10/17/2006, 5:35pm, EDT
Tuesday, October 17th
Windows worm found in video iPods
"It appears this virus propagates to a PC when an iPod containing the virus is double-clicked in Windows Explorer. Technically it's a worm. It does not spread through a network."
The Apple executive said there was an exception in the production line process that is now remedied, adding his belief that Apple now has a process to ensure it doesn't happen again. "It's the first time this has happened to us and we wanted to be very open and up-front about what's happening. We first learned of this a week ago," Joswiak said. "Since then we have been working around the clock on this, discovering the root cause."
Although the worm does not do any damage to data on Windows systems, it can lower the security settings of an infected system, according to Apple, and should be removed from any infected machine. The worm propagates itself through mass storage devices and affects only Windows computers. Apple says up-to-date anti-virus software that comes bundled with most Windows systems should detect and remove the worm.
"As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it," Joswiak said. The company has published links to trial version downloads of anti-virus applications which are known to detect and destroy the worm, accommodating those Windows users who may not already have anti-virus software installed. Once installed, users are encouraged to attach their iPod to their Windows computer and run the anti-virus software. Users are also instructed to run the "Restore" function in iTunes 7 to restore the software on the affected iPod, according to the report. Additionally, Apple is suggesting users scan all existing external storage devices, including hard drives and digital camera memory cards for the worm.
Filed under: iPod
But then why disclose the info? jk
heh!
First, Greg, it's a worm, not a virus.
Second, what world have you been living in to think that Windows is more virus-resistant than it really is (i.e. not at all)? Maybe you should watch your own commercials touting how Windows is always infected.
Third, what does this say about the state of Apple's Windows software? Do they not concern themselves with viruses and the like, and are therefore prone to be susceptible? Is this just one guy trying to deflect the blame onto MS (hell, you might as well also blame A-Rod for the troubles!)?
Although, on the plus side (I guess), it appears that this worm infects external media, and is not an iPod virus per se. Although it would be better if Apple had machines that weren't infected.
In reference to the infected RavMonE.exe file, which in actuality is a Trojan horse, he uses the word "propagates" to help justify the malware as being a worm. Unfortunately, he further contradicts himself that "it does not spread through a network." I have news for Greg: The reason the RavMonE.exe file does not spread through a network is that it is not a worm. The RavMonE.exe file is indeed a Trojan horse.
RavMonE.exe is a file that originated from RAV Antivirus software. So, the Troj/Bdoor-DIJ Trojan masquerades as "RavMonE.exe" in an attempt to fool the user that it is part of the RAV AV software. The Trojan lies dormant on the infected iPod, and is activated once connected to a Windows PC. It traverses no network at this point.
The infected PC will act as a proxy server, contacting a remote site to report the infection and the availability of the proxy. This is also classic Trojan behavior. Furthermore, the infected PC will not infect other Windows PCs on the network or anywhere else on the Internet. If it did, then it could be classified as a worm.
Links:
Troj/Bdoor-DIJ Trojan Summary on Sophos.com
Define Propagation Google Search
Worm defined on Viruslist.com
Trojan horse defined by Webopedia
Trojan horse defined by Wikipedia
Trojan defined by Viruslist.com
To elaborate, the infected PC will not infect others simply being on a network or connected to the Internet because the malware will not traverse the network at all. It will basically serve as a "beacon" to the following URLs:
http://natrocket.kmip.net:5288/ret[REMOVED]
http://natrocket.kmip.net:5288/ies[REMOVED]
http://natrocket.9966.org:5288/ies[REMOVED]
http://scipaper.kmip.net:80/ies[REMOVED]
Its only possible means of "spreading" is via an external drive. Antivirus companies make no note that it will spread itself via a network connection.
Now, upon further research, I see that it may indeed copy itself to a mapped drive (aka network share). This is the only reason others may be able to classify the malware as a worm. However, I have also noticed that every site that calls it a worm uses the word "may", indicating to me that it is only a possible occurrence.
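A defender's check for the two indicators the comment above describes (the masqueraded RavMonE.exe sitting on a removable volume, and beacon requests to the listed hosts showing up in a web proxy log), written as an added example that is not part of the article, the comments, or any vendor tool; the Squid-style log layout, the sample log lines and the sample volume layout are assumptions constructed for the demonstration:

```python
import os
import tempfile
from urllib.parse import urlsplit

# Filename and hosts quoted in the comment above: the Troj/Bdoor-DIJ sample
# masquerades as the RAV Antivirus file RavMonE.exe and beacons to these hosts.
SUSPECT_FILENAMES = {"ravmone.exe"}
BEACON_HOSTS = {"natrocket.kmip.net", "natrocket.9966.org", "scipaper.kmip.net"}

def find_suspect_files(root):
    """Walk a mounted removable volume and list files carrying the masqueraded
    name. A hit is a review item, not proof: a genuine RAV install ships a file
    of the same name, so compare hashes with the vendor's copy before acting."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in SUSPECT_FILENAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def flag_beacons(log_lines):
    """Return (client_ip, host, port) for every request to a known beacon host.
    Assumes Squid-style native lines: "<ts> <elapsed> <client> <code/status>
    <bytes> <method> <url> ...". Only the host is matched, so the [REMOVED]
    path parts from the comment are not needed."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue  # truncated or malformed line: skip rather than crash
        u = urlsplit(parts[6])
        if u.hostname and u.hostname.lower() in BEACON_HOSTS:
            flagged.append((parts[2], u.hostname.lower(), u.port or 80))
    return flagged

def make_sample_volume():
    """Constructed stand-in for a removable volume (not a real iPod): one
    masqueraded file plus a benign file in a throwaway temp directory."""
    root = tempfile.mkdtemp(prefix="ipod_")
    os.makedirs(os.path.join(root, "Music"))
    for rel in ("RavMonE.exe", os.path.join("Music", "song.mp3")):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"constructed sample bytes")
    return root

SAMPLE_LOG = [  # constructed proxy log lines, not real traffic
    "1161120000.1 50 10.0.0.7 TCP_MISS/200 312 GET http://natrocket.kmip.net:5288/ret - DIRECT/- text/html",
    "1161120001.2 40 10.0.0.9 TCP_MISS/200 5120 GET http://www.apple.com/ipod/ - DIRECT/- text/html",
    "1161120002.3 60 10.0.0.7 TCP_MISS/200 300 GET http://scipaper.kmip.net:80/ies - DIRECT/- text/html",
]
```

Because the comment notes the infected PC only beacons out and never scans the network, the proxy log is the one place the infection reliably surfaces, which is why the log check is paired with the on-disk one.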