My question: are WinMo6 handsets susceptible to autorun.inf shenanigans?
Reason I ask is a Hong Kong cell phone accessories vendor just shipped me
a MiniSD card (for use in my Motorola Q9m) that turns out (once I stuck it
into the Q9m and looked at it with File Manager) to contain two files:
MP3.EXE (circa 90 Kbytes, dated 5/17/2005), and
autorun.inf (circa 58 bytes, dated 11/18/2011).
What autorun.inf aims for, of course, is: " open = mp3.exe ".
Looks awfully suspicious. Do WinMo6 phones like the Moto Q9m respond to
such autorun.inf directives? Will just navigating to that mem card
trigger that? How gunched might that Moto Q now be in consequence?
I did have the Moto Q powered off when I inserted the card; powered it
on again once the card was in and locked in. Changed ".inf" to ".txt"
so as to read the autorun file's contents. Have no way, currently, to
ship MP3.EXE off to VirusTotal, or the like, as I have no MiniSD card
reader other than the Q handset itself, at the moment.
Thanks for any useful advice/comments/suggestions. And cheers, -- tlvp
--
Before replying, throw out the trash, please.
At 20 Dec 2011 01:50:58 -0500 tlvp wrote:
> My question: are WinMo6 handsets susceptible to autorun.inf shenanigans?
>
> Reason I ask is a Hong Kong cell phone accessories vendor just shipped me
> a MiniSD card (for use in my Motorola Q9m) that turns out (once I stuck it
> into the Q9m and looked at it with File Manager) to contain two files:
>
> MP3.EXE (circa 90 Kbytes, dated 5/17/2005), and
> autorun.inf (circa 58 bytes, dated 11/18/2011).
>
> What autorun.inf aims for, of course, is: " open = mp3.exe ".
>
> Looks awfully suspicious. Do WinMo6 phones like the Moto Q9m respond to
> such autorun.inf directives? Will just navigating to that mem card
> trigger that? How gunched might that Moto Q now be in consequence?
>
> I did have the Moto Q powered off when I inserted the card; powered it
> on again once the card was in and locked in. Changed ".inf" to ".txt"
> so as to read the autorun file's contents. Have no way, currently, to
> ship MP3.EXE off to VirusTotal, or the like, as I have no MiniSD card
> reader other than the Q handset itself, at the moment.
>
> Thanks for any useful advice/comments/suggestions. And cheers, -- tlvp
It's probably a virus, but not necessarily the vendor's fault. I bought
a Hasbro (yes, the toy company) MP3 player (a real MP3 player marketed
for kids) that had obviously been opened previously, off the clearance
shelf at Walmart a few years ago that set off my anti-virus software when
I first plugged it in to my PC. The device had apparently been returned
by a customer with an infected PC. My AV software removed it and no harm
done.
Even if the card has a virus, it would have to have been specifically
written to infect Windows Mobile, rather than Windows, to affect your
device. While there are two or three actual WinMo viruses reportedly in
existence, your odds are pretty good the card is simply a return from a
customer with an infected PC. Delete the files and don't worry about it.
In any case, there's no way on God's Green Earth anything happened to
your Q. Windows Mobile doesn't know what to do with an "autorun.inf" file.
WinMo will automatically run a file named "autorun.exe" from a storage
card if present, however, which is further evidence that whatever is on
that card was made for a PC to run, not a phone or PDA.
On Tue, 20 Dec 2011 02:08:14 -0700, Todd Allcock wrote:
>>
>> Thanks for any useful advice/comments/suggestions. And cheers, -- tlvp
>
>
> It's probably a virus, but not necessarily the vendor's fault. I bought
The vendor's only conceivable fault may have been not scanning the card
before selling it. But it was sold as new, and probably reached the vendor
as one of a shipment of many in a large lot from either the manufacturer
or a grossist-stocker, and (as a low-cost item -- well under $10) just
didn't merit individual testing. Of course, it *may* also ...
> a Hasbro (yes, the toy company) MP3 player (a real MP3 player marketed
> for kids) that had obviously been opened previously, off the clearance
> shelf at Walmart a few years ago that set off my anti-virus software when
> I first plugged it in to my PC. The device had apparently been returned
> by a customer with an infected PC. ...
.... have been a return, of course ... .
> Even if the card has a virus, it would have to have been specifically
> written to infect Windows Mobile, rather than Windows, to affect your
> device. While there are two or three actual WinMo viruses reportedly in
> existence, your odds are pretty good the card is simply a return from a
> customer with an infected PC. Delete the files and don't worry about it.
No need to use the WinMo file manager's Format Card function?
> In any case, there's no way on God's Green Earth anything happened to
> your Q. Windows Mobile doesn't know what to do with an "autorun.inf" file.
Ah! How sweet that is to hear :-) !
> WinMo will automatically run a file named "autorun.exe" from a storage
> card if present, however, which is further evidence that whatever is on
> that card was made for a PC to run, not a phone or PDA.
And that autorun was most definitely an .inf, not an .exe. What's more,
the way its content got displayed by the notepad-like text editor after
I changed the suffix from .inf to .txt makes me think it was in a multibyte
Unicode format that the phone might not even clearly understand: roughly
ÿþ [ a u t o ... sump'n or other ... ]
o p e n = m p 3 . e x e
here that opening ÿþ reminds me of the two byte opener to a multibyte
Unicode file, and the bizarre spaces between alternate characters help
confirm my impression that it's a matter of a multibyte character set here.
[In fact, ÿþ *is* just that standard Unicode-invocatory U+FE U+FF string.]
Fortunately, as the only equipment I have capable of coping with MiniSD
at present *is* that Moto Q (the MiniSD to SD carrier device that *should*
have been part of the package is coming separately, later, through an
oversight in my vendor's shipping room), I've had no opportunity either
to cause harm elsewhere ( :-) ) or to virus-test that MP3.EXE file ( :-{ ).
Thanks for chiming in so reassuringly, Todd. Season's Best, and
Cheers, -- tlvp
--
Before replying, throw out the trash, please.
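The file described in the post above (a ÿþ prefix, then a blank after every character) can be read as raw bytes without renaming it or letting Windows act on it. This is an added example, not code from any poster in the thread; the function names and sample bytes are constructed here, and the `[autorun]` section name is an assumption, since the post shows that header only in part.

```python
import codecs

# autorun.inf keys that name a program for Windows to launch.
LAUNCH_KEYS = ("open", "shellexecute")

def decode_inf(raw: bytes) -> str:
    """Decode autorun.inf bytes, honouring a Unicode byte-order mark."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")      # BOM picks the byte order, then is dropped
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig")
    return raw.decode("latin-1")         # cannot fail, good enough for triage

def launch_directives(raw: bytes) -> dict:
    """Return {key: command} for launch keys found in the [autorun] section."""
    found, in_autorun = {}, False
    for line in decode_inf(raw).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in LAUNCH_KEYS:
                found[key.lower()] = value
    return found

# Constructed sample: UTF-16LE with BOM, which a byte-oriented text viewer
# shows as "ÿþ" followed by characters separated by blanks.
SAMPLE = codecs.BOM_UTF16_LE + "[autorun]\r\nopen = mp3.exe\r\n".encode("utf-16-le")

if __name__ == "__main__":
    print(launch_directives(SAMPLE))
```
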
> The vendor's only conceivable fault may have been not scanning the card
> before selling it. But it was sold as new, and probably reached the vendor
> as one of a shipment of many in a large lot from either the manufacturer
> or a grossist-stocker, and (as a low-cost item -- well under $10) just
> didn't merit individual testing.
True...
> Of course, it *may* also have been a return, of course ... .
It probably wouldn't be the first time a vendor sold a return as "new"...
Perhaps it's even the vendor's computer that has the virus, applied when
he formatted the card back to "new".
> No need to use the WinMo file manager's Format Card function?
Sure, go ahead if you like. Many WinMo devices don't have that option,
and since you said you didn't have a reader for the PC, I assumed
formatting wasn't an option, and figured you'd want to play with it
sooner rather than later.
> Fortunately, as the only equipment I have capable of coping with MiniSD
> at present *is* that Moto Q (the MiniSD to SD carrier device that *should*
> have been part of the package is coming separately, later, through an
> oversight in my vendor's shipping room), I've had no opportunity either
> to cause harm elsewhere ( :-) ) or to virus-test that MP3.EXE file ( :-{ ).
You could always keep the .exe on the card for testing later to satisfy
our curiosity, but I'd delete the autorun.inf to be safe. A WinMo device
can't run an exe designed for Windows PCs anyway. Different OS,
different CPU type (ARM instead of x86) so even if you try to run it on
the Q, you'll just get a "MP3.EXE is not a valid Smartphone Application"
popup error message.
> Thanks for chiming in so reassuringly, Todd. Season's Best, and
>
> Cheers, -- tlvp
My pleasure. Don't hesitate to fire those WinMo questions my way. If
you want to know about a fossil, who better to ask than a Dinosaur?
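The CPU difference mentioned in the reply above is recorded in the file itself: a PE executable names its target processor in the Machine field of its COFF header, which can be read without running anything. This is an added example, not code from the thread; the function names and the stub headers are constructed for illustration.

```python
import struct

# Machine values from the PE/COFF specification.
MACHINE_NAMES = {
    0x014C: "x86",
    0x8664: "x64",
    0x01C0: "ARM",
    0x01C2: "ARM Thumb",
}

def pe_machine(data: bytes) -> str:
    """Return the target CPU named in a PE file's COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew, at offset 0x3C of the DOS header, points to the PE signature.
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < pe_offset + 6 or data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # The 16-bit Machine field follows the 4-byte signature.
    (machine,) = struct.unpack_from("<H", data, pe_offset + 4)
    return MACHINE_NAMES.get(machine, f"unknown (0x{machine:04X})")

def stub_pe(machine: int) -> bytes:
    """Constructed sample: DOS header, PE signature and Machine field only."""
    dos_header = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    return dos_header + b"PE\0\0" + struct.pack("<H", machine)

if __name__ == "__main__":
    for value in (0x014C, 0x01C2):
        print(hex(value), "->", pe_machine(stub_pe(value)))
```
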
On Tue, 20 Dec 2011 17:05:18 -0700, Todd Allcock wrote:
> At 20 Dec 2011 16:28:28 -0500 tlvp wrote:
>
>> The vendor's only conceivable fault may have been not scanning the card
>> before selling it. But it was sold as new, and probably reached the vendor
>> as one of a shipment of many in a large lot from either the manufacturer
>> or a grossist-stocker, and (as a low-cost item -- well under $10) just
>> didn't merit individual testing.
>
> True...
>
>
>> Of course, it *may* also have been a return, of course ... .
>
> It probably wouldn't be the first time a vendor sold a return as "new"...
> Perhaps it's even the vendor's computer that has the virus, applied when
> he formatted the card back to "new".
>
>> No need to use the WinMo file manager's Format Card function?
>
> Sure, go ahead if you like. Many WinMo devices don't have that option,
> and since you said you didn't have a reader for the PC, I assumed
> formatting wasn't an option, and figured you'd want to play with it
> sooner rather than later.
>
>> Fortunately, as the only equipment I have capable of coping with MiniSD
>> at present *is* that Moto Q (the MiniSD to SD carrier device that *should*
>> have been part of the package is coming separately, later, through an
>> oversight in my vendor's shipping room), I've had no opportunity either
>> to cause harm elsewhere ( :-) ) or to virus-test that MP3.EXE file ( :-{ ).
>
> You could always keep the .exe on the card for testing later to satisfy
> our curiosity, but I'd delete the autorun.inf to be safe. A WinMo device
> can't run an exe designed for Windows PCs anyway. Different OS,
> different CPU type (ARM instead of x86) so even if you try to run it on
> the Q, you'll just get a "MP3.EXE is not a valid Smartphone Application"
> popup error message.
>
>> Thanks for chiming in so reassuringly, Todd. Season's Best, and
>>
>> Cheers, -- tlvp
>
>
> My pleasure. Don't hesitate to fire those WinMo questions my way. If
> you want to know about a fossil, who better to ask than a Dinosaur?
>
> Happy Holidays to you and yours!
>
> -Todd
Apologies for not trimming, but ... .
The vendor's response to my inquiry, whether all such cards as they sell
come with such a matched pair of MP3.EXE and autorun.inf files was: No,
they sell their cards empty, probably the phone loaded those files onto
the card when I first inserted the card.
My reaction, to them: thanks for the suggestion, I'll take it into
consideration; but to me: hmm ... a 2005 MP3.EXE file, perhaps, as
the phone could be more or less of that vintage, give or take; but a
November 2011 autorun.inf file? Naah -- 2011 is too late a date for
the phone to have had such a file in it to copy, and *November* 2011 is
too early a date for any file the phone might have *generated* for the
card on the day a few days ago this month (December) that I first
stuck the card into the phone -- so, nice try, but no cigar :-) .
(Covering their @$$es, is my guess.)
I may try to do one of the following using virustotal.com:
1) get the phone to upload the .exe file there,
2) get the phone to email the .exe file there, or
3) use the MiniSD-to-SD device that's coming soon
to let a PC upload the .exe file there,
and see what the verdict is. And/or, once method 3) is available, let
my MSE or MBAM or SAS have a crack at that .exe and see what they think.
Whatever the result(s), I'll post here and let the vendor know as well.
Probably after Xmas, as the MiniSD-to-SD gizmo won't likely be here before.
Cheers, -- tlvp
--
Before replying, throw out the trash, please.
> My question: are WinMo6 handsets susceptible to autorun.inf shenanigans?
>
> Reason I ask is a Hong Kong cell phone accessories vendor just shipped me
> a MiniSD card (for use in my Motorola Q9m) that turns out (once I stuck it
> into the Q9m and looked at it with File Manager) to contain two files:
>
> MP3.EXE (circa 90 Kbytes, dated 5/17/2005), and
> autorun.inf (circa 58 bytes, dated 11/18/2011).
>
> What autorun.inf aims for, of course, is: " open = mp3.exe ".
>
> Looks awfully suspicious. Do WinMo6 phones like the Moto Q9m respond to
> such autorun.inf directives? Will just navigating to that mem card
> trigger that? How gunched might that Moto Q now be in consequence?
>
> I did have the Moto Q powered off when I inserted the card; powered it
> on again once the card was in and locked in. Changed ".inf" to ".txt"
> so as to read the autorun file's contents. Have no way, currently, to
> ship MP3.EXE off to VirusTotal, or the like, as I have no MiniSD card
> reader other than the Q handset itself, at the moment.
>
> Thanks for any useful advice/comments/suggestions. And cheers, -- tlvp
First follow-up: the vendor, intending to ship me the MiniSD-to-SD adapter
card that they inadvertently omitted from my original order-shipment, sent
along a fresh 4GB MiniSD card instead -- packing-room error -- which, once
inserted into the Moto Q9m, showed *no* files on it at all (as I'd have
expected), indicating that whatever that *first* card had on it was *not*
put there by getting inserted into that handset :-) (but we all knew that).
Future follow-up, once the MiniSD-to-SD adapter card (that they again have
promised faithfully to send along) actually gets here, so I can ship the
original pair of suspicious files off to VirusTotal from my PC. Stay tuned.
Cheers, -- tlvp
--
Before replying, throw out the trash, please.
> ... Hong Kong cell phone accessories vendor just shipped me
> a MiniSD card (for use in my Motorola Q9m) that turns out (once I stuck it
> into the Q9m and looked at it with File Manager) to contain two files:
>
> MP3.EXE (circa 90 Kbytes, dated 5/17/2005), and
> autorun.inf (circa 58 bytes, dated 11/18/2011).
>
> What autorun.inf aims for, of course, is: " open = mp3.exe ".
>
> Looks awfully suspicious.
And suspicious it was. Today's mail finally brought me a MiniSD-to-SD
adapter tray, into which I loaded that MiniSD card (with its autorun.inf
renamed to autorun.inf.TXT to defang it) and then (Shift key firmly
depressed all the while) loaded the SD tray into its slot, right-clicked it
in "My Computer", and ran MSE. The story: <<Sirens!>>
| Category: Virus: Win32/Virut.F
| Description: This program is dangerous and replicates by infecting other files.
| Recommended action: Remove this software immediately.
| Items: file: F:\mp3.exe
Naturally, I let MSE quarantine and remove that threat.
> Do WinMo6 phones like the Moto Q9m respond to
> such autorun.inf directives?
Evidently not, as Todd A. surmised :-) . So: "all's well that ends well."
Cheers, -- tlvp
--
Before replying, throw out the trash, please.