Memory Sticks Complete with Pre-Loaded Malware

Following is an excerpt from a letter (see here) IBM had to send to recent trade show attendees:

Dear AusCERT Delegate,

At the AusCERT conference this week, you may have collected a complimentary USB key from the IBM booth. Unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected.

The malware is detected by the majority of current Anti Virus products [as at 20/05/2010] and been known since 2008.The malware is known by a number of names and is contained in the setup.exe and autorun.ini files. It is spread when the infected USB device is inserted into a Microsoft Windows workstation or server whereby the setup.exe and autorun.ini files run automatically.

Please do not use the USB key, and we ask that you return it to IBM at Reply Paid 120, PO Box 400, West Pennant Hills 2120.

If you have inserted the USB device into your Microsoft Windows machine, we suggest that you contact your IT administrator for assessment, remediation and removal, or you may want to take the precaution of performing the steps below.

Now you know why I never, NEVER keep the ubiquitous memory sticks (aka, flash drives) vendors distribute at trade shows. You might want to adopt the same policy. "Free" can be very expensive.

Now, I wonder if the same people who manufacture the flash drives also make POS terminals...