Win32/Agent.ONB Trojan virus built into an mp3 player rom

My nephew was given a no-name mp3 player, which looks like a USB drive, for
Christmas.

When the MP3 Player is plugged into a USB port on our computer, it is
identified by Windows XP home as two devices :-

1) AMT_CDROM, a read only drive

2) MP3_PLAY, a drive which contains mp3 files to be played by the player.

The AMT_CDROM drive contains some files which try to run as soon as the
player is plugged in using the Windows AUTORUN function. These files are in
a chip on the player and cannot be deleted.

These files are

autorun.inf
AMT.sn
start.exe

The result of this is that Windows tries to run the file "start.exe", and as
soon as this happens it is flagged by the anti-virus software (NOD32) as
containing the Win32/Agent.ONB Trojan virus.



There are some references to this virus on the web, but nothing very useful
which I have found so far - the following has been translated from Italian
on a forum and relates a similar experience.



"Hello everyone I have a question to be asked: I bought an mp3 player
similar to your shuffle from china 2 gi
The problem is that if I connect off with usb cable to PC then turn fits ...
you see, it works and everything is ok ...
But if I turn it off and then turn it back on it tells me "device not
recognized" and then at the end asks me to reboot the PC.
But the main problem is that my view on the PC in addition to "removable
disk" also similar to a disc player that if I clicked on from the antivirus
(nod 32) recognize a file start.exe. "
"G: \ AMT.sn 'cabinet' BackupTool.exe - probably a variant of
Win32/PSW.Agent horse tr ** a"
the presence of a file infested by trojan.
The result is this: "G: \ start.exe - Win32/Agent.ONB horse tr ** a - error
while deleting - file is locked - error while deleting - file is locked -
error while deleting - file is blocked. "
of course I can not remove in any way .... this disc (AMT_CDROM) despite the
low level formatting does not delete them ... but still active ... I do is
safe to use? You can delete? "



I can't find any details on what the virus, if it really exists, does.

Has anyone come across this before? If there is a virus present, it seems
to be encoded into the rom chip on the mp3 player during its manufacture.

I can't imagine the presence of the virus pattern is a coincidence because
the function of the start.exe must be fairly simple in this use .



Look forward to hearing of any similar incidents or anything else about this
one you can tell me.



Thanks,



GJ



Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom


| My nephew was given a no-name mp3 player, which looks like a USB drive, for
| Christmas.

| When the MP3 Player is plugged into a USB port on our computer, it is
| identified by Windows XP home as two devices :-

| 1)         AMT_CDROM , a read only drive
| 2)         MP3_PLAY,  a drive which contains mp3 files to be played by the
| player.

| The AMT_CDROM drive contains some files which try to run as soon as the
| player is plugged in using the Windows AUTORUN function. These files are in
| a chip on the player and cannot be deleted.

| These files are

| autorun.inf
| AMT.sn
| start.exe

| The result of this is that Windows tries to run the file "start.exe", and as
| soon as this happens it is flagged by the anti-virus software (NOD32) as
| containing the Win32/Agent.ONB Trojan virus.

| There are some references to this virus on the web, but nothing very useful
| which I have found so far - the following has been translated from Italian
| on a forum and relates a similar experience.

| "Hello everyone I have a question to be asked: I bought an mp3 player
| similar to your shuffle from china 2 gi
| The problem is that if I connect off with usb cable to PC then turn fits ...
| you see, it works and everything is ok ...
| But if I turn it off and then turn it back on it tells me "device not
| recognized" and then at the end asks me to reboot the PC.
| But the main problem is that my view on the PC in addition to "removable
| disk" also similar to a disc player that if I clicked on from the antivirus
| (nod 32) recognize a file start.exe. "
| "G: \ AMT.sn 'cabinet' BackupTool.exe - probably a variant of
| Win32/PSW.Agent horse tr ** a"
| the presence of a file infested by trojan.
| The result is this: "G: \ start.exe - Win32/Agent.ONB horse tr ** a - error
| while deleting - file is locked - error while deleting - file is locked -
| error while deleting - file is blocked. "
| of course I can not remove in any way .... this disc (AMT_CDROM) despite the
| low level formatting does not delete them ... but still active ... I do is
| safe to use? You can delete? "

| I can't find any details on what the virus, if it really exists, does.

| Has anyone come across this before? If there is a virus present, it seems
| to be encoded into the rom chip on the mp3 player during its manufacture.

| I can't imagine the presence of the virus pattern is a coincidence because
| the function of the start.exe must be fairly simple in this use .

| Look forward to hearing of any similar incidents or anything else about this
| one you can tell me.

| Thanks,

| GJ


It is an AutoRun worm.  If Eset doesn't provide technical information on what
this AutoRun worm does, you'll have to provide the EXE file to Virus Total to
see who else recognizes this threat and see if they have technical information
on what this AutoRun does.


Please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it.  In addition Virus
Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

Same here - just got three of them from an ebay seller. I managed to
repartition and reformat, but still opens a virtual cdrom with said
files... cheers M

Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom


Will do, but the mp3 player is now in Ballarat - I'll have to wait until my
nephew comes back to Melbourne.

Thanks,

GJ



Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

In reply to GJ:

this sounds like a variation on the U3 technology that certain usb flash
drives (notably the sandisk cruzer) come with... the technology allows
certain usb devices to bypass normal windows limitations on usb flash
drives (ie. normally usb drives initiate autoplay instead of autorun) by
presenting windows with 2 devices - one of them a CD drive (which by
default initiates autorun rather than autoplay)...

i think you may find that it is possible to delete these files, or more
accurately it should be possible to overwrite the partition on which
virtual cd drive exists with a new ISO file containing whatever you like...

it will almost certainly require special software specific to the
technology involved but i was able to 'neuter' the U3 installer on the
sandisk cruzer i bought earlier this year using just such a method...
unfortunately i don't know the name of the technology that would give
you the AMT_CDROM drive - a U3 disk would show U3 as the name of the cd
drive...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
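
Added example, not part of the post above or of anyone's message in this thread: since the fake CD drive launches whatever its autorun.inf names, that file can be read without running anything to list what Windows would be told to start. The sample file contents are constructed (the thread never shows the player's real autorun.inf) and the function names are hypothetical.

```python
import configparser
import ntpath

# Keys in the [autorun] section that cause a program to be launched.
LAUNCH_KEYS = ("open", "shellexecute")
RISKY_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js"}

# Constructed sample for illustration; not the contents of the real device.
SAMPLE_AUTORUN = """\
; constructed sample
[AutoRun]
OPEN=start.exe /s
icon=player.ico
shell\\browse\\command="tools\\viewer.exe" %1
label=AMT_CDROM
"""

def first_token(value):
    """Program part of a command line: quoted path, or text up to the first space."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(None, 1)[0] if value else ""

def launch_targets(text):
    """Return [(key, target, risky)] for each autorun.inf entry that runs a program."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True, delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error:
        return []  # not parseable as an INI file
    found = []
    for section in parser.sections():
        if section.lower() != "autorun":  # Windows ignores case in the section name
            continue
        for key, value in parser.items(section):  # keys arrive lower-cased
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if key not in LAUNCH_KEYS and not is_verb:
                continue  # icon=, label= and similar keys launch nothing
            target = first_token(value or "")
            ext = ntpath.splitext(target)[1].lower()
            found.append((key, target, ext in RISKY_EXTS))
    return found

if __name__ == "__main__":
    for key, target, risky in launch_targets(SAMPLE_AUTORUN):
        print(f"{key:24} -> {target}  {'EXECUTABLE' if risky else ''}")
```

Unquoted paths that contain spaces are ambiguous in autorun.inf; this sketch takes the text up to the first space as the program name.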

Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

In reply to kurt wismer's post of Wed, 31 Dec 2008 16:36:17 -0500:

You might consider a LiveCD of gparted,
<http://gparted.sourceforge.net/livecd.php>.  It should be possible to delete
the partition in question and then expand the remaining partition to occupy
the entire drive.
--
Ernie B.

Communication:  The art of moving an idea from one mind to another, hopefully
without distortion.

Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom


I don't think this is the same as the U3 system, which is based on a
software start-up and it's easy to delete the U3 system software files(I've
done this on my 4Gb Sandisk Cruzer).  The files involved here seem to be in
a rom in the device and they are ungettable at if you get my drift. The evil
partition seems to be set up by hardware and the files can't be deleted.
GJ



Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

In reply to GJ:

well, i don't know about your cruzer, but mine had files on the 'cd
drive' as well as on the normal usb drive... the ones on the 'cd drive'
were not editable in the normal way either - they were as read-only as
the contents of any CD in fact... but i was able to find software to
write a new ISO to that drive...

oh, and U3 is not purely software-based, the hardware itself has to be
different from a standard usb flash drive in order to report multiple
devices to windows... basically the hardware has to lie to your
computer, which is not a standard practice...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

In reply to Ernie B.:

these aren't the same as logical partitions on a single physical
drive... the device reports 2 physical drives, one a removable drive and
one a cd drive...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

Yes, that's exactly what the mp3 player did.

Strangely I can't find this Win32/Agent.ONB virus listed anywhere in the
usual virus description libraries so I'm not sure how dangerous it is.

GJ



Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

In reply to GJ:

i'm afraid there are far too many pieces of malware out there for them
to all have a description in an online database - and the family name
"agent" specifically is used for so many things that it is of little
help either... did you follow david's suggestion and submit it to
virustotal.com? i've tried running "agent.onb" through vgrep to find
what other scanners might call it but there were not results returned...

what david said is almost certainly true, it's an autorun worm, but any
additional capabilities it might have depends very much on getting a
description for that specific variant...

if the search for a description is fruitless you may have to assume the
worst (ie. stealth, password stealing, etc)...

another thing you *could* try, however, is to contact the company that
makes your scanner and ask if it's a false alarm or not (you'll probably
have to send them a copy of the file)... they should be able to clear up
some of your other questions too...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

Your mp3 player looks like this?
http://www.unibit.com.cn/English/products_show.asp?id=323
If so, try to update firmware/iso with the tool provided in download
section. There are several models in that page. Good luck

Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom


I had the same problem, but with the Trojan.Horse.PSW.Agent.YOM using
AVG 8.

And I SOLVED that, configuring my mp3 player to not auto music
transfer:

1) Press the Mp3 player configuration button to enter the configuration
Menu,

2) then choose the option: Sys
( It is the 5th option to the right: Msc, Rec, Voi, Fm, SYS, txt, tel )

3) Inside Sys configuration menu, choose: Auto Music Transfer
( it is the 8th option to the right:  Record quality, Backlight time,
Color, Power Off, Replay set, Contrast, Languaje, AUTO MUSIC TRANSFER,
Memory info, Edition, Default, Exit )

4) Inside Auto Music Transfer: choose No ( close or disabled )

And after that, the next time you plug your mp3 player, you will not
see the AMT_CDROM  again.

Hope that this would be useful.


--
pjdura
------------------------------------------------------------------------
pjdura's Profile: http://forums.techarena.in/members/pjdura.htm
View this thread: http://forums.techarena.in/antivirus-software/1095733.htm

http://forums.techarena.in


Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom


Hello!
I have the same problem, tried a USB vaccine and what you said, but I
simply don't have this 'configuration' on my mp3 here so I couldn't make
it through and the plus driver, with the Trojan does not let me open
files and send them to the mp3 player,
could you pls help me?

thanx in advance


--
aimie077


Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

In reply to aimie077's post of 05/05/2009 02:08 PM:

Hello Aimie:

The problem with "stealing" the thread from GJ is that the focus can
change to you without a proper solution for GJ.

After reading this, please start a thread of your very own stating the
exact circumstances you believe you have this malware presently in your
system.  Please include the exact details of your OS and antimalware
application that reported it and the full pathname to the infection.

Please don't leave out the "small" details

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom


Pjdura's fix worked for me.

It's not a virus, it's a feature that behaves like a virus might (tries
to make things happen in your PC). I flipped the switch shown in the 3rd
box above this one -- thanks, much pjdura.

Before, I got 2 new drive letters when I connected up. F: had the same
3 files GJ listed, and G: was my music, voice recordings, etc. (and the
PDF user manual - pretty slick). Now I only get a G: drive. Disabling
the 'system' feature makes my oversize postage-stamp-looking iVO-Sound
m220 4G MP3 player ($20 at Micro Center) a simple USB device, not a
complicated one.

Before making the switch, I got a popup asking if I wanted WinAmp to
control the music on my 'new' CD-ROM drive (Auto M*u*s*i*c Transfer
never seemed to work, but it did spawn a nasty trojan message) and then
a second popup with a Windows Explorer option (and a variety of other
choices). Now I just get the second popup. The faux CD is gone, and I
only see the jumpdrive partition. I don't care. I don't get any more
trojan virus scary popups, either. (FWIW, trojans are a completely
different breed of pest, and no product finds even most of them. Nearly
all antivirus products catch and try to kill essentially every virus, as
long as you let them update every day. Windows Update should be on auto
or handled properly.)

The reason I can't find any more info on psw.Agent.YOM is because it's
not harmful, it's not really a trojan; it's just an action that's
recognized by Avast! antivirus (free version) as hooking into my PC. I'm
being alerted to potentially dangerous activity, but I understand that
it's harmless. Now it's "gone."

And, frankly, I don't think I follow aimie077's issue at all. I don't
understand how this feature could cause a file write failure to the
drive. Unless that issue is different from mine, I'm going with 'reboot'
on this one . . .


--
cgosh


Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

In reply to GJ's post of Tuesday, December 30, 2008 10:25:02 PM UTC-5:

I have a RCA Mp3, and a Craig Mp3 and they both do the same thing. I hook
it up, and then it tells me that a threat has been detected, and it tells me
it's the trojan horse virus. I have done a little bit of research on this,
and it tells me that a trojan horse virus, can be put on your computer by
online games and other online things. It says that the trojan horse virus
allows hackers into your computer, and they can hack your system...that's
all I know.

Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom


You are answering a 4 year old post.

Either the infector is a virus or a trojan but there is no such thing as a
"trojan horse virus" albeit a trojan can be infected by a virus such as a
CyberGate RAT being infected with Parite or Sality.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

There is no such thing as a Computer,
and The World Is Flat Too........

Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom



In your mind I presume you to believe both are true.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
