Win32/Agent.ONB Trojan virus built into an mp3 player rom
GJ
Christmas.
When the MP3 Player is plugged into a USB port on our computer, it is
identified by Windows XP home as two devices :-
1) AMT_CDROM , a read only drive
2) MP3_PLAY, a drive which contains mp3 files to be played by the
player.
The AMT_CDROM drive contains some files which try to run as soon as the
player is plugged in using the Windows AUTORUN function. These files are in
a chip on the player and cannot be deleted.
These files are
autorun.inf
AMT.sn
start.exe
The result of this is that Windows tries to run the file "start.exe", and as
soon as this happens it is flagged by the anti-virus software (NODS32) as
containing the Win32/Agent.ONB Trojan virus
There are some references to this virus on the web, but nothing very useful
which I have found so far - the following has been translated from Italian
on a forum and relates a similar experience.
"Hello everyone I have a question to be asked: I bought an mp3 player
similar to your shuffle from china 2 gi
The problem is that if I connect off with usb cable to PC then turn fits ...
you see, it works and everything is ok ...
But if the spengo and then riaccendo tells me "device not recognized" and
then at the end asks me to reboot the PC.
But the main problem is that my view on the PC in addition to "removable
disk" also similar to a disc player that if I clicked on from the antivirus
(nod 32) recognize a file start.exe. "
"G: \ AMT.sn 'cabinet' BackupTool.exe - probably a variant of
Win32/PSW.Agent horse tr ** a"
the presence of a file infested by trojan.
The result is this: "G: \ start.exe - Win32/Agent.ONB horse tr ** a - error
while deleting - file is locked - error while deleting - file is locked -
error while deleting - file is blocked. "
of course I can not remove in any way .... this disc (AMT_CDROM) despite the
low level formatting does not delete them ... but still active ... I do is
safe to use? You can delete? "
I can't find any details on what the virus does, if it really exists, does.
Has anyone come across this before ? If there is a virus present, it seems
to be encoded into the rom chip on the mp3 player during it's manufacture.
I can't imagine the presence of the virus pattern is a coincidence because
the function of the start.exe must be fairly simple in this use .
Look forward to hearing of any similar incidents or anything else about this
one you can tell me.
Thanks,
GJ
David H. Lipman
| These files are
| autorun.inf
| AMT.sn
| start.exe
| Thanks,
| GJ
It is an AutoRun worm. If Eset doesn't provide technical information on what this AutoRun
worm does, you'll have to provide the EXE file to Virus Total to see who else recognizes
this threat and see if they have technical information on what this AutoRun does.
Please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition Virus
Total will provide the sample to all participating vendors.
You can also submit a suspect, one at a time, via the following email URL...
mailto:sc...@virustotal.com?subject=SCAN
When you get the report, please post back the exact results.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
matjaz....@gmail.com
repartition and reformat, but still opens a virtual cdrom with said
files... cheers M
GJ
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:l6KdnYY7Q6dHyMbU...@giganews.com...
nephew comes back to Melbourne.
Thanks,
GJ
kurt wismer
> My nephew was given a no-name mp3 player, which looks like a USB drive, for
> Christmas.
>
> When the MP3 Player is plugged into a USB port on our computer, it is
> identified by Windows XP home as two devices :-
>
>
>
> 1) AMT_CDROM , a read only drive
>
>
>
> 2) MP3_PLAY, a drive which contains mp3 files to be played by the
> player.
this sounds like a variation on the U3 technology that certain usb flash
drives (notably the sandisk cruzer) come with... the technology allows
certain usb devices to bypass normal windows limitations on usb flash
drives (ie. normally usb drives initiate autoplay instead of autorun) by
presenting windows with 2 devices - one of them a CD drive (which by
default initiates autorun rather than autoplay)...
> The AMT_CDROM drive contains some files which try to run as soon as the
> player is plugged in using the Windows AUTORUN function. These files are in
> a chip on the player and cannot be deleted.
i think you may find that it is possible to delete these files, or more
accurately it should be possible to overwrite the partition on which
virtual cd drive exists with a new ISO file containing whatever you like...
it will almost certainly require special software specific to the
technology involved but i was able to 'neuter' the U3 installer on the
sandisk cruzer i bought earlier this year using just such a method...
unfortunately i don't know the name of the technology that would give
you the AMT_CDROM drive - a U3 disk would show U3 as the name of the cd
drive...
--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
GJ
"Ernie B." <ebaresch_REMOVE_@_THIS_cox.net> wrote in message
news:MPG.23c5b564b...@news.cox.net...
> On Wed, 31 Dec 2008 16:36:17 -0500 kurt wismer wrote:
>
>> GJ wrote:
>> > My nephew was given a no-name mp3 player, which looks like a USB drive,
>> > for
>> > Christmas.
>> > 1) AMT_CDROM , a read only drive
>> >
>> >
>> >
>> > 2) MP3_PLAY, a drive which contains mp3 files to be played by
>> > the
>> > player.
>>
>> i think you may find that it is possible to delete these files, or more
>> accurately it should be possible to overwrite the partition on which
>> virtual cd drive exists with a new ISO file containing whatever you
>> like...
>>
>> it will almost certainly require special software specific to the
>> technology involved but i was able to 'neuter' the U3 installer on the
>> sandisk cruzer i bought earlier this year using just such a method...
>> unfortunately i don't know the name of the technology that would give
>> you the AMT_CDROM drive - a U3 disk would show U3 as the name of the cd
>> drive...
>>
> <http://gparted.sourceforge.net/livecd.php>. It should be possible to
> delete
> the partition in question and then expand the remaining partition to
> occupy
> the entire drive.
> --
> Ernie B.
>
> Communication: The art of moving an idea from one mind to another,
> hopefully
> without distortion.
I don't think this is the same as the U3 system, which is based on a
software start-up and it's easy to delete the U3 system software files(I've
done this on my 4Gb Sandisk Cruzer). The files involved here seem to be in
a rom in the device and they are ungettable at if you get my drift. The evil
partition seems to be set up by hardware and the files can't be deleted.
GJ
kurt wismer
> On Wed, 31 Dec 2008 16:36:17 -0500 kurt wismer wrote:
>> i think you may find that it is possible to delete these files, or more
>> accurately it should be possible to overwrite the partition on which
>> virtual cd drive exists with a new ISO file containing whatever you like...
>>
>> it will almost certainly require special software specific to the
>> technology involved but i was able to 'neuter' the U3 installer on the
>> sandisk cruzer i bought earlier this year using just such a method...
>> unfortunately i don't know the name of the technology that would give
>> you the AMT_CDROM drive - a U3 disk would show U3 as the name of the cd
>> drive...
>>
> <http://gparted.sourceforge.net/livecd.php>. It should be possible to delete
> the partition in question and then expand the remaining partition to occupy
> the entire drive.
these aren't the same as logical partitions on a single physical
drive... the device reports 2 physical drives, one a removable drive and
one a cd drive...
kurt wismer
[snip]
> I don't think this is the same as the U3 system, which is based on a
> software start-up and it's easy to delete the U3 system software files(I've
> done this on my 4Gb Sandisk Cruzer). The files involved here seem to be in
> a rom in the device and they are ungettable at if you get my drift. The evil
> partition seems to be set up by hardware and the files can't be deleted.
well, i don't know about your cruzer, but mine had files on the 'cd
drive' as well as on the normal usb drive... the ones on the 'cd drive'
were not editable in the normal way either - they were as read-only as
the contents of any CD in fact... but i was able to find software to
write a new ISO to that drive...
oh, and U3 is not purely software-based, the hardware itself has to be
different from a standard usb flash drive in order to report multiple
devices to windows... basically the hardware has to lie to your
computer, which is not a standard practice...
GJ
> these aren't the same as logical partitions on a single physical drive...
> the device reports 2 physical drives, one a removable drive and one a cd
> drive...
Yes, that's exactly what the mp3 player did.
Strangely I can't find this Win32/Agent.ONB virus listed anywhere in the
usual virus description libraries so I'm not sure how dangerous it is.
GJ
kurt wismer
i'm afraid there are far too many pieces of malware out there for them
to all have a description in an online database - and the family name
"agent" specifically is used for so many things that it is of little
help either... did you follow david's suggestion and submit it to
virustotal.com? i've tried running "agent.onb" through vgrep to find
what other scanners might call it but there were not results returned...
what david said is almost certainly true, it's an autorun worm, but any
additional capabilities it might have depends very much on getting a
description for that specific variant...
if the search for a description is fruitless you may have to assume the
worst (ie. stealth, password stealing, etc)...
another thing you *could* try, however, is to contact the company that
makes your scanner and ask if it's a false alarm or not (you'll probably
have to send them a copy of the file)... they should be able to clear up
some of your other questions too...
Oco
Your mp3 player looks like this? http://www.unibit.com.cn/English/products_show.asp?id=323
If so, try to update firmware/iso with the tool provided in download
section. There are several models in that page. Good luck
pjdura
I had the same problem, but with the Trojan.Horse.PSW.Agent.YOM using
AVG 8.
And I SOLVED that, configuring my mp3 player to not auto music
transfer:
1) Press the Mp3 player configuration button to enter the configuration
Menu,
2) then choose the option: Sys
( It is the 5th option to the right: Msc, Rec, Voi, Fm, SYS, txt, tel )
3) Inside Sys configuration menu:, choose: Auto Music Transfer
( it is the 8th option to the righ: Record quality, Backlight time,
Color, Power Off, Replay set, Contrast, Languaje, AUTO MUSIC TRANSFER,
Memory info, Edition, Default, Exit )
4) Inside Auto Music Transfer: choose No ( close or disabled )
And after that, the next time you plug your mp3 player, you will not
see the AMT_CDROM again.
Hope that this would be usefull.
--
pjdura
------------------------------------------------------------------------
pjdura's Profile: http://forums.techarena.in/members/pjdura.htm
View this thread: http://forums.techarena.in/antivirus-software/1095733.htm
aimie077
Hello!
I have the same problem, tried An USB vaccine and what you said, but i
simply don't have this 'configuration' on my mp3 here so i couldnt make
it through and the plus driver, with the Trojan does not let me open
files and send them to the mp3 player,
could you pls help me?
thanx in advance
--
aimie077
------------------------------------------------------------------------
aimie077's Profile: http://forums.techarena.in/members/96530.htm
1PW
> Hello!
> I have the same problem, tried An USB vaccine and what you said, but i
> it through and the plus driver, with the Trojan does not let me open
> files and send them to the mp3 player,
> could you pls help me?
>
> thanx in advance
Hello Aimie:
The problem with "stealing" the thread from GJ is that the focus can
change to you without a proper solution for GJ.
After reading this, please start a thread of your very own stating the
exact circumstances you believe you have this malware presently in your
system. Please include the exact details of your OS and antimalware
application that reported it and the full pathname to the infection.
Please don't leave out the "small" details
Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
cgosh
Pjdura's fix worked for me.
It's not a virus, it's a feature that behaves like a virus might (tries
to make things happen in your PC). I flipped the switch shown in the 3rd
box above this one -- thanks, much pjdura.
Before, I got 2 new drive letters when I connected up. F: had the same
3 files GJ listed, and G: was my music, voice recordings, etc. (and the
PDF user manual - pretty slick). Now I only get a G: drive. Disabling
the 'system' feature makes my oversize postage-stamp-looking iVO-Sound
m220 4G MP3 player ($20 at Micro Center) a simple USB device, not a
complicated one.
Before making the switch, I got a popup asking if I wanted WinAmp to
control the music on my 'new' CD-ROM drive (Auto M*u*s*i*c Transfer
never seemed to work, but it did spawn a nasty trojan message) and then
a second popup with a Windows Explorer option (and a variety of other
choices). Now I just get the second popup. The faux CD is gone, and I
only see the jumpdrive partition. I don't care. I don't get any more
trojan virus scary popups, either. (FWIW, trojans are a completely
different breed of pest, and no product finds even most of them. Nearly
all antivirus products catch and try to kill essentially every virus, as
long as you let them update every day. Windows Update should be on auto
or handled properly.)
The reason I can't find any more info on psw.Agent.YOM is because it's
not harmful, it's not really a trojan; it's just an action that's
recognized by Avast! antivirus (free version) as hooking into my PC. I'm
being alerted to potentially dangerous activity, but I understand that
it's harmless. Now it's "gone."
And, frankly, I don't think I follow aimie077's issue at all. I don't
understand how this feature could cause a file write failure to the
drive.
Unless that issue is different from mine, I'm going with 'reboot' on
this one . . .
--
cgosh
------------------------------------------------------------------------
cgosh's Profile: http://forums.techarena.in/members/97639.htm
aloysiao...@yahoo.com
David H. Lipman
Either the infector is a virus or a trojan but there is no such thing as a
"trojan horse virus" albeit a trojan can be infected by a virus such as a
CyberGate RAT being infected with Parite or Sality.
--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
Hot-Text
and The World Is Flat Too........
David H. Lipman
> There is no such thing as a Computer,
> and The World Is Flat Too........
Hot-Text
> From: "Hot-Text" <hot-...@news.mixmin.net>
>>> From: <aloysiao...@yahoo.com>
>>>
>>>> On Tuesday, December 30, 2008 10:25:02 PM UTC-5, GJ wrote:
>>>>
>>>> I have a RCA Mp3, and a Craig Mp3 and they both do the same thing. I hook
>>>> it up, and then
>>>> it tells me that a threat has been detected, and it tells me it's the
>>>> trojan horse virus.
>>>> I have done a little bit of research on this, and it tells me that a
>>>> trojan horse virus,
>>>> can be put on your computer by online games and other online things. It
>>>> says that the
>>>> trojan horse virus allows hackers into your computer, and they can hack
>>>> your
>>>> system...that's all I know.
>>>
>>> You are answering a 4 year old post.
>>>
>>> Either the infector is a virus or a trojan but there is no such thing as a
>>> "trojan horse virus" albeit a trojan can be infected by a virus such as a
>>> CyberGate RAT being infected with Parite or Sality.
>>>
>> and The World Is Flat Too........
>
> In your mind I presume you to believe both are true.
>
and get a Virus for your Computer,
This is both and truly a Trojan Virus..
A Trojan is a Trojan,
A Virus is a Virus,
But a Trojan Virus start,
With a Trojan and End With a Virus..
If you stop the Trojan of the Trojan Virus,
it will not get a Virus for your Computer,
But if the Trojan go uncheck,
it will put a Virus on your Computer
So open your eye's,
and see the two parks of the Package,
A Trojan Virus is,
Park One A Computer Trojan..
Pack Two Online Virus...
But hackers are here at alt.comp.anti-virus,
who will say a Trojan Virus is not a Virus,
For hackers will lie, and will Not Tell The True.....
David H. Lipman
> As to Trojan who able to go online, and get a Virus for your Computer,
> This is both and truly a Trojan Virus..
trojan downloader and does not make that downloader virus.
>
> A Trojan is a Trojan,
> A Virus is a Virus,
> But a Trojan Virus start, With a Trojan and End With a Virus..
part of the definition which separates the subclass of malware called
trojans and the subclass of malware called viruses.
>
> If you stop the Trojan of the Trojan Virus,
> it will not get a Virus for your Computer,
> But if the Trojan go uncheck, it will put a Virus on
> your Computer
>
> So open your eye's, and see the two parks of the Package,
> A Trojan Virus is,
> Park One A Computer Trojan..
> Pack Two Online Virus...
> But hackers are here at alt.comp.anti-virus,
> who will
> say a Trojan Virus is not a Virus,
> For hackers will lie, and will Not Tell The True.....
to educate yourself!
Hot-Text
>
>> As to Trojan who able to go online, and get a Virus for your Computer,
>> This is both and truly a Trojan Virus..
>
> A trojan that that downloads other files, virus or otherwise, remains a
> trojan downloader and does not make that downloader virus.
>
Yes it will remains a Trojan and the Game will remains Game..
Removing the Trojan will not remove the Game,
nor Removing The Game will remove the Trojan,
For they became independent from or independent of oneself..
Same with a Trojan-Virus..
>>
>> A Trojan is a Trojan,
>> A Virus is a Virus,
>> But a Trojan Virus start, With a Trojan and End With a Virus..
>
> That is NOT a foregone conclusion and is not a defacto condition nor any
> part of the definition which separates the subclass of malware called
> trojans and the subclass of malware called viruses.
>
1+2=3
is not the two definition = a new definition
The same as for Trojan + Virus = Trojan Virus..
>>
>> If you stop the Trojan of the Trojan Virus,
>> it will not get a Virus for your Computer,
>> But if the Trojan go uncheck, it will put a Virus on
>> your Computer
>
> That makes no sense and are writing riddles.
>
>>
>> So open your eye's, and see the two parks of the Package,
>> A Trojan Virus is,
>> Park One A Computer Trojan..
>> Pack Two Online Virus...
>> But hackers are here at alt.comp.anti-virus,
>> who will
>> say a Trojan Virus is not a Virus,
>> For hackers will lie, and will Not Tell The True.....
>
> You are misguided and misunderstand the subject matter. I strongly urge you
> to educate yourself!
>
>
Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom
Norton Support
Think you have a virus?
You're in the right place.
Norton Power Eraser
Free Download
Eliminates deeply embedded
and difficult to remove crime-ware
that traditional virus scanning doesn't always detect.
If you have become the victim of crime-ware that
regular virus scans can't detect,
use the Norton Power Eraser to target and eliminate them.
< http://us.norton.com/support/DIY/?virusremoval >
David H. Lipman
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> news:vbednTFAH_tjrbjN...@giganews.com...
>> From: "Hot-Text" <hot-...@news.mixmin.net>
>>
>>> As to Trojan who able to go online, and get a Virus for your Computer,
>>> This is both and truly a Trojan Virus..
>>
>> A trojan that that downloads other files, virus or otherwise, remains a
>> trojan downloader and does not make that downloader virus.
>>
> For the Trojan download a Game it is a Trojan-Game,
> Yes it will remains a Trojan and the Game will remains Game..
> Removing the Trojan will not remove the Game, nor Removing The Game will
> remove the Trojan,
> For they became independent from or independent of oneself..
> Same with a Trojan-Virus..
>>> A Trojan is a Trojan,
>>> A Virus is a Virus,
>>> But a Trojan Virus start, With a Trojan and End With a Virus..
>>
>> That is NOT a foregone conclusion and is not a defacto condition nor any
>> part of the definition which separates the subclass of malware called
>> trojans and the subclass of malware called viruses.
>>
> Why do you separates the to two definition,
> 1+2=3
> is not the two definition = a new definition
> The same as for Trojan + Virus = Trojan Virus..
automobiles but are calssed differently based upon their manuafacturer.
There is no Ford Chrysler like there is no trojan virus.
The taxonomy of malware can be made into further subclasses like an
automobile; Wagon, Coupe, Truck, Sedan, etc.
There are subclasses of trojans anbd there are subclasses of viruses.
>
>>> If you stop the Trojan of the Trojan Virus,
>>> it will not get a
> Virus for your Computer,
>>> But if the Trojan go uncheck, it will put a
> Virus on
>>> your Computer
>>
>> That makes no sense and are writing
> riddles.
>>
> No riddles but the true....
>
educate you in an area you having trouble grasping like a grade schooler has
trouble grasping trigonmentry or algebra.
More utter nonesense and shows a lack of understanding the subject matter!
Hot-Text
classed differently based upon their manufacturer thereof..
Like that of a The Ford Explorer Sport Trac,
also known just as the Ford Sport Trac,
is a mid-size sport utility vehicle,
is not a Ford Explorer that is a sport-utility vehicle,
Ford Sport Trac and Ford Explorer are sport-utility vehicle but not the same as..
So is it with a Trojan and a Trojan-Virus..
> The taxonomy of malware can be made into further subclasses like an
> automobile; Wagon, Coupe, Truck, Sedan, etc.
>
> There are subclasses of trojans anbd there are subclasses of viruses.
>
>>
>>>> If you stop the Trojan of the Trojan Virus,
>>>> it will not get a
>> Virus for your Computer,
>>>> But if the Trojan go uncheck, it will put a
>> Virus on
>>>> your Computer
>>>
>>> That makes no sense and are writing
>> riddles.
>>>
>> No riddles but the true....
>>
>
> Still not making any sense and I am not going to waste my time trying to
> educate you in an area you having trouble grasping like a grade schooler has
> trouble grasping trigonmentry or algebra.
>
and the time you wasted was the time you have been out of school..
Win32/Agent.ONB
is a Trojan that get a virus,
from online to built file into an mp3 player Rom..
FromTheRafters
his other chores.
BTW, "trojan horse virus" is a misnomer. Sure, even the so-called
industry experts use the term, but they're wrong to do so.
Hot-Text
Hackers call this Man in Trojan Horse,
and Industry only see one side.... No Trojan-Virus
It allows hack into a computer,
and get a virus to hide the hacks to a computer..
If you remove the Trojan first,
the virus rewrites Trojan in the computer system,
and if you remove the virus first,
the Trojan get a virus number 2,
remove virus number 2,
the Trojan get a virus number 3.
It will keep opening Gateways [PORT] and like port:80
until it get the right virus by numbers,
that your anti-virus know not and unable to remove,
for the Trojan job is to keep the virus working,
not Hacks..
For the Trojan have a list of IP to number's of viruses,
Like(viruse1.sys, viruses2.sys, viruse3.sys, exc,exc,exc...)
FromTheRafters
a very important distinction to make. Sure, to the average Joe hacker
it might not be important and in casual dinner conversation nobody
really gives a shit.
> It allows hack into a computer,
> and get a virus to hide the hacks to a computer..
it only matters what *it* itself does. Classifying the other things it
brings later is a matter for when those programs are classified
(keylogger, virus, worm, backdoor, rootkit, appkiller etc...).
Initially, a trojan is just a program that does something (usually
undesired) other than or in addition to some thought to be desireable
function - and yes, viruses can be included generally under this
definition.
Generalities aren't helpful, so it becomes more important that you
separate self-replicators from non self-replicators since they present
such different obstacles to removal. Also it matters whether or not
'infection' is part of the self-replication process - this is why worms
are a different class from viruses.
One way to look at it is:
It's a trojan ... unless it self-replicates in which case it is a worm
or virus and no longer just a trojan. Follow this idea backward and you
get "trojans don't replicate". This is not the only taxonomy out there
as I suggested already in another post.
> If you remove the Trojan first, the virus rewrites Trojan in the computer
> system,
> and if you remove the virus first, the Trojan get a virus number 2,
> remove virus number 2,
> the Trojan get a virus number 3.
to be talking about a guardian program that re-writes a trojan if it
finds it missing - this is *not* self-replication - and it is ancillary
to the trojan being discussed - possibly associated malware.
[...]
Hot-Text
you right you know
FromTheRafters
http://www.swansontec.com/sregisters.html
James E. Morrow
and viruses. Sadly we are defenseless against trolls.
--
James E. Morrow
Email to: jamese...@email.com
Hot-Text
you do know that why you see;;
; for 16-bit app support
in Win.ini and system.ini
As the another subject move to a newer format,
You may find this interesting
< https://dev.windowsphone.com//en-us >
< http://msdn.microsoft.com/en-us/library/ff431744.aspx >