Sounds similar to these kinds of fake Windows anti-virus scans which you see around the place, and try to convince you to click and download an executable which will supposedly clean up your PC:

This type of thing reinforces the fact that no browser/platform is safe from malware, and that it’s important not to regularly run your account with Admin privileges on your PC.

Personally I reckon it wouldn’t hurt to have a setting in Windows (and other operating systems) that prevents running executables from any directory where the current (non-Admin user) has write-permissions, eg only letting them run programs that have been installed by an Administrator.

Does any OS offer something like that at the moment?

Turns out Big W (FujiFilm) kiosks have been spreading viruses, and Fuji is now investigating equipping them with malware protection. Not before time.

This rung a bell for me. I’m sure a month or two ago after I got some photos, I found the drive I’d used had a suspicious autorun.inf file on it that I could’t figure out the origin of.

As Graham Cluley comments, it might be best to use a USB drive with a read-only switch.

Simply browsing a USB drive, Windows file share or WebDav directory can potentially infect you via a rootkit inside a .lnk file. All current versions of Windows said to be vulnerable.

Microsoft advisory: Vulnerability in Windows Shell Could Allow Remote Code Execution — no fix yet, but they do list a workaround.

Sophos’s Chester Wisniewski’s blog: Windows zero-day attack works on all Windows systems — Chester notes a good workaround:

Today, a colleague suggested the best mitigation I have heard so far: deploying a GPO disallowing the use of executable files that are not on the C: drive. This will work for most environments, and you really shouldn’t be running executables from USB drives and network shares anyway. We tested this solution against the vulnerability and it does in fact provide protection.

…which would be nice, but I’m buggered if I can find it in gpedit.msc.

From the looks of it, most of the big anti-virus vendors are onto it, and will detect it as long as your definition files are up to date.

As Ed Bott remarked: I’m not sure any virus writer has ever developed a piece of malware that shut down as many machines as quickly as McAfee did today.

In Australia, one high-profile company hit was Coles, with around 10% of registers knocked out of action causing a number of their supermarkets to have to stop trading while they fixed it.

Yes, Coles runs on Windows.

About 12 years ago Coles ran a project (which I worked on for a short time) to move off NCR cash registers in favour of Windows-based POS systems (then on NT4) developed in-house for the company, with the initial rollout being in Coles. The plan was to subsequently roll it out across other then-subsidiaries such as Target, K-Mart, Myer and so on.

They did a fair bit of interesting workflow analysis, for instance coming up with the Windows Start Menu-style interaction for the cashier to select which fruit/veg they were putting on the scales. It was all designed to cut training requirements and transaction times, and improve backoffice operations, as well as freeing them from dependence on NCR, which at the time had told them support was ending for the registers they’d been using.

Obviously Thursday’s problems showed a down side of the plan!

Perhaps the lesson here is that if your Windows PCs are secure (you wouldn’t imagine they’d allow people to slip in a disc or USB stick and run any old program on them) and fundamental to your company operation, you shouldn’t allow any automated updates onto them (not McAfee, Microsoft, nor anything else) without verifying that it works okay first.

My router has DD-WRT on it. The DD-WRT web site has an article saying they believe they are not vulnerable, unless WAN management has been enabled.

It’s probably worth checking with your router or firmware provider to see if you’re vulnerable, and/or steps to check and secure your equipment.

APCmag: New worm can infect home modem/routers

ZDNet: ‘Psyb0t’ worm infects Linksys, Netgear home routers, modems

DRONEBL: Network Bluepill – stealth router-based botnet has been DDoSing dronebl for the last couple of weeks — which clarifies the conditions under which the infection can spread.