Adventures at altitude

The setting is Tamel, the centre of Katmandu, the capital of Nepal. There are hundreds of little shops which sell everything, ranging from Buddha statuettes to full rigs for Himalayan expeditions. I’m off into the mountains myself, so I buy a Compact Flash card for my camera in one of the shops which specialises in photographic equipment.

After three weeks of adventures at high altitude I return to Moscow and get ready to copy the photos from the memory card to my computer using a flash reader. And the first thing that I notice are two hidden files in the card’s root directory: they’re called autorun.inf and VirusRemoval.vbs.

We’ve already written more than once about viruses and worms which spread via removable storage media by launching automatically from autorun.inf. A number of users have also come across this type of malicious program. There are also a number of cases where hard disks, flash drives, MP3 players and other devices were already infected with malware when shipped by the manufacturers.

In this case, the Kingston card turned out to be infected with Worm.VBS.Small.n, a malicious program which was added to Kaspersky Lab antivirus databases on 14th November, 2 days after I bought the infected flash card in Nepal.

A detailed analysis of the worm’s code shows its Nepalese origins; as part of its payload, the worm changes the Internet Explorer home page to “” – .np, of course, being the Nepal domain.

It seems unlikely that Kingston itself had anything to do with this incident. The worm probably ended up on the card once it was already in Nepal – possibly in the very same shop where I got it.

Or it could be that the card itself is counterfeit, and that it was produced in some underground factory in Nepal. So we’ve decided to publish the data shown on the card in the hope that it may help trace where it came from.

I didn’t encounter the Abominable Snowman in the Himalayas, but I did manage to bring a ‘Nepalese worm’ home with me. I think it’s a fitting entry for the Guinness Book of Records – Worm.VBS.Small.n surely qualifies for the ‘Computer Virus to Reach the Highest Altitude’ category. After all, it made it up as far as 6198 metres together with me and my camera.

Adventures at altitude

Your email address will not be published. Required fields are marked *



Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Andariel evolves to target South Korea with ransomware

In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. After a deep analysis, we came to a conclusion: the Andariel group was behind these attacks.

Operation TunnelSnake

A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The victims are located in Africa, South and South-East Asia.

Subscribe to our weekly e-mails

The hottest research right in your inbox