Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Would you like a virus with that?

Created: 17 Oct 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:56:02 GMT
Orla Cox's picture
0 0 Votes
Login to vote

McDonalds' customers in Japan recently found themselves exposed to a worm infection when MP3 players, offered as a prize in a drink promotion, were found to contain a worm called W32.Pasobir. This isn't the first time we've seen hardware devices and media accidentally shipped with malware. One of the more famous incidents occurred back in 1998, when the W95.Marburg virus was accidentally shipped on some game CDs, including CDs offered free with gaming magazines. More recently (again, in Japan) hard drive manufacturer I-O Data accidentally shipped a number of hard disks containing a back door Trojan horse. In most circumstances the malware itself is old, in which case any up-to-date antivirus program should prevent infection. This demonstrates the need for manufacturers to ensure that any computers in their production environments have up to date antivirus products installed.

In the McDonalds' case, an autorun "feature" of the worm meant that it would run automatically as soon as the MP3 player was connected to the user's computer. W32.Pasobir creates an autorun.inf file that contains instructions for automatically launching the worm—a rather unfortunate feature for a worm included on a USB device. Also, the worm has the ability to copy itself to removable drives, which gives some indication as to how it got onto the MP3 players in the first place.

McDonalds is replacing any infected MP3 players. Further information is available here (in Japanese). Symantec antivirus definitions dated on September 25 or later will protect against this worm.

Update (10/18/06): We now have a fix tool available to remove infections of W32.Pasobir. You can download it here.