TomTom has followed in the less than illustrious footsteps of iRiver, no-name USB sticks, McDonalds, Apple and others by shipping a device containing malware. In most previous cases the malware in question was a virus which spread to drives, so I was expecting the same when I got my hands on the files coming from the TomTom GO 910.
Kaspersky Anti-Virus detects these files as Virus.Win32.Perlovga.a and Trojan-Dropper.Win32.Small.apl. Trojan-Dropper.Win32.Small.apl is somewhat of a generic detection – it covers any file which has been created using a specific virus writers’ tool. Trojan-Dropper.Win32.Small.apl functions as an installer for Perlovga.b and…a backdoor! As I haven’t seen any mention of a backdoor in coverage about the incident, I was surprised to come across it.
Even though it is a backdoor with limited functionality, the very presence of Backdoor.Win32.Small.lo slightly changes the situation. Perlovga is more of an irritant than a serious threat, but as it makes use of autorun.inf functionality to spread via disks, there’s a real danger of Perlovga.a and the Dropper file (which in turn installs the backdoor and Perlovga.b) being executed automatically as soon as Windows reads the drive/device.
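The autorun.inf mechanism mentioned above is the part of this incident a defender can actually check for: a removable device is only dangerous on insertion if its autorun.inf contains a directive that launches a program (open, shellexecute, or a shell\...\command entry) rather than just setting an icon or label. The following script is an added example, not code from the original post or from Kaspersky; it parses an autorun.inf and reports the directives that would cause code to run. Both sample files are constructed for illustration, and the executable names in them are placeholders, not the names of the files found on the TomTom device.

```python
import configparser
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample: what a harmless autorun.inf on a branded device looks like.
SAMPLE_BENIGN = """[autorun]
icon=device.ico
label=TomTom GO
"""

# Constructed sample: the directive shapes that launch a program when the
# drive is opened. The .exe names are placeholders, not real malware files.
SAMPLE_SUSPICIOUS = """[AutoRun]
open=placeholder_copy.exe
shellexecute=placeholder_host.exe
shell\\open\\Command=placeholder_host.exe
shell\\explore\\Command=placeholder_host.exe
"""

# Keys that directly name a program to execute.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> Dict[str, str]:
    """Parse autorun.inf (INI syntax) into a flat dict of lower-cased keys.

    Windows treats both section and key names case-insensitively, so the
    section is matched ignoring case and keys are lower-cased by configparser.
    strict=False tolerates duplicate keys, which hand-written files often have.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return dict(cp.items(section))


def launch_directives(entries: Dict[str, str]) -> List[str]:
    """Return every directive that would run a program on drive open/explore."""
    hits = []
    for key, value in entries.items():
        is_shell_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_shell_command:
            hits.append(f"{key}={value}")
    return hits


def assess_autorun(text: str) -> Dict[str, object]:
    """Summarise an autorun.inf: does it launch code, and via which lines?"""
    hits = launch_directives(parse_autorun(text))
    return {"launches_code": bool(hits), "directives": hits}


def assess_drive(root: str) -> Optional[Dict[str, object]]:
    """Check the autorun.inf at the root of a mounted drive (None if absent)."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return None
    # autorun.inf is ANSI text; ignore stray bytes rather than fail the scan.
    return assess_autorun(inf.read_text(encoding="cp1252", errors="ignore"))


if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, assess_autorun(sample))
```

Run it against a mounted device with `assess_drive("E:\\")` (or the mount point on a non-Windows analysis box, which is the safer place to look at such a drive). The check only says whether the file would launch something, not whether that something is malicious; the named executables still need to be pulled and scanned. Disabling AutoRun for removable drives (the NoDriveTypeAutoRun policy under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer) removes the automatic-execution path entirely and is the mitigation that makes the Perlovga spreading trick moot.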
This probably won’t be the last case of infected devices, and it would be nice to see a little more clarity regarding the precise payload. I suggest that the next company which finds itself sending out infected devices should contact us and ask us for a detailed analysis so they can issue an appropriate warning to their customers.