#1
Win32/Agent.ONB Trojan virus built into an mp3 player rom

My nephew was given a no-name mp3 player, which looks like a USB drive, for Christmas. When the MP3 player is plugged into a USB port on our computer, it is identified by Windows XP Home as two devices:

1) AMT_CDROM, a read-only drive
2) MP3_PLAY, a drive which contains mp3 files to be played by the player.

The AMT_CDROM drive contains some files which try to run as soon as the player is plugged in, using the Windows AUTORUN function. These files are in a chip on the player and cannot be deleted. These files are:

autorun.inf
AMT.sn
start.exe

The result of this is that Windows tries to run the file "start.exe", and as soon as this happens it is flagged by the anti-virus software (NOD32) as containing the Win32/Agent.ONB Trojan virus.

There are some references to this virus on the web, but nothing very useful which I have found so far - the following has been translated from Italian on a forum and relates a similar experience.

"Hello everyone I have a question to be asked: I bought an mp3 player similar to your shuffle from china 2 gi The problem is that if I connect off with usb cable to PC then turn fits ... you see, it works and everything is ok ... But if the spengo and then riaccendo tells me "device not recognized" and then at the end asks me to reboot the PC. But the main problem is that my view on the PC in addition to "removable disk" also similar to a disc player that if I clicked on from the antivirus (nod 32) recognize a file start.exe." "G: \ AMT.sn 'cabinet' BackupTool.exe - probably a variant of Win32/PSW.Agent horse tr ** a" the presence of a file infested by trojan. The result is this: "G: \ start.exe - Win32/Agent.ONB horse tr ** a - error while deleting - file is locked - error while deleting - file is locked - error while deleting - file is blocked." of course I can not remove in any way .... this disc (AMT_CDROM) despite the low level formatting does not delete them ... but still active ... I do is safe to use? You can delete?"

I can't find any details on what the virus, if it really exists, does. Has anyone come across this before? If there is a virus present, it seems to be encoded into the rom chip on the mp3 player during its manufacture. I can't imagine the presence of the virus pattern is a coincidence because the function of the start.exe must be fairly simple in this use. Look forward to hearing of any similar incidents or anything else about this one you can tell me. Thanks

#2
Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

It is an AutoRun worm. If Eset doesn't provide technical information on what this AutoRun worm does, you'll have to provide the EXE file to Virus Total to see who else recognizes this threat and see if they have technical information on what this AutoRun does.

Please submit a sample to Virus Total -- the submission will then be tested against many different AV vendors' scanners. That will give you an idea what it is and who recognizes it. In addition, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL... mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

#3
Same here - just got three of them from an ebay seller. I managed to repartition and reformat, but still opens a virtual cdrom with said files...

Will do, but the mp3 player is now in Ballarat - I'll have to wait until my nephew comes back to Melbourne. Thanks

#4
this sounds like a variation on the U3 technology that certain usb flash drives (notably the sandisk cruzer) come with... the technology allows certain usb devices to bypass normal windows limitations on usb flash drives (ie. normally usb drives initiate autoplay instead of autorun) by presenting windows with 2 devices - one of them a CD drive (which by default initiates autorun rather than autoplay)...

i think you may find that it is possible to delete these files, or more accurately it should be possible to overwrite the partition on which the virtual cd drive exists with a new ISO file containing whatever you like... it will almost certainly require special software specific to the technology involved but i was able to 'neuter' the U3 installer on the sandisk cruzer i bought earlier this year using just such a method...

unfortunately i don't know the name of the technology that would give you the AMT_CDROM drive - a U3 disk would show U3 as the name of the cd drive...

You might consider a LiveCD of gparted, <http://gparted.sourceforge.net/livecd.php>. It should be possible to delete the partition in question and then expand the remaining partition to occupy the entire drive.

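The mechanism discussed in the posts above, as an added example that is not code from any participant in the thread: it reads an autorun.inf as text, without executing anything, and reports what Windows would launch from a drive that announces itself as a CD-ROM. The sample file contents, the function names and the use of the NoDriveTypeAutoRun policy mask (0x91 is the Windows XP default, 0xFF disables AutoRun for all drive types) are assumptions added here; the thread names the files but never shows them.

```python
import re

AUTO_KEYS = ("open", "shellexecute")                 # launched when AutoRun fires
MENU_KEY = re.compile(r"^shell\\[^\\]+\\command$")   # launched from the drive's context menu

# NoDriveTypeAutoRun policy bits: a set bit turns AutoRun off for that drive type.
DRIVE_BITS = {"unknown": 0x01, "removable": 0x04, "fixed": 0x08,
              "network": 0x10, "cdrom": 0x20, "ramdisk": 0x40}

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_targets(entries):
    """Split entries into commands run automatically and commands run from the menu."""
    auto = [(k, v) for k, v in entries.items() if k in AUTO_KEYS]
    menu = [(k, v) for k, v in entries.items() if MENU_KEY.match(k)]
    return auto, menu

def assess(text, mask, drive_type):
    """Combine the file's launch entries with the policy mask for one drive type."""
    auto, menu = launch_targets(parse_autorun(text))
    allowed = not (mask & DRIVE_BITS[drive_type])     # the mask is only one precondition
    return {"auto": auto, "menu": menu, "runs_on_insert": bool(auto) and allowed}

# Constructed sample: not the real file from the AMT_CDROM drive.
SAMPLE = r"""; constructed autorun.inf
[AutoRun]
OPEN = start.exe
icon=start.exe,0
shell\scan\command=start.exe /s
"""

if __name__ == "__main__":
    for mask in (0x91, 0xFF):
        print(hex(mask), assess(SAMPLE, mask, "cdrom"))
```
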
#5
Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

I don't think this is the same as the U3 system, which is based on a software start-up and it's easy to delete the U3 system software files (I've done this on my 4Gb Sandisk Cruzer). The files involved here seem to be in a rom in the device and they are ungettable at if you get my drift. The evil partition seems to be set up by hardware and the files can't be deleted. GJ

#6
well, i don't know about your cruzer, but mine had files on the 'cd drive' as well as on the normal usb drive... the ones on the 'cd drive' were not editable in the normal way either - they were as read-only as the contents of any CD in fact... but i was able to find software to write a new ISO to that drive...

oh, and U3 is not purely software-based, the hardware itself has to be different from a standard usb flash drive in order to report multiple devices to windows... basically the hardware has to lie to your computer, which is not a standard practice... these aren't the same as logical partitions on a single physical drive... the device reports 2 physical drives, one a removable drive and one a cd drive...

Yes, that's exactly what the mp3 player did. Strangely I can't find this Win32/Agent.ONB virus listed anywhere in the usual virus description libraries so I'm not sure how dangerous it is.

#7
i'm afraid there are far too many pieces of malware out there for them to all have a description in an online database - and the family name "agent" specifically is used for so many things that it is of little help either...

did you follow david's suggestion and submit it to virustotal.com? i've tried running "agent.onb" through vgrep to find what other scanners might call it but there were no results returned...

what david said is almost certainly true, it's an autorun worm, but any additional capabilities it might have depends very much on getting a description for that specific variant... if the search for a description is fruitless you may have to assume the worst (ie. stealth, password stealing, etc)...

another thing you *could* try, however, is to contact the company that makes your scanner and ask if it's a false alarm or not (you'll probably have to send them a copy of the file)... they should be able to clear up some of your other questions too...

Your mp3 player looks like this? If so, try to update firmware/iso with the tool provided in download section. There are several models in that page. Good luck

#8
Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

I had the same problem, but with the Trojan.Horse.PSW.Agent.YOM using AVG 8. And I SOLVED that, configuring my mp3 player to not auto music transfer:

1) Press the Mp3 player configuration button to enter the configuration Menu,
2) then choose the option: Sys (It is the 5th option to the right: Msc, Rec, Voi, Fm, SYS, txt, tel)
3) Inside the Sys configuration menu, choose: Auto Music Transfer (it is the 8th option to the right: Record quality, Backlight time, Color, Power Off, Replay set, Contrast, Languaje, AUTO MUSIC TRANSFER, Memory info, Edition, Default, Exit)
4) Inside Auto Music Transfer: choose No (close or disabled)

And after that, the next time you plug your mp3 player, you will not see the AMT_CDROM again. Hope that this would be useful.

#9
Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

Hello! I have the same problem, tried a USB vaccine and what you said, but I simply don't have this 'configuration' on my mp3 here so I couldn't make it through and the plus driver, with the Trojan does not let me open files and send them to the mp3 player, could you pls help me? thanx in advance

#10
Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

Hello Aimie: The problem with "stealing" the thread from GJ is that the focus can change to you without a proper solution for GJ. After reading this, please start a thread of your very own stating the exact circumstances you believe you have this malware presently in your system. Please include the exact details of your OS and antimalware application that reported it and the full pathname to the infection. Please don't leave out the "small" details.

#11
Re: Win32/Agent.ONB Trojan virus built into an mp3 player rom

Pjdura's fix worked for me. It's not a virus, it's a feature that behaves like a virus might (tries to make things happen in your PC). I flipped the switch shown in the 3rd box above this one -- thanks much, pjdura.

Before, I got 2 new drive letters when I connected up. F: had the same 3 files GJ listed, and G: was my music, voice recordings, etc. (and the PDF user manual - pretty slick). Now I only get a G: drive. Disabling the 'system' feature makes my oversize postage-stamp-looking iVO-Sound m220 4G MP3 player ($20 at Micro Center) a simple USB device, not a complicated one.

Before making the switch, I got a popup asking if I wanted WinAmp to control the music on my 'new' CD-ROM drive (Auto Music Transfer never seemed to work, but it did spawn a nasty trojan message) and then a second popup with a Windows Explorer option (and a variety of other choices). Now I just get the second popup. The faux CD is gone, and I only see the jumpdrive partition. I don't care. I don't get any more trojan virus scary popups, either.

(FWIW, trojans are a completely different breed of pest, and no product finds even most of them. Nearly all antivirus products catch and try to kill essentially every virus, as long as you let them update every day. Windows Update should be on auto or handled properly.)

The reason I can't find any more info on psw.Agent.YOM is because it's not harmful, it's not really a trojan; it's just an action that's recognized by Avast! antivirus (free version) as hooking into my PC. I'm being alerted to potentially dangerous activity, but I understand that it's harmless. Now it's "gone."

And, frankly, I don't think I follow aimie077's issue at all. I don't understand how this feature could cause a file write failure to the drive. Unless that issue is different from mine, I'm going with 'reboot' on this one . . .

Last edited by cgosh : 11-05-2009 at 06:41 AM. Reason: add detail