ESET Threat Blog
David Harley

Infected Drivers CD?

by David Harley Senior Research Fellow
February 16, 2010 at 7:18 am

Here's some news from the ESET Virus Lab in Slovakia. One of our clients encountered an interesting infection within his network.

The problem seemed to originate from the drivers CD that comes with the device he bought, the Habey BIS-6550HD, a fanless Atom-powered system, though we haven't seen the CD itself. Our analysis of the CD image supplied by the customer, which seems to date from July 2009, confirmed that it contains a set of files infected by 2 different viruses:

  • Win32/Viking.CH
  • Win32/Xorer.NAJ

Altogether, 25 executables were infected. Furthermore, 15 HTM files were infected (detected by us as Win32/Xorer.AW) by the insertion of an IFRAME redirect, which originates with infection by the Xorer virus.

Both of these infiltrations are prepending viruses. Win32/Xorer is also classified as an Autorun worm. Both are described in our virus encyclopaedia, though the descriptions don't refer to the exact same variants: one describes Win32/Viking.AU and the other describes Win32/Xorer.BU.
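The IFRAME insertion described above can be triaged on a mounted CD image before any installer is run. The script below is an added example, not ESET's tooling or the lab's analysis: it walks a directory tree, flags HTM/HTML files carrying an IFRAME that is hidden (zero size or display:none) or loads from another host, and hashes every executable so the values can be compared with whatever the vendor publishes. The hidden-IFRAME heuristic and the sample HTML are assumptions constructed for the example, not the exact payload the lab saw.

```python
import hashlib
import os
import re
from pathlib import Path

# Heuristic assumed for this example (not ESET's detection logic): an IFRAME that is
# invisible, or that pulls content from another host, is the classic injected redirect.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r'(?:width|height)\s*=\s*["\']?0\b|display\s*:\s*none|visibility\s*:\s*hidden',
    re.IGNORECASE)
SRC_RE = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
HTML_EXT = {".htm", ".html"}
EXE_EXT = {".exe", ".dll", ".sys", ".scr"}

# Constructed sample of an injected README page; the redirect target is a placeholder.
SAMPLE_INJECTED = ('<html><body>Run setup.exe to install.</body></html>'
                   '<iframe src="http://example.invalid/x.htm" width="0" height="0"></iframe>')


def suspicious_iframes(html: str) -> list:
    """Return the src of every IFRAME that is hidden or loads from another host."""
    hits = []
    for tag in IFRAME_RE.findall(html):
        m = SRC_RE.search(tag)
        src = m.group(1) if m else ""
        offsite = src.lower().startswith(("http://", "https://", "//"))
        if HIDDEN_RE.search(tag) or offsite:
            hits.append(src)
    return hits


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_image(root) -> dict:
    """Walk a mounted CD image; report injected IFRAMEs and hashes of executables."""
    report = {"iframes": {}, "executables": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            if p.suffix.lower() in HTML_EXT:
                hits = suspicious_iframes(p.read_text(errors="replace"))
                if hits:
                    report["iframes"][rel] = hits
            elif p.suffix.lower() in EXE_EXT:
                report["executables"][rel] = sha256_of(p)
    return report
```

Run `triage_image("/mnt/cdrom")` against the mount point of the image; any entry under `iframes` is worth a manual look, and the `executables` hashes can be checked against vendor-published values before anything is executed.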

ESET has had proactive protection (generic signatures) for these threats since 18.5.2006 (Win32/Viking) and 6.5.2008 (Win32/Xorer). These families are, of course, well-known to other vendors too.

The customer tells us that the hardware manufacturer was notified about the problem, and he was advised to download the drivers from their web site. While the site is up, we've been unable to download the drivers ourselves: perhaps this means the company is currently checking their download site. If you have any concerns about hardware or software from Norco/Habey, we'd advise you to contact them directly as soon as possible, to check that any problems with their quality control have been corrected. According to the CD image analysed by the lab in Bratislava, these are the infected files.

Infected EXEs:
915_945_965inf\Setup.exe
ALC888\2k_xp\Setup.exe
ALC888\2k_xp\WDM\Alcmtr.exe
ALC888\2k_xp\WDM\SoundMan.exe
Atom\inf_setup.exe
Atom\HDMI_VGA\Utilities\IEGDGUI.exe
Atom\HDMI_VGA\Utilities\Setup.exe
Atom\winvista\Setup.exe
Atom\winxp\Setup.exe
Decoder card dirvers\windows\basic\32-bit\DPinst.exe
Decoder card dirvers\windows\basic\64-bit\DPinst.exe
Decoder card dirvers\windows\evaluation\BRCM_UI_Player.exe
Decoder card dirvers\windows\evaluation\32-bit\DPinst.exe
Decoder card dirvers\windows\evaluation\64-bit\DPinst.exe
Decoder card dirvers\windows\file\32-bit\DPinst.exe
Decoder card dirvers\windows\file\64-bit\DPinst.exe
DirectX9\DXSETUP.exe
HDD-patch\48-bit LBA.exe
LAN\vista\setup.exe
LAN\win2k_xp\setup.exe
TV tuner\Driver\Windows XP&Vista32bit\setup.exe
TV tuner\Driver\Windows XP&Vista64bit\setup.exe
TV-OUT\testAPP.EXE
USB2.0\Intel9x\setup.exe
VGA\win2k_xpVGA\setup.exe

Infected HTMs:
LAN\vista\README\Arabic\setup.html
LAN\vista\README\English\setup.html
LAN\vista\README\French\setup.html
LAN\vista\README\German\setup.html
LAN\vista\README\Hebrew\setup.html
LAN\vista\README\Hungarian\setup.html
LAN\vista\README\Italian\setup.html
LAN\vista\README\Japanese\setup.html
LAN\vista\README\Korean\setup.html
LAN\vista\README\Portuguese\setup.html
LAN\vista\README\Simplified_Chinese\setup.html
LAN\vista\README\Spanish\setup.html
LAN\vista\README\Traditional_Chinese\setup.html
LAN\vista\README\Turkish\setup.html
s3132\BASE\readme.htm

David Harley CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch
http://twitter.com/ESETblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/


2 Responses to “Infected Drivers CD?”

  1. pandora Says:

    Well, most of the time, if I bought hardware with a driver CD, I don't install from the supplied CD, especially if the product was made in China or Taiwan, because often the setup files are infected!

  2. Randy Abrams Says:

    I’m not sure that they are “often” infected, but it can happen anywhere.
