give
you the AMT_CDROM drive - a U3 disk would show U3 as the name of the cd
drive...
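An added example (not from this thread or any of its posters) that makes kurt's point checkable from the defender's side: it parses an autorun.inf, reports what Explorer would launch, and applies the NoDriveTypeAutoRun mask logic under which XP auto-runs the open= line only for CD-class volumes while a plain removable drive only gets an AutoPlay prompt. The autorun.inf contents below are constructed; the thread names the files on AMT_CDROM but not what they contain.

```python
import configparser

# Constructed sample; the thread only names autorun.inf and start.exe,
# their real contents are not known.
SAMPLE_AUTORUN_INF = """[autorun]
open=start.exe
icon=start.exe,0
action=Open MP3 Player
label=AMT_CDROM
shell\\play\\command=start.exe /play
"""

# Bits of HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
# \NoDriveTypeAutoRun: a SET bit disables AutoRun for that drive type.
DRIVE_BITS = {"unknown": 0x01, "removable": 0x04, "fixed": 0x08,
              "network": 0x10, "cdrom": 0x20, "ramdisk": 0x40}
XP_DEFAULT_MASK = 0x91  # XP default: CD-ROM and removable bits are clear
HARDENED_MASK = 0xFF    # every drive type's AutoRun disabled


def launch_targets(inf_text):
    """Return the commands an autorun.inf would run or offer to Explorer."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case, e.g. shell\play\command
    parser.read_string(inf_text)
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    found = {}
    for key, value in parser.items(section):
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            found[key] = value.strip()
    return found


def autorun_allowed(mask, drive_type):
    """True if the policy mask leaves AutoRun enabled for this drive type."""
    return not (mask & DRIVE_BITS[drive_type])


def auto_executed(inf_text, mask, drive_type):
    """Commands launched with no user action when the volume is mounted.
    Per the thread: XP auto-runs open= only for CD-class volumes; on a
    removable drive it is merely listed in the AutoPlay prompt, which is
    why the player presents a fake CD drive."""
    if drive_type != "cdrom" or not autorun_allowed(mask, drive_type):
        return []
    return [v for k, v in launch_targets(inf_text).items() if k.lower() == "open"]


if __name__ == "__main__":
    print("declared targets:", launch_targets(SAMPLE_AUTORUN_INF))
    for mask in (XP_DEFAULT_MASK, HARDENED_MASK):
        print(hex(mask), "cdrom ->", auto_executed(SAMPLE_AUTORUN_INF, mask, "cdrom"))
```

Setting the mask to 0xFF (or the per-type CD-ROM bit) is the configuration-side mitigation; the script only predicts behaviour, it does not touch the registry.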
 

Ernie B.

i think you may find that it is possible to delete these files, or more
accurately it should be possible to overwrite the partition on which
virtual cd drive exists with a new ISO file containing whatever you like...

it will almost certainly require special software specific to the
technology involved but i was able to 'neuter' the U3 installer on the
sandisk cruzer i bought earlier this year using just such a method...
unfortunately i don't know the name of the technology that would give
you the AMT_CDROM drive - a U3 disk would show U3 as the name of the cd
drive...

You might consider a LiveCD of gparted,
<http://gparted.sourceforge.net/livecd.php>. It should be possible to delete
the partition in question and then expand the remaining partition to occupy
the entire drive.
 

GJ

Ernie B. said:
You might consider a LiveCD of gparted,
<http://gparted.sourceforge.net/livecd.php>. It should be possible to delete
the partition in question and then expand the remaining partition to occupy
the entire drive.
--
Ernie B.

Communication: The art of moving an idea from one mind to another,
hopefully
without distortion.

I don't think this is the same as the U3 system, which is based on a
software start-up, and it's easy to delete the U3 system software files (I've
done this on my 4Gb Sandisk Cruzer). The files involved here seem to be in
a rom in the device and they are ungettable at, if you get my drift. The evil
partition seems to be set up by hardware and the files can't be deleted.
GJ
 

kurt wismer

GJ wrote:
[snip]
I don't think this is the same as the U3 system, which is based on a
software start-up and it's easy to delete the U3 system software files(I've
done this on my 4Gb Sandisk Cruzer). The files involved here seem to be in
a rom in the device and they are ungettable at if you get my drift. The evil
partition seems to be set up by hardware and the files can't be deleted.

well, i don't know about your cruzer, but mine had files on the 'cd
drive' as well as on the normal usb drive... the ones on the 'cd drive'
were not editable in the normal way either - they were as read-only as
the contents of any CD in fact... but i was able to find software to
write a new ISO to that drive...

oh, and U3 is not purely software-based, the hardware itself has to be
different from a standard usb flash drive in order to report multiple
devices to windows... basically the hardware has to lie to your
computer, which is not a standard practice...
 

kurt wismer

Ernie said:
You might consider a LiveCD of gparted,
<http://gparted.sourceforge.net/livecd.php>. It should be possible to delete
the partition in question and then expand the remaining partition to occupy
the entire drive.

these aren't the same as logical partitions on a single physical
drive... the device reports 2 physical drives, one a removable drive and
one a cd drive...
 

GJ

these aren't the same as logical partitions on a single physical drive...
the device reports 2 physical drives, one a removable drive and one a cd
drive...

Yes, that's exactly what the mp3 player did.

Strangely I can't find this Win32/Agent.ONB virus listed anywhere in the
usual virus description libraries so I'm not sure how dangerous it is.

GJ
 

kurt wismer

GJ said:
Yes, that's exactly what the mp3 player did.

Strangely I can't find this Win32/Agent.ONB virus listed anywhere in the
usual virus description libraries so I'm not sure how dangerous it is.

i'm afraid there are far too many pieces of malware out there for them
to all have a description in an online database - and the family name
"agent" specifically is used for so many things that it is of little
help either... did you follow david's suggestion and submit it to
virustotal.com? i've tried running "agent.onb" through vgrep to find
what other scanners might call it but there were no results returned...

what david said is almost certainly true, it's an autorun worm, but any
additional capabilities it might have depends very much on getting a
description for that specific variant...

if the search for a description is fruitless you may have to assume the
worst (ie. stealth, password stealing, etc)...

another thing you *could* try, however, is to contact the company that
makes your scanner and ask if it's a false alarm or not (you'll probably
have to send them a copy of the file)... they should be able to clear up
some of your other questions too...
 

Oco

i'm afraid there are far too many pieces of malware out there for them
to all have a description in an online database - and the family name
"agent" specifically is used for so many things that it is of little
help either... did you follow david's suggestion and submit it to
virustotal.com? i've tried running "agent.onb" through vgrep to find
what other scanners might call it but there were no results returned...

what david said is almost certainly true, it's an autorun worm, but any
additional capabilities it might have depends very much on getting a
description for that specific variant...

if the search for a description is fruitless you may have to assume the
worst (ie. stealth, password stealing, etc)...

another thing you *could* try, however, is to contact the company that
makes your scanner and ask if it's a false alarm or not (you'll probably
have to send them a copy of the file)... they should be able to clear up
some of your other questions too...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Your mp3 player looks like this? http://www.unibit.com.cn/English/products_show.asp?id=323
If so, try to update firmware/iso with the tool provided in download
section. There are several models in that page. Good luck
 

1PW

Hello!
I have the same problem, tried a USB vaccine and what you said, but I
simply don't have this 'configuration' on my mp3 here so I couldn't make
it through and the plus driver, with the Trojan does not let me open
files and send them to the mp3 player,
could you pls help me?

thanx in advance

Hello Aimie:

The problem with "stealing" the thread from GJ is that the focus can
change to you without a proper solution for GJ.

After reading this, please start a thread of your very own stating the
exact circumstances you believe you have this malware presently in your
system. Please include the exact details of your OS and antimalware
application that reported it and the full pathname to the infection.

Please don't leave out the "small" details.

Pete
 
