Malware from MP3 player

  • Thread starter: Lauren

Lauren

Guest
My apologies if this is the wrong group. I recently bought a Lasonic
MP-02GY MP3 player from Fry's and have found it loads a program called
jjjha.exe which appears to be sending information, whenever a Google search
is done, to a website in China. The device has an autorun.inf which changes
the right-click menu for the drive and runs an exe on the root of the
device. It loads a fake svchost file into Windows/inf and sets an autorun
key. The svchost then loads and reloads the jjjha.exe, which monitors the
browser. Once you stop the svchost process it is not too bad to remove
everything. I don't know where something like this should be reported.

Thanks
Lauren
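Lauren's description above (an autorun.inf on the drive root that rewires the right-click menu and launches an exe from the device) is the standard USB-autorun pattern of that era. The following Python is an added example, not code from the thread: it parses a constructed autorun.inf of that shape (the real file and the name of the root executable are not on the page; `launcher.exe` is a placeholder), lists every directive that would run code, and checks whether a given NoDriveTypeAutoRun policy value would block autorun for removable drives. Windows may honour `open=` and `shellexecute=` when the drive is inserted, `shell\<verb>\command=` entries add or replace the drive's context-menu verbs, and `shell=<verb>` makes one of them the double-click default; a verb named open or explore shadows Explorer's own, which is how a drive can run malware on a plain double-click.

```python
"""
Inspect an autorun.inf the way the thread describes: find every directive that
would launch a program on insert or from the drive's context menu, and check
whether the host's NoDriveTypeAutoRun policy would stop it. Added example.
"""
import re

# Constructed sample of the shape Lauren describes: runs an executable from the
# drive root and replaces Explorer's Open/Explore verbs. The real file is not
# on the page; launcher.exe is a placeholder name.
SAMPLE_AUTORUN_INF = """\
; Constructed example, not the file shipped on the player
[AutoRun]
Open=launcher.exe
ShellExecute=launcher.exe
shell\\open=&Open
shell\\open\\Command=launcher.exe
shell\\explore=&Explore
shell\\explore\\Command=launcher.exe
shell=open
Icon=launcher.exe,0
"""

LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text):
    """Return the [autorun] section as an ordered list of (key, value) pairs.
    Keys are lower-cased because Windows matches them case-insensitively;
    duplicate keys are kept so a second 'open=' does not hide the first."""
    pairs = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def analyse_autorun(text):
    """Summarise what the file would do: programs launched on insert
    (open/shellexecute), programs wired to context-menu verbs, and the verb
    made the default double-click action via shell=."""
    pairs = parse_autorun(text)
    launches, verb_commands, default_verb = [], {}, None
    for key, value in pairs:
        if key in LAUNCH_KEYS:
            launches.append((key, value))
        m = VERB_COMMAND.match(key)
        if m:
            verb_commands[m.group(1).lower()] = value
        if key == "shell":
            default_verb = value.lower()
    # A command behind a verb named open/explore shadows Explorer's own entries,
    # so a double-click or right-click on the drive runs the attacker's file.
    hijacked = {v: c for v, c in verb_commands.items() if v in ("open", "explore")}
    return {
        "launches": launches,
        "verb_commands": verb_commands,
        "default_verb": default_verb,
        "hijacked_verbs": hijacked,
        "executes_code": bool(launches or verb_commands),
    }


# NoDriveTypeAutoRun (...\Policies\Explorer) is a bitmask: bit n set disables
# autorun for drives whose GetDriveType() value is n (removable = 2 -> 0x04).
DRIVE_TYPE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40,
}


def autorun_disabled_for(drive_type, policy_value):
    """True if the policy bitmask blocks autorun for this drive type;
    0xFF sets every bit and blocks all of them."""
    return bool(policy_value & DRIVE_TYPE_BITS[drive_type])


if __name__ == "__main__":
    report = analyse_autorun(SAMPLE_AUTORUN_INF)
    for key, value in report["launches"]:
        print(f"launch on insert : {key}={value}")
    for verb, cmd in report["verb_commands"].items():
        print(f"context-menu verb: {verb} -> {cmd}")
    print("default verb     :", report["default_verb"])
    print("removable blocked by 0x91:", autorun_disabled_for("removable", 0x91))
    print("removable blocked by 0xFF:", autorun_disabled_for("removable", 0xFF))
```

To use the policy check on an affected host, read NoDriveTypeAutoRun under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (and the HKCU copy, which also applies) and pass the value to autorun_disabled_for; a value with bit 0x04 clear leaves removable drives open to exactly the autorun.inf shown.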
 
From: "Lauren" <blah@blahblah.blah>

| My apologies if this is the wrong group. I recently bought a Lasonic
| MP-02GY MP3 player from Fry's and have found it loads a program called
| jjjha.exe which appears to be sending information, whenever a Google search
| is done, to a website in China. The device has an autorun.inf which changes
| the right-click menu for the drive and runs an exe on the root of the
| device. It loads a fake svchost file into Windows/inf and sets an autorun
| key. The svchost then loads and reloads the jjjha.exe, which monitors the
| browser. Once you stop the svchost process it is not too bad to remove
| everything. I don't know where something like this should be reported.
|
| Thanks
| Lauren
|

Before it can be reported, jjjha.exe *must* be identified. Then, once it is identified as
malware, you should file a formal complaint with Fry's as well as the Attorney General of
your state.

The following is how you should go about identifying the file...


Please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results and use the report as proof of
the malware infection.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
you can submit a copy of such here

http://support.microsoft.com/kb/921161/en-us

--
Milo
MSPSS


"Lauren" wrote:

> My apologies if this is the wrong group. I recently bought a Lasonic
> MP-02GY MP3 player from Fry's and have found it loads a program called
> jjjha.exe which appears to be sending information, whenever a Google search
> is done, to a website in China. The device has an autorun.inf which changes
> the right-click menu for the drive and runs an exe on the root of the
> device. It loads a fake svchost file into Windows/inf and sets an autorun
> key. The svchost then loads and reloads the jjjha.exe, which monitors the
> browser. Once you stop the svchost process it is not too bad to remove
> everything. I don't know where something like this should be reported.
>
> Thanks
> Lauren
>
>
>
 
Google blocks certain Chinese websites and censors others; perhaps, since
this is an MP3 player, that software may aid in the censoring.


--

Sharon Franks
MCC group
Microsoft Certified Solutions Developer (MCSD)
Microsoft Certified Trainer (MCT).



"Lauren" <blah@blahblah.blah> wrote in message
news:e173$IzwHHA.1168@TK2MSFTNGP02.phx.gbl...
> My apologies if this is the wrong group. I recently bought a Lasonic
> MP-02GY MP3 player from Fry's and have found it loads a program called
> jjjha.exe which appears to be sending information, whenever a Google search
> is done, to a website in China. The device has an autorun.inf which
> changes the right-click menu for the drive and runs an exe on the root of
> the device. It loads a fake svchost file into Windows/inf and sets an
> autorun key. The svchost then loads and reloads the jjjha.exe, which
> monitors the browser. Once you stop the svchost process it is not too bad
> to remove everything. I don't know where something like this should be
> reported.
>
> Thanks
> Lauren
>
 
Here are the results for the svchost file:


Antivirus Version Update Result
AhnLab-V3 2007.7.11.1 07.11.2007 no virus found
AntiVir 7.4.0.39 07.10.2007 TR/VB.Yongfu
Authentium 4.93.8 07.10.2007 no virus found
Avast 4.7.997.0 07.11.2007 no virus found
AVG 7.5.0.476 07.10.2007 Worm/Delf.CRQ
BitDefender 7.2 07.11.2007 no virus found
CAT-QuickHeal 9.00 07.10.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 07.11.2007 no virus found
DrWeb 4.33 07.11.2007 no virus found
eSafe 7.0.15.0 07.10.2007 suspicious Trojan/Worm
eTrust-Vet 30.8.3778 07.10.2007 no virus found
Ewido 4.0 07.10.2007 no virus found
FileAdvisor 1 07.11.2007 no virus found
Fortinet 2.91.0.0 07.11.2007 VBWorm.C
F-Prot 4.3.2.48 07.10.2007 no virus found
Ikarus T3.1.1.8 07.11.2007 Win32.SuspectCrc
Kaspersky 4.0.2.24 07.11.2007 Virus.Win32.AutoRun.cy
McAfee 5071 07.10.2007 no virus found
Microsoft 1.2704 07.11.2007 TrojanDownloader:Win32/Banload.DC
NOD32v2 2390 07.10.2007 no virus found
Norman 5.80.02 07.10.2007 no virus found
Panda 9.0.0.4 07.11.2007 Adware/SearchExplorer
Sophos 4.19.0 07.06.2007 Mal/VBWorm-C
Sunbelt 2.2.907.0 07.11.2007 no virus found
Symantec 10 07.11.2007 W32.SillyFDC
TheHacker 6.1.6.144 07.09.2007 no virus found
VBA32 3.12.0.2 07.10.2007 no virus found
VirusBuster 4.3.23:9 07.10.2007 no virus found
Webwasher-Gateway 6.0.1 07.11.2007 Trojan.VB.Yongfu


Additional Information
File size: 15872 bytes
MD5: 103bd3254c4aa8786ed1545261238d8f
SHA1: d08d7572b4a471216fa92967180887f995831a6a
packers: UPX

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:uHNN3NzwHHA.2040@TK2MSFTNGP03.phx.gbl...
> From: "Lauren" <blah@blahblah.blah>
>
> | My apologies if this is the wrong group. I recently bought a Lasonic
> | MP-02GY MP3 player from Fry's and have found it loads a program called
> | jjjha.exe which appears to be sending information, whenever a Google
> | search is done, to a website in China. The device has an autorun.inf which
> | changes the right-click menu for the drive and runs an exe on the root of
> | the device. It loads a fake svchost file into Windows/inf and sets an
> | autorun key. The svchost then loads and reloads the jjjha.exe, which
> | monitors the browser. Once you stop the svchost process it is not too bad
> | to remove everything. I don't know where something like this should be
> | reported.
> |
> | Thanks
> | Lauren
> |
>
> Before it can be reported, jjjha.exe *must* be identified. Then, once it
> is identified as malware, you should file a formal complaint with Fry's as
> well as the Attorney General of your state.
>
> The following is how you should go about identifying the file...
>
>
> Please submit a sample to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendors'
> scanners. That will give you an idea what it is and who recognizes it. In
> addition, unless told otherwise, Virus Total will provide the sample to
> all participating vendors.
>
> You can also submit a suspect, one at a time, via the following email
> URL...
> mailto:scan@virustotal.com?subject=SCAN
>
> When you get the report, please post back the exact results and use the
> report as proof of the malware infection.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
 
Here are the results for the second file, which had renamed itself.


Antivirus Version Update Result
AhnLab-V3 2007.7.11.1 07.11.2007 no virus found
AntiVir 7.4.0.39 07.10.2007 TR/VB.Yongfu
Authentium 4.93.8 07.10.2007 no virus found
Avast 4.7.997.0 07.11.2007 no virus found
AVG 7.5.0.476 07.10.2007 Worm/Delf.CRQ
BitDefender 7.2 07.11.2007 no virus found
CAT-QuickHeal 9.00 07.10.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 07.11.2007 no virus found
DrWeb 4.33 07.11.2007 no virus found
eSafe 7.0.15.0 07.10.2007 suspicious Trojan/Worm
eTrust-Vet 30.8.3778 07.10.2007 no virus found
Ewido 4.0 07.10.2007 no virus found
FileAdvisor 1 07.11.2007 no virus found
Fortinet 2.91.0.0 07.11.2007 VBWorm.C
F-Prot 4.3.2.48 07.10.2007 no virus found
Ikarus T3.1.1.8 07.11.2007 Win32.SuspectCrc
Kaspersky 4.0.2.24 07.11.2007 Virus.Win32.AutoRun.cy
McAfee 5071 07.10.2007 no virus found
Microsoft 1.2704 07.11.2007 TrojanDownloader:Win32/Banload.DC
NOD32v2 2390 07.10.2007 no virus found
Norman 5.80.02 07.10.2007 no virus found
Panda 9.0.0.4 07.11.2007 Adware/SearchExplorer
Sophos 4.19.0 07.06.2007 Mal/VBWorm-C
Sunbelt 2.2.907.0 07.11.2007 no virus found
Symantec 10 07.11.2007 W32.SillyFDC
TheHacker 6.1.6.144 07.09.2007 no virus found
VBA32 3.12.0.2 07.10.2007 no virus found
VirusBuster 4.3.23:9 07.10.2007 no virus found
Webwasher-Gateway 6.0.1 07.11.2007 Trojan.VB.Yongfu


Additional Information
File size: 15872 bytes
MD5: 103bd3254c4aa8786ed1545261238d8f
SHA1: d08d7572b4a471216fa92967180887f995831a6a
packers: UPX



"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:uHNN3NzwHHA.2040@TK2MSFTNGP03.phx.gbl...
> From: "Lauren" <blah@blahblah.blah>
>
> | My apologies if this is the wrong group. I recently bought a Lasonic
> | MP-02GY MP3 player from Fry's and have found it loads a program called
> | jjjha.exe which appears to be sending information, whenever a Google
> | search is done, to a website in China. The device has an autorun.inf which
> | changes the right-click menu for the drive and runs an exe on the root of
> | the device. It loads a fake svchost file into Windows/inf and sets an
> | autorun key. The svchost then loads and reloads the jjjha.exe, which
> | monitors the browser. Once you stop the svchost process it is not too bad
> | to remove everything. I don't know where something like this should be
> | reported.
> |
> | Thanks
> | Lauren
> |
>
> Before it can be reported, jjjha.exe *must* be identified. Then, once it
> is identified as malware, you should file a formal complaint with Fry's as
> well as the Attorney General of your state.
>
> The following is how you should go about identifying the file...
>
>
> Please submit a sample to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendors'
> scanners. That will give you an idea what it is and who recognizes it. In
> addition, unless told otherwise, Virus Total will provide the sample to
> all participating vendors.
>
> You can also submit a suspect, one at a time, via the following email
> URL...
> mailto:scan@virustotal.com?subject=SCAN
>
> When you get the report, please post back the exact results and use the
> report as proof of the malware infection.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
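Dave's procedure (hash and submit the sample, then keep the report as evidence) and the two VirusTotal reports Lauren posted can be worked through offline. The following Python is an added example, not code from the thread or from VirusTotal: it embeds the report rows exactly as posted (the two posted reports carry the same size, MD5 and SHA1, so one copy serves both and the "renamed" file is the same binary VirusTotal already saw), parses them, counts the engines that flagged the file, and checks a local file's hashes against the report's. The engines disagree on the name (VB.Yongfu, Delf, VBWorm, AutoRun, SillyFDC, Banload, SearchExplorer), so the number of engines detecting, not any one label, is the figure to quote in a complaint.

```python
"""
Parse a VirusTotal report as pasted in this thread, count detections, pull the
size/MD5/SHA1 out of it, and check a local file against those values offline.
Added example; the report text below is copied from the thread.
"""
import hashlib
import re

REPORT = """\
Antivirus Version Update Result
AhnLab-V3 2007.7.11.1 07.11.2007 no virus found
AntiVir 7.4.0.39 07.10.2007 TR/VB.Yongfu
Authentium 4.93.8 07.10.2007 no virus found
Avast 4.7.997.0 07.11.2007 no virus found
AVG 7.5.0.476 07.10.2007 Worm/Delf.CRQ
BitDefender 7.2 07.11.2007 no virus found
CAT-QuickHeal 9.00 07.10.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 07.11.2007 no virus found
DrWeb 4.33 07.11.2007 no virus found
eSafe 7.0.15.0 07.10.2007 suspicious Trojan/Worm
eTrust-Vet 30.8.3778 07.10.2007 no virus found
Ewido 4.0 07.10.2007 no virus found
FileAdvisor 1 07.11.2007 no virus found
Fortinet 2.91.0.0 07.11.2007 VBWorm.C
F-Prot 4.3.2.48 07.10.2007 no virus found
Ikarus T3.1.1.8 07.11.2007 Win32.SuspectCrc
Kaspersky 4.0.2.24 07.11.2007 Virus.Win32.AutoRun.cy
McAfee 5071 07.10.2007 no virus found
Microsoft 1.2704 07.11.2007 TrojanDownloader:Win32/Banload.DC
NOD32v2 2390 07.10.2007 no virus found
Norman 5.80.02 07.10.2007 no virus found
Panda 9.0.0.4 07.11.2007 Adware/SearchExplorer
Sophos 4.19.0 07.06.2007 Mal/VBWorm-C
Sunbelt 2.2.907.0 07.11.2007 no virus found
Symantec 10 07.11.2007 W32.SillyFDC
TheHacker 6.1.6.144 07.09.2007 no virus found
VBA32 3.12.0.2 07.10.2007 no virus found
VirusBuster 4.3.23:9 07.10.2007 no virus found
Webwasher-Gateway 6.0.1 07.11.2007 Trojan.VB.Yongfu
File size: 15872 bytes
MD5: 103bd3254c4aa8786ed1545261238d8f
SHA1: d08d7572b4a471216fa92967180887f995831a6a
packers: UPX
"""

# vendor, version, update date (dd.mm.yyyy as VT printed it), free-text result
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")


def parse_rows(text):
    """One dict per engine row; the header and metadata lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"vendor": m[1], "version": m[2],
                         "update": m[3], "result": m[4].strip()})
    return rows


def detections(rows):
    """Engines that returned anything other than a clean verdict."""
    return [r for r in rows if r["result"].lower() != "no virus found"]


def parse_metadata(text):
    """Size, MD5 and SHA1 from the Additional Information lines; None if absent."""
    size = re.search(r"File size:\s*(\d+)", text)
    md5 = re.search(r"MD5:\s*([0-9a-fA-F]{32})", text)
    sha1 = re.search(r"SHA1:\s*([0-9a-fA-F]{40})", text)
    return {"size": int(size[1]) if size else None,
            "md5": md5[1].lower() if md5 else None,
            "sha1": sha1[1].lower() if sha1 else None}


def hash_bytes(data):
    """Size, MD5, SHA1 and SHA256 of an in-memory sample."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_file(path):
    """hash_bytes for a file on disk (the samples here are a few KB)."""
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())


def matches_report(hashes, meta):
    """True only if every value the report provides agrees with the local file,
    so a renamed copy is still recognised and a different binary is not."""
    return all(hashes.get(k) == v for k, v in meta.items() if v is not None)


if __name__ == "__main__":
    rows = parse_rows(REPORT)
    hits = detections(rows)
    print(f"{len(hits)}/{len(rows)} engines flagged the sample")
    for r in hits:
        print(f"  {r['vendor']:<18} {r['result']}")
    print("report metadata:", parse_metadata(REPORT))
```

Run hash_file on the copy pulled from Windows\inf and on the renamed copy from the drive, then matches_report each against parse_metadata(REPORT): if both match, they are one binary and a single submission covers them.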
 
Thanks for the tip. I submitted the files.


"Milo (MSPSS)" <v-4jpaca@mssupport.microsoft.com> wrote in message
news:5AAB12C8-EC68-4D20-8419-F03974D080A2@microsoft.com...
> you can submit a copy of such here
>
> http://support.microsoft.com/kb/921161/en-us
>
> --
> Milo
> MSPSS
>
>
> "Lauren" wrote:
>
>> My apologies if this is the wrong group. I recently bought a Lasonic
>> MP-02GY MP3 player from Fry's and have found it loads a program called
>> jjjha.exe which appears to be sending information, whenever a Google
>> search is done, to a website in China. The device has an autorun.inf which
>> changes the right-click menu for the drive and runs an exe on the root of
>> the device. It loads a fake svchost file into Windows/inf and sets an
>> autorun key. The svchost then loads and reloads the jjjha.exe, which
>> monitors the browser. Once you stop the svchost process it is not too bad
>> to remove everything. I don't know where something like this should be
>> reported.
>>
>> Thanks
>> Lauren
>>
>>
>>
 
"Lauren" wrote:

> My apologies if this is the wrong group. I recently bought a Lasonic
> MP-02GY MP3 player from Fry's and have found it loads a program called
> jjjha.exe which appears to be sending information, whenever a Google search
> is done, to a website in China. The device has an autorun.inf which changes
> the right-click menu for the drive and runs an exe on the root of the
> device. It loads a fake svchost file into Windows/inf and sets an autorun
> key. The svchost then loads and reloads the jjjha.exe, which monitors the
> browser. Once you stop the svchost process it is not too bad to remove
> everything. I don't know where something like this should be reported.
>
> Thanks
> Lauren
>
>
>
 
Hi,
Same experience when I bought an MP3 player via eBay (1 GB MP3 player
shuffle). The program "icygddkg.exe" contains the malware trojan TR/VB.Yongfu.


My antivirus program AntiVir did recognize and kill it. Anyway, this lousy
Chinese program did read my Outlook address book. A short time afterwards a lot
of Chinese spam emails reached my partners.

My advice: buy the original products.
 
I bought mine from Fry's, a well known outlet.
Lauren
"jesburgers" <jesburgers@discussions.microsoft.com> wrote in message
news:64D19409-756D-49E8-8032-AE4276B9FF67@microsoft.com...
> Hi,
> Same experience when I bought an MP3 player via eBay (1 GB MP3 player
> shuffle). The program "icygddkg.exe" contains the malware trojan
> TR/VB.Yongfu.
>
>
> My antivirus program AntiVir did recognize and kill it. Anyway, this
> lousy Chinese program did read my Outlook address book. A short time
> afterwards a lot of Chinese spam emails reached my partners.
>
> My advice: buy the original products.
 