Dear AusCERT Delegate

At the AusCERT conference this week, you may have collected a complimentary USB key from the IBM booth.   Unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected.

The malware is detected by the majority of current Anti Virus products [as at 20/05/2010] and been known since 2008.

The malware is known by a number of names and is contained in the setup.exe and autorun.ini files.  It is spread when the infected USB device is inserted into a Microsoft Windows workstation or server whereby the setup.exe and autorun.ini files run automatically.

Please do not use the USB key, and we ask that you return it to IBM at Reply Paid 120, PO Box 400, West Pennant Hills 2120.

If you have inserted the USB device into your Microsoft Windows machine, we suggest that you contact your IT administrator for assessment, remediation and removal, or you may want to take the precaution of performing the steps below.

Steps to remove the malware:

1. Turn off System Restore
[StartProgramsAccessoriesSystem toolsSystem Restore]
Turning off System Restore will enable your anti virus software to clean the virus from both your current system and any restore points that may have become infected.

2. Update your antivirus tool with the latest antivirus definitions
[available from your anti virus vendor of choice].

3. Perform a full system scan with your AV tool to confirm the existence of the infection.  If malware is detected allow your AV to complete a clean.

4. On completion of this process, complete a second scan using a different anti virus product. Free anti virus products are available from known companies such as AVG, Avira, Panda Software, or Trend Micro.

5. Once a second scan has been performed and it is determined that your workstation is free of any known malware,  as a precautionary measure we recommended that you perform a back up of all vital files on your workstation and perform a full re-installation of the operating system.  This process will remove the risk of other unknown or undetected malware that may be present on your machine.

If you experience difficulties with the above steps, please contact the IBM Security Operations Team at  An IBM technical support person will contact you by phone to assist you.

We regret any inconvenience that may have been caused.

Glenn Wightwick
Chief Technologist
IBM Australia
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

  1. [...] This post was mentioned on Twitter by Drazen Drazic and David | Cleartext, Christian Frichot. Christian Frichot said: RT @DDrazic: IBM letter to #AusCERT delegates regarding malware giveaway. [...]

  2. [...] Read this article: Beast Or Buddha » Blog Archive » IBM Letter to AusCERT delegates … [...]

  3. Drazen Drazic says:

    A search on Google for “IBM Quality Assurance” brings up a plethora of results. IBM’s commitment to QA is prominent marketing for them but how do you trust this is nothing more than marketing spiel? You cannot when the basics are a total fail.

    Surely even within IBM they can’t be saying; “Ah, they’ll forget it…”

    We continue to forgive large security vendor for “mistakes” but small guys who make one mistake always know their business is on the line. Not really fair is it.

    IBM is not alone here but I see this will be another major stuff up that will be quickly forgotten.

    If you’re a decision maker in a company, you know you can’t trust the marketing BS for QA. Make your penalty clauses huge and stick to your guns when dealing with anyone!

    “It could happen to anyone?”…..not if they actually gave a rats to detail!


  4. Jay says:

    Rumor has it that the USB keys were acquired from the same factory Telstra did … in China.

  5. 2IBM says:

    Perform steps 2-4 next time yourself.

  6. lamm says:

    What an embarrassment.

    Such security headaches are easily avoided by using a free GNU/Linux distribution.

  7. [...] Here is the full text of the letter from IBM Chief Technologist Glenn Wightwick (via Drazen Drazic): [...]

  8. [...] Here’s the full email from IBM, as relayed by blogger Drazen Drazic. [...]

  9. Drazen Drazic says:

    Shows the power of Twitter for this link to go global overnight from:

  10. Ezekial says:

    I am curious as why it took til Friday night, 2 days after the main conference is over to get the message out! I have seen the Sophos note confirming that there was bad stuff on the stick but I have not seen any reports of punters who caught something from a contaminated stick.

  11. [...] Weblog Beast Or Buddha Passende Links: Sophos Endpoint Security and Control Teilen Sie diesen Artikel mit Ihren [...]

  12. Xd says:

    Time for the cert to analyse stuff they give out. Unforgivable.

  13. ConspiracyT says:

    Coincidental given your previous post

    Alot of people out there talking about this.

  14. [...] sre?u, u IBM-u su propust primijetili na vrijeme te su svima poslali upozorenje s preporukom da ne koriste sporne flash memorije te proceduru za uklanjanje ra?unalne napasti koja [...]

  15. The Knuckle says:

    I feel as though I missed out. I didn’t get an IBM memory stick with free malware, all I got was a free Ironkey(tm) !

    “Ironkey: Encrypting your valuable retro porn since 2001.”

    (Written, spoken & unauthorised by The Knuckle.)

  16. Xd says:

    Ripped off Knuckle.

  17. D2 says:

    Runs and hides.

  18. Drazen Drazic says:

    @The Knuckle,

    You should disclose you won the Ironkey in a best tweet competition. BTW, what was the winning entry? I know you sent a few but which one got it for you?


  19. [...] and hiding in the setup.exe file and autorun.ini make all the rounds since 2008, we read in the mail. IBM recommends to perform a virus [...]

  20. tom mullen says:

    Scanning digital content with multiple AVs should become a standard release management practice — whether the content being released is free or for sale. No single anti-virus can be perfect 100% of the time.

  21. [...] The unlovely gift was supplied to an unknown number of delegates to the Gold Coast, Queensland conference who visited IBM’s booth. Big Blue does not identify the strain of malware involved in the attack beyond saying it’s a type of virus widely detected for at least two years which takes advantage of Windows autorun to spread, as a copy of IBM’s email apology published by the Beast Or Buddha blog explains. [...]

  22. [...] final, IBM tuvo que emitir un comunicado para de cierta forma disculparse y explicar cómo eliminar a este inusual huésped. Ahorrémonos el [...]