Found a Trojan horse on a new jumpdrive

chmsam

Flashlight Enthusiast
Joined
Apr 26, 2004
Messages
2,241
Location
3rd Stone
Just a heads up, and if this is not posted in the correct area, please feel free to move it.

I recently purchased a jumpdrive at a good price. It was in new and unopened packaging and I still found it had a Trojan horse on it.

The product information:

Lexar Firefly Jumpdrive 2GB. Model JDFF2GB-431 Rev. H
UPC: 6-50590-14097-8
Other package labeling:
-- 2518676
-- 1824968
-- "China"

There was software (Dmailer_for_Lexar_V7_0_334.exe) on the drive and my security software detected and handled the Sheur2.blp Trojan horse within it. Now I freely admit that I do not know if this might be a benign program or not, but I did not want anything on the drive at all (I'm using this USB drive for storage only).

I run a few different antivirus and spyware programs and constantly update them. I also have a USB specific antivirus program. All this helps, but the easiest thing to do is to always check any USB drive whenever you plug it in. I also always recommend holding down the shift key when installing a USB drive. This prevents any autorun programs that might be on the drive from starting. Just be aware that if you hold down the shift key for more than about 8 seconds it might put you into a different keyboard mode (weird characters may appear as you type, and if you cannot get out of that, just reboot. Not that big a deal but it can look scary). You can right click and then select "explore" to see what is on the USB drive.

Also, if you have installed TweakUI on your system, bring it up, and in the left column under "my computer" select "autoplay" and then "types." Select which types you want to disable autoplay on and you're good to go.

Good habits pay off I guess, and I just wanted to let folks be aware.
 

qwertyydude

Flashlight Enthusiast
Joined
Aug 10, 2008
Messages
1,115
There were recently stories about USB picture frames containing various viruses; they traced it to workers in factories plugging MP3 players into the computers that formatted the drives.
 

snakebite

Flashlight Enthusiast
Joined
Mar 17, 2001
Messages
2,725
Location
dayton oh
False positive or a counterfeit drive.
Not that a disgruntled employee couldn't have infected the file to cause trouble. It has happened before with software.
 

jzmtl

Flashlight Enthusiast
Joined
Dec 4, 2006
Messages
3,123
Location
Montreal, Canada
I googled the file name and there aren't any other reports, in fact the third result leads back to your thread on edcf.
 

Lynx_Arc

Flashaholic
Joined
Oct 1, 2004
Messages
11,212
Location
Tulsa,OK
I googled it too.... and here are two links
HERE
The "installed" files are in 2 folders:
1. dmailer - has 1 file: Dmailer_for_Lexar_v7_0_334.exe (from reading the website, this is for a 30-day trial and I don't need this)
2. Secure II - has both Mac & Windows subfolders

DMAILER

apparently there is a trial version of dmailer on that drive which is some sort of backup program
 

chmsam

Flashlight Enthusiast
Joined
Apr 26, 2004
Messages
2,241
Location
3rd Stone
Very well could be a false positive. I sort of figured it might be. On the other hand, since there was zero information on the packaging about any software whatsoever being loaded on the USB drive, and more importantly I wanted it solely for storage, I wasn't about to chance it, especially since it tripped multiple warnings. I'm used to finding undocumented software on drives but I prefer to know about it in advance; not that it is a biggie, but getting flags from AV and malware protection always makes me err on the side of caution. It always will, too. Anything that rings security bells when you plug it in is going to get quarantined as far as I am concerned.

I e-mailed the company from which I purchased it and have yet to hear anything from them. Not a biggie either.

This all is "just in case" more than anything else. However, why risk a single thing especially for software you do not want in the first place even if it is benign?
 

Lynx_Arc

Flashaholic
Joined
Oct 1, 2004
Messages
11,212
Location
Tulsa,OK
I am guessing you can download the dmailer trial version from their site anyway if you wanted to try it later then deleting it is not a big deal.
 

mechBgon

Enlightened
Joined
Nov 3, 2007
Messages
567
I'd wager "Heur" is short for "heuristic", which means it's most likely a false positive. Use a big-gun scanner if you're still unsure: http://www.eset.com/products/nod32.php

...or use 30+ scanners: http://www.virustotal.com


Touching on the main topic: infecting CDs, DVDs, thumb drives, flash memory cards, cameras, MP3 players and external hard drives is pretty common practice by today's malware. Here are three defensive techniques for Windows 2000/XP/Vista systems:

1) modify your AutoPlay settings so removable devices and discs don't get AutoPlayed. Easy to do, minimal side effects.

2) use a non-Admin user account for daily-driver stuff. This would not prevent an infected device's attack from running, but would severely limit its options when it did run. Malware is typically not designed to work within the constraints of a non-Admin user account. There can be side effects, such as stupidly-made software that doesn't work properly with a non-Admin account, but it's simple to undo if you find it doesn't work out for you.

3) for people running XP Pro, XP Media Center Edition, Vista Business, Vista Ultimate or Vista Enterprise, you can set up a Software Restriction Policy that arbitrarily prevents such attacks. This is somewhat of a "power user" technique. Use SRP in combination with tip #2 above for the intended type of protection.


I'd also suggest Windows users check their systems for vulnerabilities using Secunia's free online checkup, or their free installable checkup utility: http://secunia.com/vulnerability_scanning/ Secunia reports that 98% of their users have at least one unpatched program installed when they scan for the first time.

Users of other OSes should also check their software, add-ons and plug-ins for updates, particularly stuff like FireFox, Opera, Safari, Sun Java, VLC Player, QuickTime, iTunes, Adobe Flash Player, Adobe Reader, OpenOffice and whatever else you have, not to mention your OS itself.
 
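The three Windows tips in the post above (disable AutoRun/AutoPlay, run day-to-day as a non-Admin, back that up with a Software Restriction Policy) all end up as registry policy and account state that can be audited. The script below is an added example, not from the thread or from any of the posters; it assumes a Windows machine with PowerShell, uses the standard policy locations (`NoDriveTypeAutoRun` under the Explorer policies key, and `DefaultLevel` under the SRP `CodeIdentifiers` key), and the `-Fix` switch is a hypothetical name chosen for this script. It only reads and reports unless `-Fix` is given from an elevated session, in which case it sets the machine-wide AutoRun policy to cover every drive type.

```powershell
# Added audit/hardening example (not the thread's own content). Assumes Windows + PowerShell.
# Read-only by default; pass -Fix from an elevated session to apply the AutoRun policy.

# --- Tip 1: AutoRun / AutoPlay -------------------------------------------------
# NoDriveTypeAutoRun is a bitmask of drive types EXCLUDED from AutoRun; 0xFF excludes all.
$autoRunPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',   # machine policy
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'    # per-user policy
)

function Get-AutoRunStatus {
    foreach ($p in $autoRunPaths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $v) { $display = '(not set)' } else { $display = '0x{0:X2}' -f $v }
        [pscustomobject]@{
            Path          = $p
            Value         = $display
            AllDrivesOff  = ($v -eq 0xFF)
        }
    }
}

function Disable-AutoRunAllDrives {
    # Machine-wide policy; needs an elevated session.
    $p = $autoRunPaths[0]
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    Set-ItemProperty -Path $p -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# --- Tip 2: is the daily-driver session running as Admin? ---------------------
function Test-IsAdminSession {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# --- Tip 3: Software Restriction Policy default level --------------------------
# DefaultLevel: 0x0 = Disallowed (default-deny), 0x1000 = Basic User, 0x40000 = Unrestricted.
function Get-SrpDefaultLevel {
    $p   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $lvl = (Get-ItemProperty -Path $p -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    if ($null -eq $lvl)       { return 'SRP not configured' }
    if ($lvl -eq 0)           { return 'Disallowed (default-deny: programs run only from allowed paths)' }
    if ($lvl -eq 0x1000)      { return 'Basic User' }
    if ($lvl -eq 0x40000)     { return 'Unrestricted (SRP present but not restricting anything)' }
    return ('Unknown level 0x{0:X}' -f $lvl)
}

# --- Report ---------------------------------------------------------------------
'AutoRun policy:'
Get-AutoRunStatus | Format-Table -AutoSize
'Current session is Admin : {0}' -f (Test-IsAdminSession)
'SRP default level        : {0}' -f (Get-SrpDefaultLevel)

# --- Optional fix (hypothetical -Fix switch for this script) ------------------
if ($args -contains '-Fix') {
    if (Test-IsAdminSession) {
        Disable-AutoRunAllDrives
        'AutoRun disabled for all drive types via the HKLM policy.'
    } else {
        'Re-run from an elevated session to apply the AutoRun policy.'
    }
}
```

The report is what you want from a locked-down daily-driver account: `AllDrivesOff` true, `Current session is Admin` false, and the SRP level reading `Disallowed`. A non-Admin session will still read the HKLM values; only the `-Fix` write needs elevation, which is the intended split between checking the machine from the low-privilege account you actually use and changing it from an Admin one.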