Glad you found that - saved me some typing ;)

And yes, there are thumb drives available that emulate CD-ROM drives, thus allowing potential "autorun" code to be executed upon insertion of a USB thumb (that sounds kind of kinky, actually). But even if someone has left "autorun" on for CD drives, the interactive user would have to be an administrator for any rootkit or such to load successfully. Note that in Vista, the user has much greater granular control over autorun actions for a variety of devices via the AutoPlay control panel application.

So to answer the OP's question, yes, technically a thumb drive can automatically execute code on a target upon insertion. But in this case, I doubt that really happened, as all the machines the vendor had been using with the drive would most likely be exhibiting the same behavior. Also, the high number of unrelated symptoms is not indicative of a single rootkit (from what I've seen) - I mean, from the .pst file being gone to having a new toolbar, to IE not working to no utilities picking anything up makes me think someone went out of their way to fubar that box... Just me, though...

t

On 12/13/06 4:02 PM, "Murda Mcloud" <[EMAIL PROTECTED]> spoketh to all:

> Just found this to do with U3 technology- I wonder if that could have
> something to do with the problems?
>
> http://www.sandisk.com/Retail/Default.aspx?CatID=1450#Q5
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, December 13, 2006 9:05 AM
> To: [email protected]
> Subject: strange new virus
>
> VAR in Honolulu has a previously squeaky clean XP system now infected with
> something strange:
>
> Symptom list:
> 1) All desktop icons disappeared
> 2) When recreated by hand, some days later they all were rendered
> un-runnable because they had all been renamed with an additional .lnk
> suffix.
> 3) On every boot, after the XP splash screen, but before User Login (2
> profiles), there is a 4" x 5" screen with an Exit and an OK button. The
> screen shows a black background which overlays the XP blue login screen; it
> looks like a VB screen. The name in the top bar changes on every boot, such
> as c:\windows\system32\mup.sys, or i20mgr.sys, etc. This full file name is
> preceded by usually 8 small box characters. Inside the white body of the
> screen there are a few special characters: [\} and a character that looks
> like an inverse equal sign, standing vertically.
> 4) CTRL-ALT-DEL at this point shows you flashes of blue underneath
> 5) The Outlook .PST file is missing
> 6) My antivirus and all other SYSTRAY items are gone
> 7) IE6 or IE7 won't connect to home page, instead Internet Properties opens
> on the General Tab
> 8) Trend Micro PC-Cillin 2006 sees nothing, same with their Housecall and
> WinSIC, or SYSCLEAN utilities.
> 9) MS RootkitRevealer finds nothing.
>
> Infection route: while it could have been web browsing, or email, I really
> think it came from an odd incident when a client came in with CAD files to
> print on a thumb drive. Trend says thumbdrives don't infect PCs, though I've
> looked at the U3.com software available for a SanDisk Cruzer (and several
> other makes) and it seems like there's a CPU in it, because you can scan a
> new PC for viruses using Avast from the thumb drive.
>
> At one point they sent me a tool to fix the associations with applications,
> so that now Start Programs run most apps.
>
> However, I've lost my email. This case has been open at Trend for more than
> a month, and now they are telling me it is not a virus and don't worry.
>
> Not only that, when I call Trend Tech support, they hang up on me
> repeatedly, or put my call back in the queue, or promise to work the next
> day with me, and then don't. They want me to go away, but I think this is a
> serious threat.
>
> CAN a thumbdrive infect a system?
> Has anyone seen anything like this, or know how to respond to it and recover
> my email (besides backup)?
>
> Thanks for any leads.
>
> That can't be correct, is it?
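An added example, not part of the original thread: whether "autorun" has been left on for CD drives, the condition the reply above describes for CD-ROM-emulating thumb drives, can be audited by decoding the `NoDriveTypeAutoRun` policy value under `Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`. The XP default of `0x91` used when the value is absent is an assumption of this sketch, and the host names and values in the sample are constructed.

```python
# Added example: decode the NoDriveTypeAutoRun bitmask exported from a host.
# A SET bit DISABLES AutoRun for that drive type; only the low byte is used.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no_root_dir",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "reserved",
}
XP_DEFAULT = 0x91   # assumption: value Windows XP applies when none is set
ALL_DISABLED = 0xFF  # every drive type has AutoRun turned off


def effective_mask(hklm=None, hkcu=None, default=XP_DEFAULT):
    """Return the mask in force: HKLM overrides HKCU, else the OS default."""
    for value in (hklm, hkcu):
        if value is not None:
            return value & 0xFF
    return default


def autorun_enabled_types(mask):
    """Drive types whose disable bit is clear, i.e. AutoRun still allowed."""
    return sorted(n for bit, n in DRIVE_TYPE_BITS.items() if not mask & bit)


def audit(hklm=None, hkcu=None):
    """Summarise one host; flags the CD-ROM case that U3-style drives rely on."""
    mask = effective_mask(hklm, hkcu)
    enabled = autorun_enabled_types(mask)
    return {
        "mask": hex(mask),
        "enabled": enabled,
        "cdrom_autorun": "cdrom" in enabled,
        "hardened": mask == ALL_DISABLED,
    }


if __name__ == "__main__":
    # Constructed inventory: (host, HKLM value, HKCU value); None = not set.
    hosts = [("xp-default", None, None),
             ("cd-blocked", None, 0xB5),
             ("locked-down", 0xFF, 0x91)]
    for name, hklm, hkcu in hosts:
        print(name, audit(hklm, hkcu))
```

A host reporting `cdrom_autorun: True` treats a thumb drive's emulated CD-ROM partition like an inserted disc; setting the value to `0xFF` in HKLM closes that path for every drive type.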
