Win32/Agent.ONB Trojan virus built into an mp3 player rom

 
GJ
(Msg. 1) Posted: Wed Dec 31, 2008 4:26 am
Post subject: Win32/Agent.ONB Trojan virus built into an mp3 player rom
Archived from groups: alt>comp>anti-virus

My nephew was given a no-name mp3 player, which looks like a USB drive, for
Christmas.

When the MP3 Player is plugged into a USB port on our computer, it is
identified by Windows XP home as two devices :-

1) AMT_CDROM , a read only drive

2) MP3_PLAY, a drive which contains mp3 files to be played by the
player.

The AMT_CDROM drive contains some files which try to run as soon as the
player is plugged in using the Windows AUTORUN function. These files are in
a chip on the player and cannot be deleted.

These files are

autorun.inf
AMT.sn
start.exe

The result of this is that Windows tries to run the file "start.exe", and as
soon as this happens it is flagged by the anti-virus software (NOD32) as
containing the Win32/Agent.ONB Trojan virus.



There are some references to this virus on the web, but nothing very useful
which I have found so far - the following has been translated from Italian
on a forum and relates a similar experience.



"Hello everyone I have a question to be asked: I bought an mp3 player
similar to your shuffle from china 2 gi
The problem is that if I connect off with usb cable to PC then turn fits ...
you see, it works and everything is ok ...
But if I turn it off and then turn it back on, it tells me "device not recognized" and
then at the end asks me to reboot the PC.
But the main problem is that my view on the PC in addition to "removable
disk" also similar to a disc player that if I clicked on from the antivirus
(nod 32) recognize a file start.exe. "
"G: \ AMT.sn 'cabinet' BackupTool.exe - probably a variant of
Win32/PSW.Agent horse tr ** a"
the presence of a file infested by trojan.
The result is this: "G: \ start.exe - Win32/Agent.ONB horse tr ** a - error
while deleting - file is locked - error while deleting - file is locked -
error while deleting - file is blocked. "
of course I can not remove in any way .... this disc (AMT_CDROM) despite the
low level formatting does not delete them ... but still active ... I do is
safe to use? You can delete? "



I can't find any details on what the virus, if it really exists, does.

Has anyone come across this before? If there is a virus present, it seems
to be encoded into the rom chip on the mp3 player during its manufacture.

I can't imagine the presence of the virus pattern is a coincidence because
the function of the start.exe must be fairly simple in this use.



Look forward to hearing of any similar incidents or anything else about this
one you can tell me.



Thanks,



GJ

matjaz.vencelj
(Msg. 2) Posted: Wed Dec 31, 2008 9:11 am
Post subject: Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

Same here - just got three of them from an ebay seller. I managed to
repartition and reformat, but still opens a virtual cdrom with said
files... cheers M

David H. Lipman
(Msg. 3) Posted: Wed Dec 31, 2008 11:22 am
Post subject: Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

From: "GJ"

| My nephew was given a no-name mp3 player, which looks like a USB drive, for
| Christmas.

| When the MP3 Player is plugged into a USB port on our computer, it is
| identified by Windows XP home as two devices :-

| 1) AMT_CDROM , a read only drive
| 2) MP3_PLAY, a drive which contains mp3 files to be played by the
| player.

| The AMT_CDROM drive contains some files which try to run as soon as the
| player is plugged in using the Windows AUTORUN function. These files are in
| a chip on the player and cannot be deleted.

| These files are

| autorun.inf
| AMT.sn
| start.exe

| The result of this is that Windows tries to run the file "start.exe", and as
| soon as this happens it is flagged by the anti-virus software (NODS32) as
| containing the Win32/Agent.ONB Trojan virus

| There are some references to this virus on the web, but nothing very useful
| which I have found so far - the following has been translated from Italian
| on a forum and relates a similar experience.

| "Hello everyone I have a question to be asked: I bought an mp3 player
| similar to your shuffle from china 2 gi
| The problem is that if I connect off with usb cable to PC then turn fits ...
| you see, it works and everything is ok ...
| But if the spengo and then riaccendo tells me "device not recognized" and
| then at the end asks me to reboot the PC.
| But the main problem is that my view on the PC in addition to "removable
| disk" also similar to a disc player that if I clicked on from the antivirus
| (nod 32) recognize a file start.exe. "
"G:: \ AMT.sn 'cabinet' BackupTool.exe - probably a variant of
| Win32/PSW.Agent horse tr ** a"
| the presence of a file infested by trojan.
| The result is this: "G: \ start.exe - Win32/Agent.ONB horse tr ** a - error
| while deleting - file is locked - error while deleting - file is locked -
| error while deleting - file is blocked. "
| of course I can not remove in any way .... this disc (AMT_CDROM) despite the
| low level formatting does not delete them ... but still active ... I do is
| safe to use? You can delete? "

| I can't find any details on what the virus does, if it really exists, does.

| Has anyone come across this before ? If there is a virus present, it seems
| to be encoded into the rom chip on the mp3 player during it's manufacture.

| I can't imagine the presence of the virus pattern is a coincidence because
| the function of the start.exe must be fairly simple in this use .

| Look forward to hearing of any similar incidents or anything else about this
| one you can tell me.

| Thanks,

| GJ


It is an AutoRun worm. If Eset doesn't provide technical information on what this AutoRun
worm does, you'll have to provide the EXE file to Virus Total to see who else recognizes
this threat and see if they have technical information on what this AutoRun does.


Please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition Virus
Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
GJ
(Msg. 4) Posted: Wed Dec 31, 2008 3:26 pm
Post subject: Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

"David H. Lipman" wrote in message

> From: "GJ"
>
> | My nephew was given a no-name mp3 player, which looks like a USB drive,
> for
> | Christmas.
>
> | When the MP3 Player is plugged into a USB port on our computer, it is
> | identified by Windows XP home as two devices :-
>
> | 1) AMT_CDROM , a read only drive
> | 2) MP3_PLAY, a drive which contains mp3 files to be played by
> the
> | player.
>
> | The AMT_CDROM drive contains some files which try to run as soon as the
> | player is plugged in using the Windows AUTORUN function. These files are
> in
> | a chip on the player and cannot be deleted.
>
> | These files are
>
> | autorun.inf
> | AMT.sn
> | start.exe
>
> | The result of this is that Windows tries to run the file "start.exe",
> and as
> | soon as this happens it is flagged by the anti-virus software (NODS32)
> as
> | containing the Win32/Agent.ONB Trojan virus
>
> | There are some references to this virus on the web, but nothing very
> useful
> | which I have found so far - the following has been translated from
> Italian
> | on a forum and relates a similar experience.
>
> | "Hello everyone I have a question to be asked: I bought an mp3 player
> | similar to your shuffle from china 2 gi
> | The problem is that if I connect off with usb cable to PC then turn fits
> ...
> | you see, it works and everything is ok ...
> | But if the spengo and then riaccendo tells me "device not recognized"
> and
> | then at the end asks me to reboot the PC.
> | But the main problem is that my view on the PC in addition to "removable
> | disk" also similar to a disc player that if I clicked on from the
> antivirus
> | (nod 32) recognize a file start.exe. "
> "G:: \ AMT.sn 'cabinet' BackupTool.exe - probably a variant of
> | Win32/PSW.Agent horse tr ** a"
> | the presence of a file infested by trojan.
> | The result is this: "G: \ start.exe - Win32/Agent.ONB horse tr ** a -
> error
> | while deleting - file is locked - error while deleting - file is
> locked -
> | error while deleting - file is blocked. "
> | of course I can not remove in any way .... this disc (AMT_CDROM) despite
> the
> | low level formatting does not delete them ... but still active ... I do
> is
> | safe to use? You can delete? "
>
> | I can't find any details on what the virus does, if it really exists,
> does.
>
> | Has anyone come across this before ? If there is a virus present, it
> seems
> | to be encoded into the rom chip on the mp3 player during it's
> manufacture.
>
> | I can't imagine the presence of the virus pattern is a coincidence
> because
> | the function of the start.exe must be fairly simple in this use .
>
> | Look forward to hearing of any similar incidents or anything else about
> this
> | one you can tell me.
>
> | Thanks,
>
> | GJ
>
>
> It is an AutoRun worm. If Eset doesn't provide technical information on
> what this AutoRun
> worm does, you'll have to provide the EXE file to Virus Total to see who
> else recognizes
> this threat and see if they have technical information on what this
> AutoRun does.
>
>
> Please submit a sample to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendor's
> scanners.
> That will give you an idea what it is and who recognizes it. In addition
> Virus
> Total will provide the sample to all participating vendors.
>
> You can also submit a suspect, one at a time, via the following email
> URL...
> mailto:scan@virustotal.com?subject=SCAN
>
> When you get the report, please post back the exact results.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
Will do, but the mp3 player is now in Ballarat - I'll have to wait until my
nephew comes back to Melbourne.

Thanks,

GJ
kurt wismer
(Msg. 5) Posted: Wed Dec 31, 2008 9:36 pm
Post subject: Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

GJ wrote:
> My nephew was given a no-name mp3 player, which looks like a USB drive, for
> Christmas.
>
> When the MP3 Player is plugged into a USB port on our computer, it is
> identified by Windows XP home as two devices :-
>
>
>
> 1) AMT_CDROM , a read only drive
>
>
>
> 2) MP3_PLAY, a drive which contains mp3 files to be played by the
> player.

this sounds like a variation on the U3 technology that certain usb flash
drives (notably the sandisk cruzer) come with... the technology allows
certain usb devices to bypass normal windows limitations on usb flash
drives (ie. normally usb drives initiate autoplay instead of autorun) by
presenting windows with 2 devices - one of them a CD drive (which by
default initiates autorun rather than autoplay)...

> The AMT_CDROM drive contains some files which try to run as soon as the
> player is plugged in using the Windows AUTORUN function. These files are in
> a chip on the player and cannot be deleted.

i think you may find that it is possible to delete these files, or more
accurately it should be possible to overwrite the partition on which
the virtual cd drive exists with a new ISO file containing whatever you like...

it will almost certainly require special software specific to the
technology involved but i was able to 'neuter' the U3 installer on the
sandisk cruzer i bought earlier this year using just such a method...
unfortunately i don't know the name of the technology that would give
you the AMT_CDROM drive - a U3 disk would show U3 as the name of the cd
drive...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
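
Added example, not part of any post in this thread: a Python triage helper for the mechanism described in the post above, where a device that presents itself as a CD drive gets its autorun.inf honoured. The autorun.inf contents are constructed (the thread never shows the real file), the function names are illustrative, and the drive-type bits are those of the Windows NoDriveTypeAutoRun policy value.

```python
# Added example: triage of an autorun.inf found on a USB device's virtual CD drive.
# It lists what the file asks Windows to launch and checks whether the AutoRun
# policy mask would allow that for the drive type the device reports.

# Drive-type bits of the NoDriveTypeAutoRun policy value
# (...\Windows\CurrentVersion\Policies\Explorer). A set bit turns AutoRun OFF.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "removable": 0x04,
    "fixed": 0x08,
    "network": 0x10,
    "cdrom": 0x20,
    "ramdisk": 0x40,
}
XP_DEFAULT_MASK = 0x91    # Windows XP default: CD-ROM AutoRun stays on
ALL_DISABLED_MASK = 0xFF  # AutoRun off for every drive type

# Constructed sample input; not taken from the device discussed in the thread.
SAMPLE_AUTORUN_INF = r"""
; constructed example
[AutoRun]
open=start.exe
icon=start.exe,0
shell\open\command=start.exe

[OtherSection]
open=ignored.exe
"""


def policy_allows_autorun(drive_type, mask):
    """True if the policy mask leaves AutoRun enabled for this drive type.

    This models the policy bit only. For ordinary removable drives Windows
    shows the AutoPlay dialog instead, as the post above notes.
    """
    return not (mask & DRIVE_TYPE_BITS[drive_type])


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, keys lowercased."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def assess(text, mask, drive_type="cdrom"):
    """Summarise what the file would launch under the given policy mask."""
    entries = parse_autorun(text)
    allowed = policy_allows_autorun(drive_type, mask)
    # open= and shellexecute= name the program started when the media appears.
    on_insert = [entries[k] for k in ("open", "shellexecute") if k in entries]
    # shell\<verb>\command entries add Explorer menu commands for the drive.
    menu = [(k, v) for k, v in entries.items()
            if k.startswith("shell\\") and k.endswith("\\command")]
    return {
        "autorun_allowed": allowed,
        "runs_on_insert": on_insert if allowed else [],
        "menu_commands": menu,
    }


if __name__ == "__main__":
    for name, mask in (("XP default", XP_DEFAULT_MASK),
                       ("all disabled", ALL_DISABLED_MASK)):
        print(name, hex(mask), assess(SAMPLE_AUTORUN_INF, mask))
```
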

Ernie B.
(Msg. 6) Posted: Wed Dec 31, 2008 9:59 pm
Post subject: Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

GJ
(Msg. 7) Posted: Thu Jan 01, 2009 12:26 am
Post subject: Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

"Ernie B." wrote in message

> On Wed, 31 Dec 2008 16:36:17 -0500 kurt wismer wrote:
>
>> GJ wrote:
>> > My nephew was given a no-name mp3 player, which looks like a USB drive,
>> > for
>> > Christmas.
> <snip>
>> > 1) AMT_CDROM , a read only drive
>> >
>> >
>> >
>> > 2) MP3_PLAY, a drive which contains mp3 files to be played by
>> > the
>> > player.
> <snip>
>>
>> i think you may find that it is possible to delete these files, or more
>> accurately it should be possible to overwrite the partition on which
>> virtual cd drive exists with a new ISO file containing whatever you
>> like...
>>
>> it will almost certainly require special software specific to the
>> technology involved but i was able to 'neuter' the U3 installer on the
>> sandisk cruzer i bought earlier this year using just such a method...
>> unfortunately i don't know the name of the technology that would give
>> you the AMT_CDROM drive - a U3 disk would show U3 as the name of the cd
>> drive...
>>
> You might consider a LiveCD of gparted,
> <http://gparted.sourceforge.net/livecd.php>. It should be possible to
> delete
> the partition in question and then expand the remaining partition to
> occupy
> the entire drive.
> --
> Ernie B.
>
> Communication: The art of moving an idea from one mind to another,
> hopefully
> without distortion.

I don't think this is the same as the U3 system, which is based on a
software start-up and it's easy to delete the U3 system software files (I've
done this on my 4Gb Sandisk Cruzer). The files involved here seem to be in
a rom in the device and they are ungettable at if you get my drift. The evil
partition seems to be set up by hardware and the files can't be deleted.
GJ

kurt wismer
(Msg. 8) Posted: Thu Jan 01, 2009 1:01 am
Post subject: Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

GJ wrote:
[snip]
> I don't think this is the same as the U3 system, which is based on a
> software start-up and it's easy to delete the U3 system software files(I've
> done this on my 4Gb Sandisk Cruzer). The files involved here seem to be in
> a rom in the device and they are ungettable at if you get my drift. The evil
> partition seems to be set up by hardware and the files can't be deleted.

well, i don't know about your cruzer, but mine had files on the 'cd
drive' as well as on the normal usb drive... the ones on the 'cd drive'
were not editable in the normal way either - they were as read-only as
the contents of any CD in fact... but i was able to find software to
write a new ISO to that drive...

oh, and U3 is not purely software-based, the hardware itself has to be
different from a standard usb flash drive in order to report multiple
devices to windows... basically the hardware has to lie to your
computer, which is not a standard practice...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

kurt wismer
(Msg. 9) Posted: Thu Jan 01, 2009 1:03 am
Post subject: Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

Ernie B. wrote:
> On Wed, 31 Dec 2008 16:36:17 -0500 kurt wismer wrote:
[snip]
>> i think you may find that it is possible to delete these files, or more
>> accurately it should be possible to overwrite the partition on which
>> virtual cd drive exists with a new ISO file containing whatever you like...
>>
>> it will almost certainly require special software specific to the
>> technology involved but i was able to 'neuter' the U3 installer on the
>> sandisk cruzer i bought earlier this year using just such a method...
>> unfortunately i don't know the name of the technology that would give
>> you the AMT_CDROM drive - a U3 disk would show U3 as the name of the cd
>> drive...
>>
> You might consider a LiveCD of gparted,
> <http://gparted.sourceforge.net/livecd.php>. It should be possible to delete
> the partition in question and then expand the remaining partition to occupy
> the entire drive.

these aren't the same as logical partitions on a single physical
drive... the device reports 2 physical drives, one a removable drive and
one a cd drive...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

GJ
(Msg. 10) Posted: Thu Jan 01, 2009 8:26 am
Post subject: Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

>
> these aren't the same as logical partitions on a single physical drive...
> the device reports 2 physical drives, one a removable drive and one a cd
> drive...

Yes, that's exactly what the mp3 player did.

Strangely I can't find this Win32/Agent.ONB virus listed anywhere in the
usual virus description libraries so I'm not sure how dangerous it is.

GJ

kurt wismer
(Msg. 11) Posted: Thu Jan 01, 2009 6:51 pm
Post subject: Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

GJ wrote:
>> these aren't the same as logical partitions on a single physical drive...
>> the device reports 2 physical drives, one a removable drive and one a cd
>> drive...
>
> Yes, that's exactly what the mp3 player did.
>
> Strangely I can't find this Win32/Agent.ONB virus listed anywhere in the
> usual virus description libraries so I'm not sure how dangerous it is.

i'm afraid there are far too many pieces of malware out there for them
to all have a description in an online database - and the family name
"agent" specifically is used for so many things that it is of little
help either... did you follow david's suggestion and submit it to
virustotal.com? i've tried running "agent.onb" through vgrep to find
what other scanners might call it but there were no results returned...

what david said is almost certainly true, it's an autorun worm, but any
additional capabilities it might have depend very much on getting a
description for that specific variant...

if the search for a description is fruitless you may have to assume the
worst (ie. stealth, password stealing, etc)...

another thing you *could* try, however, is to contact the company that
makes your scanner and ask if it's a false alarm or not (you'll probably
have to send them a copy of the file)... they should be able to clear up
some of your other questions too...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

pjdura
(Msg. 12) Posted: Mon Mar 16, 2009 9:02 am
Post subject: Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

I had the same problem, but with the Trojan.Horse.PSW.Agent.YOM using
AVG 8.

And I SOLVED that, configuring my mp3 player to not auto music
transfer:

1) Press the Mp3 player configuration button to enter the configuration
Menu,

2) then choose the option: Sys
( It is the 5th option to the right: Msc, Rec, Voi, Fm, SYS, txt, tel )

3) Inside Sys configuration menu, choose: Auto Music Transfer
( it is the 8th option to the right: Record quality, Backlight time,
Color, Power Off, Replay set, Contrast, Language, AUTO MUSIC TRANSFER,
Memory info, Edition, Default, Exit )

4) Inside Auto Music Transfer: choose No ( close or disabled )

And after that, the next time you plug your mp3 player, you will not
see the AMT_CDROM again.

Hope that this would be useful.


--
pjdura
------------------------------------------------------------------------
pjdura's Profile: http://forums.techarena.in/members/pjdura.htm
View this thread: http://forums.techarena.in/antivirus-software/1095733.htm

http://forums.techarena.in

josemartinezx
(Msg. 13) Posted: Tue Sep 15, 2009 12:59 am
Post subject: Re: Win32/Agent.ONB Trojan virus built into an mp3 player ro

I confirm that what pjdura did does the trick.

Thanks, pjdura, for sharing this.

Best regards,

-JM


pjdura wrote:
I had the same problem, but with the Trojan.Horse.PSW.Agent.YOM using
AVG 8.

And I SOLVED that, configuring my mp3 player to not auto music
transfer:

1) Press the Mp3 player configuration button to enter the configuration
Menu,

2) then choose the option: Sys
( It is the 5th option to the right: Msc, Rec, Voi, Fm, SYS, txt, tel )

3) Inside Sys configuration menu, choose: Auto Music Transfer
( it is the 8th option to the right: Record quality, Backlight time,
Color, Power Off, Replay set, Contrast, Language, AUTO MUSIC TRANSFER,
Memory info, Edition, Default, Exit )

4) Inside Auto Music Transfer: choose No ( close or disabled )

And after that, the next time you plug your mp3 player, you will not
see the AMT_CDROM again.

Hope that this would be useful.


--
pjdura
------------------------------------------------------------------------
pjdura's Profile: http://forums.techarena.in/members/pjdura.htm
View this thread: http://forums.techarena.in/antivirus-software/1095733.htm

http://forums.techarena.in

aloysiaochsenbein
(Msg. 14) Posted: Fri Aug 10, 2012 9:06 am
Post subject: Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

On Tuesday, December 30, 2008 10:25:02 PM UTC-5, GJ wrote:
> My nephew was given a no-name mp3 player, which looks like a USB drive, for
> Christmas.
>
> When the MP3 Player is plugged into a USB port on our computer, it is
> identified by Windows XP home as two devices :-
>
>
>
> 1) AMT_CDROM , a read only drive
>
>
>
> 2) MP3_PLAY, a drive which contains mp3 files to be played by the
> player.
>
>
>
>
>
> The AMT_CDROM drive contains some files which try to run as soon as the
> player is plugged in using the Windows AUTORUN function. These files are in
> a chip on the player and cannot be deleted.
>
> These files are
>
>
>
> autorun.inf
>
> AMT.sn
>
> start.exe
>
>
>
> The result of this is that Windows tries to run the file "start.exe", and as
> soon as this happens it is flagged by the anti-virus software (NODS32) as
> containing the Win32/Agent.ONB Trojan virus
>
>
>
> There are some references to this virus on the web, but nothing very useful
> which I have found so far - the following has been translated from Italian
> on a forum and relates a similar experience.
>
>
>
> "Hello everyone I have a question to be asked: I bought an mp3 player
> similar to your shuffle from china 2 gi
> The problem is that if I connect off with usb cable to PC then turn fits ....
> you see, it works and everything is ok ...
> But if the spengo and then riaccendo tells me "device not recognized" and
> then at the end asks me to reboot the PC.
> But the main problem is that my view on the PC in addition to "removable
> disk" also similar to a disc player that if I clicked on from the antivirus
> (nod 32) recognize a file start.exe. "
> "G: \ AMT.sn 'cabinet' BackupTool.exe - probably a variant of
> Win32/PSW.Agent horse tr ** a"
> the presence of a file infested by trojan.
> The result is this: "G: \ start.exe - Win32/Agent.ONB horse tr ** a - error
> while deleting - file is locked - error while deleting - file is locked -
> error while deleting - file is blocked. "
> of course I can not remove in any way .... this disc (AMT_CDROM) despite the
> low level formatting does not delete them ... but still active ... I do is
> safe to use? You can delete? "
>
>
>
> I can't find any details on what the virus does, if it really exists, does.
>
>
>
> Has anyone come across this before ? If there is a virus present, it seems
> to be encoded into the rom chip on the mp3 player during it's manufacture..
>
> I can't imagine the presence of the virus pattern is a coincidence because
> the function of the start.exe must be fairly simple in this use .
>
>
>
> Look forward to hearing of any similar incidents or anything else about this
> one you can tell me.
>
>
>
> Thanks,
>
>
>
> GJ

I have an RCA Mp3 and a Craig Mp3, and they both do the same thing. I hook it up, and then it tells me that a threat has been detected, and it tells me it's the trojan horse virus. I have done a little bit of research on this, and it tells me that a trojan horse virus can be put on your computer by online games and other online things. It says that the trojan horse virus allows hackers into your computer, and they can hack your system...that's all I know.

David H. Lipman
(Msg. 15) Posted: Fri Aug 10, 2012 12:40 pm
Post subject: Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

From:

> On Tuesday, December 30, 2008 10:25:02 PM UTC-5, GJ wrote:
>> My nephew was given a no-name mp3 player, which looks like a USB drive,
>> for
>> Christmas.
>>
>> When the MP3 Player is plugged into a USB port on our computer, it is
>> identified by Windows XP home as two devices :-
>>
>> 1) AMT_CDROM , a read only drive
>>
>> 2) MP3_PLAY, a drive which contains mp3 files to be played by
>> the
>> player.
>>
>> The AMT_CDROM drive contains some files which try to run as soon as the
>> player is plugged in using the Windows AUTORUN function. These files are
>> in
>> a chip on the player and cannot be deleted.
>>
>> These files are
>>
>> autorun.inf
>>
>> AMT.sn
>>
>> start.exe
>>
>> The result of this is that Windows tries to run the file "start.exe", and
>> as
>> soon as this happens it is flagged by the anti-virus software (NODS32) as
>> containing the Win32/Agent.ONB Trojan virus
>>
>> There are some references to this virus on the web, but nothing very
>> useful
>> which I have found so far - the following has been translated from
>> Italian
>> on a forum and relates a similar experience.
>>
>> "Hello everyone I have a question to be asked: I bought an mp3 player
>> similar to your shuffle from china 2 gi
>> The problem is that if I connect off with usb cable to PC then turn fits
>> ...
>> you see, it works and everything is ok ...
>> But if the spengo and then riaccendo tells me "device not recognized" and
>> then at the end asks me to reboot the PC.
>> But the main problem is that my view on the PC in addition to "removable
>> disk" also similar to a disc player that if I clicked on from the
>> antivirus
>> (nod 32) recognize a file start.exe. "
>> "G: \ AMT.sn 'cabinet' BackupTool.exe - probably a variant of
>> Win32/PSW.Agent horse tr ** a"
>> the presence of a file infested by trojan.
>> The result is this: "G: \ start.exe - Win32/Agent.ONB horse tr ** a -
>> error
>> while deleting - file is locked - error while deleting - file is locked -
>> error while deleting - file is blocked. "
>> of course I can not remove in any way .... this disc (AMT_CDROM) despite
>> the
>> low level formatting does not delete them ... but still active ... I do
>> is
>> safe to use? You can delete? "
>>
>> I can't find any details on what the virus does, if it really exists,
>> does.
>>
>> Has anyone come across this before ? If there is a virus present, it
>> seems
>> to be encoded into the rom chip on the mp3 player during it's
>> manufacture.
>>
>> I can't imagine the presence of the virus pattern is a coincidence
>> because
>> the function of the start.exe must be fairly simple in this use .
>>
>> Look forward to hearing of any similar incidents or anything else about
>> this
>> one you can tell me.
>>
>> Thanks,
>>
>> GJ
>
> I have a RCA Mp3, and a Craig Mp3 and they both do the same thing. I hook
> it up, and then
> it tells me that a threat has been detected, and it tells me it's the
> trojan horse virus.
> I have done a little bit of research on this, and it tells me that a
> trojan horse virus,
> can be put on your computer by online games and other online things. It
> says that the
> trojan horse virus allows hackers into your computer, and they can hack
> your
> system...that's all I know.

You are answering a 4 year old post.

Either the infector is a virus or a trojan but there is no such thing as a
"trojan horse virus" albeit a trojan can be infected by a virus such as a
CyberGate RAT being infected with Parite or Sality.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp