The Smell of Molten Projects in the Morning

Ed Nisley's Blog: Shop notes, electronics, firmware, machinery, 3D printing, laser cuttery, and curiosities. Contents: 100% human thinking, 0% AI slop.

Day: February 18, 2013

  • Why Friends Don’t Let Friends Run Windows: Conficker

    Mary gave a gardening presentation at the local library, popping a 4 GB USB memory stick with the presentation into a library computer connected to the display projector. Back home, she deleted the presentations and was about to add more files, when she noticed something interesting:

    drwx------  4 ed   ed    4096 Dec 31  1969 ./
    drwxr-x---+ 3 root root  4096 Jan 31 19:21 ../
    -r--r--r--  1 ed   ed   59288 Mar 21  2009 autorun.inf
    drwx------  3 ed   ed    4096 Jan 30 19:31 RECYCLER/
    drwx------  4 ed   ed    4096 Jan 31 19:10 .Trash-1001/
    

    Ubuntu 12.10 automagically mounts FAT filesystems with the current user as owner and group. The .Trash-1001 directory is the Linux trash heap, but where did all that other stuff come from? The autorun.inf definitely looks Window-y, doesn’t it?

    Perforce, the library runs Windows, but that shouldn’t add files to a USB memory stick that was just plugged in and used for a read-only presentation, should it?

    Huh. You know where this is going…

    Let’s hand autorun.inf to VirusTotal for a second opinion. The first three results from their long list confirm my suspicion:

    Antivirus    Result                   Update
    Agnitum      INF.Conficker.F          20130131
    AhnLab-V3    Win32/Conficker.worm     20130131
    AntiVir      Worm/Kido.IH.40          20130131

    The executable file containing the actual payload is, of course, buried in a subdirectory that might look more innocent on a Windows box, where RECYCLER is the hidden Recycle Bin folder and nobody pokes around inside it. It shouldn’t be there at all: Windows deletes files on removable media outright rather than recycling them, and a real SID begins with S-1-, so the “user” folder is a fake:
    /RECYCLER/S-5-3-42-2819952290-8240758988-879315005-3665/

    It sports a gibberish name with an extension borrowed from VMware configuration files, which is enough to slip past a really stupid malware detector that only looks at .exe files:
    jwgkvsq.vmx

    The 59 KB autorun.inf is a tell in its own right: a legitimate one is a few hundred bytes of plain text, and the bulk of this one is junk padding wrapped around the single line that launches the payload.

    Here’s what VirusTotal reports from some heavy hitters in the AV field:

    Antivirus          Result                      Update
    Kaspersky          Net-Worm.Win32.Kido.ih      20130131
    Kingsoft           Worm.Kido.ih.(kcloud)       20130131
    Malwarebytes       Worm.Conficker              20130131
    McAfee             W32/Conficker.worm          20130201
    McAfee-GW-Edition  W32/Conficker.worm          20130131
    Microsoft          Worm:Win32/Conficker.B      20130131

    The Wikipedia article gives the details. I suppose that PC got it from somebody else’s USB stick, but the library really should be running some defensive software; Conficker dates back to 2008, so it’s not new news these days. Two fixes from that era would have stopped this particular infection cold: the MS08-067 patch that closed the network hole Conficker uses to spread, and Microsoft’s 2011 AutoRun update, which stops Windows from honouring autorun.inf on USB sticks in the first place.
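    Here is a small triage script that checks a mounted stick for exactly the three indicators above: a root autorun.inf (with its launch line pulled out from under the junk padding and its size reported), anything sitting under RECYCLER/<SID>/ with a malformed SID, and SHA-256 hashes that can be pasted into a VirusTotal search instead of uploading the files. It is an added example, not code from the original post; the function names (triage, autorun_actions, build_sample_stick), the 4096-byte size threshold and the sample stick it builds are all mine. The sample copies the file names from the listing on this page, but its file contents are constructed for the demo and are inert.

```python
"""Triage a mounted USB stick for Conficker-style autorun indicators.

Added example, not the original post's code.  The directory layout it builds
for the demo copies the names in the blog's listing; every byte inside those
files is made-up test data.
"""
import hashlib
import os
import re
import tempfile

# [autorun] keys that Windows (XP era) acts on when the stick is inserted.
ACTION_KEYS = {b"open", b"shellexecute", b"action"}
LAUNCH_KEYS = ("open", "shellexecute")      # keys whose value is a path to run
# A legitimate autorun.inf is a few hundred bytes of text; this is a guess at
# a generous upper bound, anything bigger is almost certainly padded.
AUTORUN_SIZE_LIMIT = 4096
# Anything shaped like a SID: S-<revision>-<authority>-<subauthority>...
SID_LIKE = re.compile(r"^S-\d+(?:-\d+)+$")


def autorun_actions(data: bytes) -> dict:
    """Return {key: value} for autorun.inf action keys, ignoring junk padding.

    Windows' INI parser skips lines it cannot interpret, which is why padding
    the file with garbage hides the one line that matters from naive scanners.
    Scanning printable runs rather than "lines" recovers that line regardless.
    """
    found = {}
    for run in re.findall(rb"[\x20-\x7e]{3,}", data):
        m = re.match(rb"\s*(\w+)\s*=\s*(.+?)\s*$", run)
        if m and m.group(1).lower() in ACTION_KEYS:
            found[m.group(1).lower().decode()] = m.group(2).decode()
    return found


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, for a VirusTotal hash lookup."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(mount: str) -> list:
    """Walk the stick and return a list of finding dicts (empty = nothing seen)."""
    findings = []
    for root, _dirs, files in os.walk(mount):
        rel = os.path.relpath(root, mount)
        parts = [] if rel == "." else rel.split(os.sep)
        for name in files:
            path = os.path.join(root, name)
            if not parts and name.lower() == "autorun.inf":
                with open(path, "rb") as f:
                    actions = autorun_actions(f.read())
                size = os.path.getsize(path)
                # Resolve launch targets the way Windows does: relative to the drive root.
                present = {k: os.path.exists(os.path.join(mount, *v.split("\\")))
                           for k, v in actions.items() if k in LAUNCH_KEYS}
                findings.append({
                    "indicator": "padded autorun.inf" if size > AUTORUN_SIZE_LIMIT else "autorun.inf",
                    "path": path, "size": size, "actions": actions,
                    "target_present": present, "sha256": sha256_of(path)})
            elif len(parts) >= 2 and parts[0].upper() == "RECYCLER" and SID_LIKE.match(parts[1]):
                # Windows deletes outright on removable media, so a RECYCLER tree is
                # suspect by itself; a "SID" not starting with S-1- is a fake on top.
                findings.append({
                    "indicator": "recycler payload", "path": path,
                    "fake_sid": not parts[1].startswith("S-1-"),
                    "sha256": sha256_of(path)})
    return findings


def build_sample_stick() -> str:
    """Construct a throwaway directory mimicking the listing above (inert test data)."""
    mount = tempfile.mkdtemp(prefix="stick-")
    sid_dir = os.path.join(mount, "RECYCLER", "S-5-3-42-2819952290-8240758988-879315005-3665")
    os.makedirs(sid_dir)
    with open(os.path.join(sid_dir, "jwgkvsq.vmx"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 510)          # stand-in bytes, not the worm
    # Constructed autorun.inf: one real [autorun] section buried in non-printable
    # junk, padded out to roughly the 59 KB seen in the blog's listing.
    junk = bytes(range(1, 0x20)) * 64
    section = (b"[autorun]\r\nshellexecute=RECYCLER\\S-5-3-42-2819952290-8240758988-"
               b"879315005-3665\\jwgkvsq.vmx\r\n")
    with open(os.path.join(mount, "autorun.inf"), "wb") as f:
        f.write(junk * 20 + section + junk * 10)
    return mount


if __name__ == "__main__":
    for finding in triage(build_sample_stick()):
        print(finding)
```

    Point it at the real mount point (/media/$USER/… on Ubuntu 12.10) instead of the sample directory and it never executes anything from the stick; it only reads, so it is safe to run on an infected one from Linux. The hashes let you ask VirusTotal about the files without shipping a live worm anywhere.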

    That kind of Windows Genuine Advantage makes up for all the hassles of running Linux, right there. Mary reported the problem to the library; we’ll never know the rest of the story.

    [Update: We got an update!]