Malware from MP3 player

L

Lauren

My apologies if this is the wrong group. I recently bought a Lasonic
MP-02GY MP3 player from Fry's and have found it loads a program called
jjjha.exe which appears to be sending information whenever a google search
is done to a website in China. The device has an autorun inf which changes
the right click menu for the drive and runs an exe on the root of the
device. It loads a fake svchost file into Windows/inf and sets an autorun
key. The svchost then loads and reloads the jjjha.exe which monitors the
browser. Once you stop the svchost process it is not to bad to remove
everything. I don't know where something like this should be reported.

Thanks
Lauren
 
D

David H. Lipman

From: "Lauren" <blah@blahblah.blah>

| My apologies if this is the wrong group. I recently bought a Lasonic
| MP-02GY MP3 player from Fry's and have found it loads a program called
| jjjha.exe which appears to be sending information whenever a google search
| is done to a website in China. The device has an autorun inf which changes
| the right click menu for the drive and runs an exe on the root of the
| device. It loads a fake svchost file into Windows/inf and sets an autorun
| key. The svchost then loads and reloads the jjjha.exe which monitors the
| browser. Once you stop the svchost process it is not to bad to remove
| everything. I don't know where something like this should be reported.
|
| Thanks
| Lauren
|

Before it can be reported, jjjha.exe *must* be intentified. Then once it is identified as
malware you should file a formal complaint with Fry's as well as the Attorney General of
your state.

The following is how you should go about identifying the file...


Please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results and use the report as proof of
the malware infection.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
M

Milo (MSPSS)

you can submit a copy of such here

http://support.microsoft.com/kb/921161/en-us

--
Milo
MSPSS


"Lauren" wrote:

> My apologies if this is the wrong group. I recently bought a Lasonic
> MP-02GY MP3 player from Fry's and have found it loads a program called
> jjjha.exe which appears to be sending information whenever a google search
> is done to a website in China. The device has an autorun inf which changes
> the right click menu for the drive and runs an exe on the root of the
> device. It loads a fake svchost file into Windows/inf and sets an autorun
> key. The svchost then loads and reloads the jjjha.exe which monitors the
> browser. Once you stop the svchost process it is not to bad to remove
> everything. I don't know where something like this should be reported.
>
> Thanks
> Lauren
>
>
>
 
S

Sharon Franks

Google blocks certain Chinese websites and censors others, perhaps since
this is an MP3 player that software may aid in the censoring.


--

Sharon Franks
MCC group
Microsoft Certified Solutions Developer (MCSD)
Microsoft Certified Trainer (MCT).



"Lauren" <blah@blahblah.blah> wrote in message
news:e173$IzwHHA.1168@TK2MSFTNGP02.phx.gbl...
> My apologies if this is the wrong group. I recently bought a Lasonic
> MP-02GY MP3 player from Fry's and have found it loads a program called
> jjjha.exe which appears to be sending information whenever a google search
> is done to a website in China. The device has an autorun inf which
> changes the right click menu for the drive and runs an exe on the root of
> the device. It loads a fake svchost file into Windows/inf and sets an
> autorun key. The svchost then loads and reloads the jjjha.exe which
> monitors the browser. Once you stop the svchost process it is not to bad
> to remove everything. I don't know where something like this should be
> reported.
>
> Thanks
> Lauren
>
 
L

Lauren

Heres the results for the svchost file :


Antivirus



Version



Update



Result
AhnLab-V3 2007.7.11.1 07.11.2007 no virus found
AntiVir 7.4.0.39 07.10.2007 TR/VB.Yongfu
Authentium 4.93.8 07.10.2007 no virus found
Avast 4.7.997.0 07.11.2007 no virus found
AVG 7.5.0.476 07.10.2007 Worm/Delf.CRQ
BitDefender 7.2 07.11.2007 no virus found
CAT-QuickHeal 9.00 07.10.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 07.11.2007 no virus found
DrWeb 4.33 07.11.2007 no virus found
eSafe 7.0.15.0 07.10.2007 suspicious Trojan/Worm
eTrust-Vet 30.8.3778 07.10.2007 no virus found
Ewido 4.0 07.10.2007 no virus found
FileAdvisor 1 07.11.2007 no virus found
Fortinet 2.91.0.0 07.11.2007 VBWorm.C
F-Prot 4.3.2.48 07.10.2007 no virus found
Ikarus T3.1.1.8 07.11.2007 Win32.SuspectCrc
Kaspersky 4.0.2.24 07.11.2007 Virus.Win32.AutoRun.cy
McAfee 5071 07.10.2007 no virus found
Microsoft 1.2704 07.11.2007 TrojanDownloader:Win32/Banload.DC
NOD32v2 2390 07.10.2007 no virus found
Norman 5.80.02 07.10.2007 no virus found
Panda 9.0.0.4 07.11.2007 Adware/SearchExplorer
Sophos 4.19.0 07.06.2007 Mal/VBWorm-C
Sunbelt 2.2.907.0 07.11.2007 no virus found
Symantec 10 07.11.2007 W32.SillyFDC
TheHacker 6.1.6.144 07.09.2007 no virus found
VBA32 3.12.0.2 07.10.2007 no virus found
VirusBuster 4.3.23:9 07.10.2007 no virus found
Webwasher-Gateway 6.0.1 07.11.2007 Trojan.VB.Yongfu


Aditional Information
File size: 15872 bytes
MD5: 103bd3254c4aa8786ed1545261238d8f
SHA1: d08d7572b4a471216fa92967180887f995831a6a
packers: UPX
packers: UPX
packers: UPX

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:uHNN3NzwHHA.2040@TK2MSFTNGP03.phx.gbl...
> From: "Lauren" <blah@blahblah.blah>
>
> | My apologies if this is the wrong group. I recently bought a Lasonic
> | MP-02GY MP3 player from Fry's and have found it loads a program called
> | jjjha.exe which appears to be sending information whenever a google
> search
> | is done to a website in China. The device has an autorun inf which
> changes
> | the right click menu for the drive and runs an exe on the root of the
> | device. It loads a fake svchost file into Windows/inf and sets an
> autorun
> | key. The svchost then loads and reloads the jjjha.exe which monitors
> the
> | browser. Once you stop the svchost process it is not to bad to remove
> | everything. I don't know where something like this should be reported.
> |
> | Thanks
> | Lauren
> |
>
> Before it can be reported, jjjha.exe *must* be intentified. Then once it
> is identified as
> malware you should file a formal complaint with Fry's as well as the
> Attorney General of
> your state.
>
> The following is how you should go about identifying the file...
>
>
> Please submit a sample to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendor's
> scanners.
> That will give you an idea what it is and who recognizes it. In addition,
> unless told
> otherwise, Virus Total will provide the sample to all participating
> vendors.
>
> You can also submit a suspect, one at a time, via the following email
> URL...
> mailto:scan@virustotal.com?subject=SCAN
>
> When you get the report, please post back the exact results and use the
> report as proof of
> the malware infection.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
 
L

Lauren

Here are the results for the second file which had renamed itself.


Antivirus Version Update Result
AhnLab-V3 2007.7.11.1 07.11.2007 no virus found
AntiVir 7.4.0.39 07.10.2007 TR/VB.Yongfu
Authentium 4.93.8 07.10.2007 no virus found
Avast 4.7.997.0 07.11.2007 no virus found
AVG 7.5.0.476 07.10.2007 Worm/Delf.CRQ
BitDefender 7.2 07.11.2007 no virus found
CAT-QuickHeal 9.00 07.10.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 07.11.2007 no virus found
DrWeb 4.33 07.11.2007 no virus found
eSafe 7.0.15.0 07.10.2007 suspicious Trojan/Worm
eTrust-Vet 30.8.3778 07.10.2007 no virus found
Ewido 4.0 07.10.2007 no virus found
FileAdvisor 1 07.11.2007 no virus found
Fortinet 2.91.0.0 07.11.2007 VBWorm.C
F-Prot 4.3.2.48 07.10.2007 no virus found
Ikarus T3.1.1.8 07.11.2007 Win32.SuspectCrc
Kaspersky 4.0.2.24 07.11.2007 Virus.Win32.AutoRun.cy
McAfee 5071 07.10.2007 no virus found
Microsoft 1.2704 07.11.2007 TrojanDownloader:Win32/Banload.DC
NOD32v2 2390 07.10.2007 no virus found
Norman 5.80.02 07.10.2007 no virus found
Panda 9.0.0.4 07.11.2007 Adware/SearchExplorer
Sophos 4.19.0 07.06.2007 Mal/VBWorm-C
Sunbelt 2.2.907.0 07.11.2007 no virus found
Symantec 10 07.11.2007 W32.SillyFDC
TheHacker 6.1.6.144 07.09.2007 no virus found
VBA32 3.12.0.2 07.10.2007 no virus found
VirusBuster 4.3.23:9 07.10.2007 no virus found
Webwasher-Gateway 6.0.1 07.11.2007 Trojan.VB.Yongfu


Aditional Information
File size: 15872 bytes
MD5: 103bd3254c4aa8786ed1545261238d8f
SHA1: d08d7572b4a471216fa92967180887f995831a6a
packers: UPX
packers: UPX
packers: UPX



"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:uHNN3NzwHHA.2040@TK2MSFTNGP03.phx.gbl...
> From: "Lauren" <blah@blahblah.blah>
>
> | My apologies if this is the wrong group. I recently bought a Lasonic
> | MP-02GY MP3 player from Fry's and have found it loads a program called
> | jjjha.exe which appears to be sending information whenever a google
> search
> | is done to a website in China. The device has an autorun inf which
> changes
> | the right click menu for the drive and runs an exe on the root of the
> | device. It loads a fake svchost file into Windows/inf and sets an
> autorun
> | key. The svchost then loads and reloads the jjjha.exe which monitors
> the
> | browser. Once you stop the svchost process it is not to bad to remove
> | everything. I don't know where something like this should be reported.
> |
> | Thanks
> | Lauren
> |
>
> Before it can be reported, jjjha.exe *must* be intentified. Then once it
> is identified as
> malware you should file a formal complaint with Fry's as well as the
> Attorney General of
> your state.
>
> The following is how you should go about identifying the file...
>
>
> Please submit a sample to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendor's
> scanners.
> That will give you an idea what it is and who recognizes it. In addition,
> unless told
> otherwise, Virus Total will provide the sample to all participating
> vendors.
>
> You can also submit a suspect, one at a time, via the following email
> URL...
> mailto:scan@virustotal.com?subject=SCAN
>
> When you get the report, please post back the exact results and use the
> report as proof of
> the malware infection.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
 
L

Lauren

Thanks for the tip. I submitted the files.


"Milo (MSPSS)" <v-4jpaca@mssupport.microsoft.com> wrote in message
news:5AAB12C8-EC68-4D20-8419-F03974D080A2@microsoft.com...
> you can submit a copy of such here
>
> http://support.microsoft.com/kb/921161/en-us
>
> --
> Milo
> MSPSS
>
>
> "Lauren" wrote:
>
>> My apologies if this is the wrong group. I recently bought a Lasonic
>> MP-02GY MP3 player from Fry's and have found it loads a program called
>> jjjha.exe which appears to be sending information whenever a google
>> search
>> is done to a website in China. The device has an autorun inf which
>> changes
>> the right click menu for the drive and runs an exe on the root of the
>> device. It loads a fake svchost file into Windows/inf and sets an
>> autorun
>> key. The svchost then loads and reloads the jjjha.exe which monitors the
>> browser. Once you stop the svchost process it is not to bad to remove
>> everything. I don't know where something like this should be reported.
>>
>> Thanks
>> Lauren
>>
>>
>>
 
J

jesburgers

"Lauren" wrote:

> My apologies if this is the wrong group. I recently bought a Lasonic
> MP-02GY MP3 player from Fry's and have found it loads a program called
> jjjha.exe which appears to be sending information whenever a google search
> is done to a website in China. The device has an autorun inf which changes
> the right click menu for the drive and runs an exe on the root of the
> device. It loads a fake svchost file into Windows/inf and sets an autorun
> key. The svchost then loads and reloads the jjjha.exe which monitors the
> browser. Once you stop the svchost process it is not to bad to remove
> everything. I don't know where something like this should be reported.
>
> Thanks
> Lauren
>
>
>
 
J

jesburgers

> Hi,
same experience when I bought a mp3-player via ebay (1 GB mp3 player
shuffle). The program "icygddkg.exe" contains the malware trojan TR/VB.Yongfu.


My antivirus program ANTIVIR did recognize and killed it. Anyway this lousy
chinese programm did read my outlook adressbook. Short time afterwards a lot
of chinese spam emails occured to my partners.

My Advice: By the original products.
 
L

Lauren

I bought mine from Fry's, a well known outlet.
Lauren
"jesburgers" <jesburgers@discussions.microsoft.com> wrote in message
news:64D19409-756D-49E8-8032-AE4276B9FF67@microsoft.com...
>> Hi,
> same experience when I bought a mp3-player via ebay (1 GB mp3 player
> shuffle). The program "icygddkg.exe" contains the malware trojan
> TR/VB.Yongfu.
>
>
> My antivirus program ANTIVIR did recognize and killed it. Anyway this
> lousy
> chinese programm did read my outlook adressbook. Short time afterwards a
> lot
> of chinese spam emails occured to my partners.
>
> My Advice: By the original products.
 
You must log in or register to reply here.

Similar threads

D
Agptek Mp3 player wont play any music files on my SD card
Replies
0
Views
22
Dee _025
D
B
Computer continues opening an mp3 player on startup, and reopens it after I close it, interupting work.
Replies
0
Views
110
Brody Cannon
B
D
Windows Media Player is burning my MP3 music files as .CDA files.
Replies
0
Views
157
downwindpete
D
M
Trying to find MP3 music information
Replies
0
Views
159
mollie1950
M
B
AGPTEK MP3 Player not recognized by my computer at all! Please help!
Replies
0
Views
296
BryceFlora
B
Back
Top Bottom