Possible trojan?

Hey guys,

I noticed recently that 2 of my USB keys were exhibiting some strange behavior. When I plug them into my laptop (running Fedora) I get a message that pops up telling me that there is a something that is trying to run itself and asks if I want to continue or to cancel. Naturally I select "No" because I have no idea what it is.

Upon investigating my USB keys I find that there have been 2 hidden files placed on each one:

On first USB key:

auto.inf
this file contained the following string:

If was then followed with an additional file which was an executable called:
owlxck.exe


On the second USB key:

auto.inf
his file contained the following string:

It was then followed with an additional file which was an executable called:
ofalir.exe


Luckily I have only been plugging this USB into two machines. One being a VM of Windows 7 running on my laptop inside of Fedora 10. My anti-virus program on my Windows 7 machine has picked up an auto.inf file under the 'C:\\Windows\\system32'
which I had it delete.

I have been trying to find reference to these auto.inf's and the strings contained within them as well as the .exe's. However I haven't been able to turn up anything that indicates if they really are a threat or not. My instinct tells me that there is something fishy about them though.
I was wondering if anyone has seen this type of behavior before?
Any ideas on what I can do to squash the bug that I have that caused this problem?
Or am I just overreacting?

Thank you in advance


Cheers

Todd

dammit it is the conficker virus? I had a funny feeling that is what it was. I wasn't 100% sure though because usually an anti-virus program will flag it as that. That is bogus!! It is such a pain in the ass to get rid of to!

I don't know where I would have picked it up though. I might have plugged it into a computer at school .

Will format though thank you for the advice.


Cheers

Thank you for the suggestion. I was at school today and it was actually confirmed that the schools network has been infected with the confickr virus....again. It has apparently been infected for the last few weeks. I guess I was unlucky and got hit with it.


Thats pretty cool, I didn't know that existed. I will check it out thank!


Cheers

Haha yeah I have thought of this indeed - and actually it did sort of turn out to be an easy fix!

Definitely you are right about this, it appears as though I did pick something nasty up - although i am still unsure of where I got it from or now it managed to jump to my virtual machine...


I figured out what it was though - at least I think. I was getting frustrated with my USB drives constantly getting those stupid auto.inf's and exe's so I decided to run a few scans of my virtual machine WITH my USB key's plugged in. I ran several conficker removal tools, however they did not find anything. I didn't stop there though. I decided that I would try Malwarebytes as this program has saved my life a few times in the past.

**NOTE**: my windows VM was also experiencing additional weird behavior - explorer.exe was no longer running at startup.

I ran malwarebytes against my VM. It took almost 2 hours to complete haha... but when it was finished it did indeed find the nasties that were causing my problem. It turned out to be a trogan buried deep within my system. It was actually impersonating the crss.exe executable in windows, however it was running under a slightly modified name to make it appear legit - sneaky bastard! After running malwarebytes and cleaning it out I haven't had anymore nasties on my USB keys... love you malwarebytes.


Cheers


p.s. thank you to everyone that responded... cheers