Australia's Leading Computer Emergency Response Team

USB Malware
Date: 09 September 2011
Original URL:

Disclaimer: Due to the slight dramatisation that is about to occur I am going to refer to Joel (the one who actually did the attending and presenting) as "I" or "me" below. If you are not a fan of that, then have a read here.

Not too long ago (but exactly how long shall be kept secret to protect the innocent) I found myself presenting at a security related conference. In not untypical style they had a presentation laptop sitting on the podium waiting longingly for a presentation to display. Not wanting to be one to disappoint, I grabbed my trusty USB drive, and copied his presentation onto it.

As I was about the hand over my nice new clean USB drive containing a single file (presentation.pptx) I had a moment of hesitation. My memory went back to some interesting articles and images that I had seen. I quickly removed that thought from my mind, and got on with the pressing requirement of working up enough nervousness to allow a good level of hand shaking while presenting.

Fast forward approximately the amount of time that was not specified above, and I had reason to call upon my trusty flash drive once again. Upon inserting it I noticed not one, but four files and two folders! After a quick look, I knew something was wrong when I noticed that the USB drive had a "Drivers" folder and a "System.exe" file. Thankfully Ubuntu decided that it didn't like "System.exe" or "autorun.inf" and ignored them. Those files looked very much like some sort of malware to me, and a quick trip to VirusTotal confirmed it.

After wondering why everyone keeps calling their malware "Malware-gen", "Backdoor.Trojan" or "Generic", I saw a few "Wactier" names (thank you CAT-QuickHeal, Emsisoft, Ikarus, and Microsoft). Unfortunately the Encyclopedia entry didn't fill my need for answers - so I turned to Anubus for a nice quick "does it do anything interesting".

The short answer was not really :(
The longer answer was that it did a DNS lookup of "" (a No-IP subdomain), got "" in reply and then attempted some connections to TCP port 8765. It also added itself (or a copy in "C:\Documents and Settings\Administrator\Application Data\winlogon.exe") to autorun registry entries.

The USB drive has since been cleaned - hopefully the hot water won't corrode the metal connector.