Should USB token data be copied to a hidden directory called 'IEDW'?
Whenever I insert my pen drive in a USB port to take a printout of a required document, I find that the entire contents of the pen drive have been copied to a hidden directory named "IEDW" located in the windows\system32 directory. This is the same case as when I use a CD-ROM drive on my PC. Is this an indication of spyware?
It's unclear if this is spyware, but it is certainly a cause for concern. There are reports of a Trojan horse backdoor that uses a directory with this name. There is no mention, however, of it copying the stuff from a USB token or CD. The name iedw usually refers to an element of Internet Explorer. But in a normal Windows system, there should be a file called iedw.exe, not a folder. While there is a history of some malware calling itself iedw.exe, I have seen nothing that uses this as a directory name.
Thus, I urge you to be extra cautious. Run a thorough antispyware and antivirus scan of your machine and the USB token itself, preferably using two antispyware tools. Then, if everything still comes up clean, try using the USB token on another computer and see if the same thing happens. If it doesn't, I recommend a reinstall of Windows on the first computer.
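To confirm the behavior on the first machine, or to check whether it repeats on a second one, the following PowerShell script reports which files in the hidden directory are byte-identical to files on the pen drive. It is an added example, not part of the original column; the parameter names `SuspectDir` and `UsbRoot`, the default path and the removable-drive detection are assumptions.

```powershell
# Added example: paths and drive detection are assumptions, not from the original column.
param(
    # Directory named in the question; adjust if Windows is installed elsewhere.
    [string]$SuspectDir = (Join-Path $env:windir 'System32\IEDW'),
    # Root of the pen drive to compare against; defaults to the first removable volume.
    [string]$UsbRoot
)

if (-not $UsbRoot) {
    # DriveType 2 = removable disk in Win32_LogicalDisk.
    $disk = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | Select-Object -First 1
    if (-not $disk) { Write-Error 'No removable drive found; pass -UsbRoot.'; return }
    $UsbRoot = $disk.DeviceID + '\'
}

# -Force is required to see hidden and system items.
$dir = Get-Item -LiteralPath $SuspectDir -Force -ErrorAction SilentlyContinue
if (-not $dir) { Write-Output "Not present: $SuspectDir"; return }

Write-Output ("Found {0} (attributes: {1}, created: {2})" -f $dir.FullName, $dir.Attributes, $dir.CreationTime)

# Index the pen drive's files by SHA-256.
$usbHashes = @{}
Get-ChildItem -LiteralPath $UsbRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($h) { $usbHashes[$h.Hash] = $_.FullName }
    }

# Report each file in the hidden directory that is byte-identical to a file on the pen drive.
$copies = Get-ChildItem -LiteralPath $dir.FullName -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($h -and $usbHashes.ContainsKey($h.Hash)) {
            [pscustomobject]@{
                Copy     = $_.FullName
                Original = $usbHashes[$h.Hash]
                CopiedAt = $_.CreationTime
            }
        }
    }

$copies | Sort-Object CopiedAt | Format-Table -AutoSize
Write-Output ("{0} file(s) in {1} match files on {2}" -f @($copies).Count, $dir.FullName, $UsbRoot)
```

Run it from an elevated 64-bit PowerShell session, since a 32-bit process on 64-bit Windows is redirected away from the real System32 directory. The `CopiedAt` column can be lined up against the times the drive was inserted.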
This was first published in April 2007