Infected Christmas Presents from Samsung

People who bought the SPF-85H 8-Inch Digital Photo Frame from Samsung for either personal use, or to give it away as a Christmas present, were unpleasantly surprised to have their anti-virus software complain about a worm in the bundled software. Samsung confirmed the incident and issued an update to the affected application.

Online retailer Amazon has sent warning e-mails to all of its customers that purchased the said devices between October and December 2008. "The alert involves the SPF-85H 8-Inch Digital Photo Frames w/1GB Internal Memory, designed to work with Windows-based PCs via a USB connector," the e-mail reads, and regards the "discovery of the W32.Sality.AE worm on the installation disc SAMSUNG FRAME MANAGER XP VERSION 1.08, which is needed for using the SPF-85H as a USB monitor."

Samsung published an article on its website earlier this month, through which it acknowledged the existence of the problem and provided instructions for fixing it. The advisory points out that only the Windows XP version of the Frame Manager application is infected, and that Windows Vista users should not be affected by this incident.

According to the provided instructions, the users who have reason to believe that they have fallen victims to this worm by installing the Samsung software are advised to use updated anti-virus software in order to isolate the malware and then proceed to uninstalling the 1.08 version of the application, via the Add/Remove Programs applet.

The company offers the patched and clean 1.082 version of the product for download, as a replacement for Windows XP users. Installing the new release requires a system reboot, as noted in the instructions. However, what Samsung forgets to mention is that Sality might not be so simple to remove if it installs successfully.

The worm has a payload that attempts to mess with the functionality of many security products by stopping their services, deleting some of their vital files, and blocking access to their websites. In addition, it is able to receive instructions or download and install other malware from remote servers.

"It’s great that Amazon.com is warning purchasers of the danger, but wouldn’t it have been better if the affected devices had been taken off the market?," Graham Cluley, senior technology consultant for anti-virus vendor Sophos, asks rhetorically. Joel Ester coincidentally answers this question through an article, posted on the SANS Internet Storm Center website, the title of which reads "Hey, at least they are telling you!"