Ask the Expert

Should USB token data be copied to a hidden directory called 'IEDW'?

Whenever I insert my pen drive in a USB port to take a printout of a required document, I find that the entire contents of the pen drive have been copied to a hidden directory named "IEDW" located in the windows\system32 directory. This is the same case as when I use a CD-ROM drive on my PC. Is this an indication of spyware?


It's unclear if this is spyware, but it is certainly a cause for concern. There are reports of a Trojan horse backdoor that uses a directory with this name. There is no mention, however, of it copying the stuff from a USB token or CD. The name iedw usually refers to an element of Internet Explorer. But in a normal Windows system, there should be a file called iedw.exe, not a folder. While there is a history of some malware calling itself iedw.exe, I have seen nothing that uses this as a directory name.

Thus, I urge you to be extra cautious. Run a thorough antispyware and antivirus scan of your machine and the USB token itself, preferably using two antispyware tools. Then, if everything still comes up clean, try using the USB token on another computer and see if the same thing happens. If it doesn't, I recommend a reinstall of Windows on the first computer.

More information:

  • Are USB drives a serious enterprise risk? Expert Michael Cobb sets the record straight.
  • Read a chapter on database Trojans.

This was first published in April 2007.
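
Before and after the scans recommended above, it helps to confirm what the hidden directory actually holds. The following is an added example, not part of the original answer: it hashes every file on the removable media and in the suspect directory and reports which files are byte-for-byte copies, even if they were renamed. The function names and the two paths passed on the command line are assumptions for illustration.

```python
import hashlib
import sys
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def index_tree(root):
    """Return ({sha256: [relative paths]}, [unreadable relative paths])."""
    by_hash, unreadable = {}, []
    root = Path(root)
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        try:
            by_hash.setdefault(sha256_file(p), []).append(rel)
        except OSError:  # locked or permission-denied files are recorded, not fatal
            unreadable.append(rel)
    return by_hash, unreadable


def compare_media_to_suspect(media_root, suspect_root):
    """Find files on the media that also exist, byte for byte, in the suspect
    directory. Matching is by content, so renamed copies are still detected."""
    media, media_err = index_tree(media_root)
    suspect, suspect_err = index_tree(suspect_root)
    copied = {h: (media[h], suspect[h]) for h in media if h in suspect}
    return {
        "copied": copied,
        "suspect_only": [suspect[h] for h in suspect if h not in media],
        "unreadable": media_err + suspect_err,
        # Fraction of distinct file contents on the media found in the suspect dir.
        "copied_ratio": len(copied) / len(media) if media else 0.0,
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: compare.py <removable-media-root> <suspect-directory>")
    else:
        result = compare_media_to_suspect(sys.argv[1], sys.argv[2])
        for on_media, in_suspect in result["copied"].values():
            print(f"COPIED  {on_media} -> {in_suspect}")
        print(f"{result['copied_ratio']:.0%} of media contents found in suspect directory")
```

Running it again after inserting the drive on a second computer gives a like-for-like comparison for the test the answer suggests.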
