IBM is apologizing for handing out USB drives at a security conference in Australia this week that had malware on them.
The thumb drives were distributed for free to people who walked up to the IBM booth at the AusCERT conference.
"Unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected," Glenn Wightwick, chief technologist at IBM Australia, wrote in a letter to AusCERT delegates that was reprinted on the Beast or Buddha blog.
"The malware is detected by the majority of current Anti Virus products [as at 20/05/2010] and has been known since 2008," the letter said. "The malware is known by a number of names and is contained in the setup.exe and autorun.ini files. It is spread when the infected USB device is inserted into a Microsoft Windows workstation or server whereby the setup.exe and autorun.ini files run automatically."
The letter goes on to provide steps for removing the malware: turn off system restore, update antivirus software, do a scan using a second antivirus product, and back up all vital files on the system before re-installing the operating system "as a precautionary measure."
"This isn't the first time IBM has had such an issue," Randy Abrams, director of technical education at security firm ESET, wrote in a blog post on Friday. "Back in 2002 IBM had a USB drive that had a rare boot sector virus on it."
And it's not a first for the AusCERT conference, either. Two years ago malware was found on USB drives handed out by Telstra at the show.
To be fair, it can happen to anyone. HP shipped out USB drives in 2008 that had a worm.
The message here: disable AutoRun in Windows or be wary of USB, particularly freebies, or both.
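One way to check a giveaway drive before trusting it, as an added example that is not from the article or from IBM's letter: this Python script reads the AutoRun file at the root of a mounted drive without executing anything, lists the programs it would launch, and hashes them for lookup against antivirus databases. The function names and the sample files are constructed for illustration; it checks both autorun.inf, the file name Windows AutoRun reads, and autorun.ini, the name given in the letter.

```python
import hashlib
import tempfile
from pathlib import Path

# Windows AutoRun reads autorun.inf; the quoted letter says autorun.ini.
AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}

def launch_commands(text):
    """Return (key, command) pairs from [autorun], tolerating junk lines."""
    section, found = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if value and (key in ("open", "shellexecute") or is_verb):
                found.append((key, value))
    return found

def find_ci(root, rel):
    """Resolve a relative path case-insensitively, as Windows would."""
    want = rel.replace("\\", "/").strip("/").lower()
    for path in root.rglob("*"):
        if path.is_file() and path.relative_to(root).as_posix().lower() == want:
            return path
    return None

def triage_volume(root):
    """Inspect a drive root without executing anything on it."""
    root, findings = Path(root), []
    for entry in sorted(root.iterdir()):
        if not (entry.is_file() and entry.name.lower() in AUTORUN_NAMES):
            continue
        for key, cmd in launch_commands(entry.read_bytes().decode("latin-1")):
            # The program is the first token; quoted paths may contain spaces.
            program = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
            target = find_ci(root, program)
            digest = hashlib.sha256(target.read_bytes()).hexdigest() if target else None
            findings.append({"autorun": entry.name, "key": key,
                             "program": program, "sha256": digest})
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "SETUP.EXE").write_bytes(b"inert placeholder")  # constructed sample
        Path(tmp, "autorun.ini").write_text(";junk\n[AutoRun]\nopen=setup.exe /s\n")
        print(*triage_volume(tmp), sep="\n")
```

A finding with a `sha256` of `None` means the AutoRun file points at a program that is not on the drive, which is still worth noting when triaging the device.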