Important Reading

Discussion in 'Malware Help (A Specialist Will Reply)' started by MoneyMike, Jul 1, 2009.

  1. MoneyMike

    MoneyMike Private E-2

    I don't know if I'm posting this in the right place so if not I'm sure the mods will correct it. I think Chinese manufacturers are embedding trojans or other malware in their electronics. Not the major brands, I believe it is just the off and knock-off brands. I purchased a 4GB Pen style spycam from eBay a few days ago. When I attached the pencam to my USB port, I browsed the contents of the flash drive and noticed something peculiar. There were 2 normal folders named movie & image. However there were 2 hidden folders with the same name. The normal folders were 1.33MB in size each. The hidden folders were empty. When I looked inside the folders there was "nothing" in them. Strange. Not long afterward my firewall told me that 6DFF3B.EXE was trying to access the trusted zone. The destination IP address was my router. As I'm quite sure you know, the next question would have most likely been could 6DFF3B access the internet, but since I didn't let it access the trusted zone, it stopped there. So I used "Process Explorer" by Sysinternals to trace the exe file to its location. Of course it's in my system32 folder in a folder named D89211. The folder is 1.33MB in size and when I open the folder...wait for it...nothing is there!! Coincidence, I think not. Now I'm quite sure, given these filenames, that the manufacturers change the names of the files and folders with pretty much every device they build (if they don't then they're dumber than I thought).

    This paragraph is written a few hours later: I discovered that by un-hiding the OS files, I can see the 6DFF3B exe file in the D89211 folder. It has a "folder icon" embedded into it so it just looks like a benign folder. However it is an exe file. It's also a hidden file. Now hidden files & hidden OS files are 2 somewhat different things. By clicking "show hidden files and folders" in folder options, you don't actually make ALL files and folders visible. You just make it POSSIBLE to view all files and folders. The other setting is "hide protected OS files". That must be unchecked to view ALL files and folders. This mystery exe file was protected as an OS file. Now why would a file from a PenCam need to be so sneaky and install itself in my system32 folder? Did I mention every time I delete it, it pops back up when I reboot? Did I also mention that I didn't install drivers as it uses generic drivers already included in XP?

    I'm not looking for any help, I just wanted people to be aware of these potential threats. I'm not too upset about this because I planned on re-formatting and doing a fresh OS install before this even happened. But I figured not everybody is as anal about checking system processes as I am so I'm putting this out there. If there are any questions or if anyone wants to examine the exe file just let me know.

    Btw, I deleted the two 1.33MB folders and the pencam still works...hmmm. Be careful out there.
     
  2. Elder_Usr

    Elder_Usr Sergeant

    Hello MoneyMike, and Welcome to the forums.

    I am currently in the means of reviewing over your post.
     
  3. Elder_Usr

    Elder_Usr Sergeant

    Hello MoneyMike,

    Thank you very much for the interesting post. Unfortunately, this is not relatively new, and has been going on for quite some time. There has even been some software put out to prevent such things; AutoRun Eater and FlashDisinfector and others exist. So, what I would suggest is getting a copy of either, and scanning your flash drive. Thanks once again.
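The two things MoneyMike noticed by hand (an executable carrying a folder icon and the Hidden + System attributes, and a removable drive that auto-launches something) can be checked mechanically. The script below is an added example written for this thread; it is not code from either poster or from the AutoRun Eater / FlashDisinfector tools mentioned above. It walks a drive, ignores icons and extensions entirely, and instead flags any file whose first two bytes are the `MZ` header every Windows executable starts with when that file is hidden, carries the System attribute, or hides behind a non-executable name, plus any `autorun.inf`. The Hidden/System bits are read from `st_file_attributes` on Windows; on other platforms a leading dot stands in for "hidden" so the example still runs. The sample volume it builds is constructed for the demonstration, reusing the names from the post; none of its contents are real malware.

```python
import os
import stat
import tempfile

# Extensions under which a Windows PE image would normally be expected.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com", ".ocx", ".cpl"}


def is_pe_image(path):
    """True if the file starts with the 'MZ' DOS header that every Windows executable carries."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def hidden_and_system(path):
    """Return (hidden, system) flags for a file.

    On Windows both come from the NTFS/FAT attributes (os.stat exposes them as
    st_file_attributes). Elsewhere a leading dot is treated as 'hidden' and the
    System attribute simply does not exist.
    """
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or os.path.basename(path).startswith(".")
    system = bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM)
    return hidden, system


def scan_volume(root):
    """Walk `root` and return {relative_path: reason} for every file worth a second look."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower() == "autorun.inf":
                findings[rel] = "autorun.inf present"
                continue
            try:
                if not is_pe_image(full):
                    continue
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            reasons = []
            hidden, system = hidden_and_system(full)
            if hidden:
                reasons.append("hidden")
            if system:
                reasons.append("system attribute")
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE image without executable extension")
            if reasons:
                findings[rel] = ", ".join(reasons)
    return findings


def build_sample_volume():
    """Create a constructed directory tree shaped like the pen camera from the post.

    File names reuse the ones MoneyMike reported; the contents are made-up
    stand-ins (a bare MZ header, not a working program).
    """
    root = tempfile.mkdtemp(prefix="pencam_")
    os.makedirs(os.path.join(root, "movie"))
    os.makedirs(os.path.join(root, "image"))
    fake_pe = b"MZ" + b"\x00" * 62
    samples = {
        os.path.join("movie", "clip.avi"): b"RIFF\x00\x00\x00\x00AVI ",
        os.path.join("image", "photo.jpg"): b"\xff\xd8\xff\xe0",
        "autorun.inf": b"[autorun]\r\n",
        "D89211": fake_pe,        # executable named like a folder, no extension
        ".6DFF3B.EXE": fake_pe,   # hidden executable (dot prefix stands in for the attribute)
        "setup.exe": fake_pe,     # ordinary visible executable: should not be flagged
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


def demo():
    """Build the constructed volume and scan it; returns the findings dict."""
    return scan_volume(build_sample_volume())


if __name__ == "__main__":
    for rel, reason in sorted(demo().items()):
        print(f"{rel}: {reason}")
```

Run it against a real removable drive with `scan_volume("E:\\")` (or whatever letter the device mounts as). Reading the file header rather than trusting the extension or icon is the point: the folder icon MoneyMike describes is just a resource inside the executable, and "hide protected operating system files" only governs what Explorer shows, not what `os.stat` reports.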
     