In 2006, McDonald’s fast food in Japan ran a nationwide promotional campaign in partnership with Coca-Cola. Customers who bought participating Coca-Cola products needed to remove a sticker from the drink and enter a unique code on the McDonald’s website for a chance to win prizes. One of the main prizes was a USB-based MP3 player, with 10,000 units available to be distributed to winners across the country. The devices were marketed as simple flash-style MP3 players and were preloaded with 10 free songs before being shipped to contest winners.
The promotion itself ran from August 4th to 31st, 2006, with the MP3 players shipped out to winners in late September 2006, after the contest period ended. At the time, there was no indication to customers that the devices posed any risk. They were meant to be plugged directly into Windows PCs via USB, allowing users to both play music and manage files, a common design for MP3 players in the mid-2000s.
Shortly after distribution began, it was discovered that the MP3 players were infected with malware. The company then began receiving reports of virus detection alerts and, after an investigation carried out by Trend Micro following receipt of samples of the infected MP3 players around September 29, confirmed the presence of a virus. However, Trend Micro assessed the potential damage to an infected computer as high, while considering the overall risk low due to the limited number of reported infections.
The malicious program was identified as a variant of the QQPass Trojan (WORM_QQPASS.ADH), which had the ability to copy itself to removable media and spread between systems. It was designed to steal login credentials from the popular Chinese messenging service QQ Instant Messenger (formerly known as OICQ), as well as other sensitive data from infected computers, before sending the information to email addresses of associated hackers.
The malware was embedded on the MP3 players themselves, meaning users did not need to download anything for an infection to occur. Simply connecting the device to a Windows computer was enough to expose the system to risk. However, it is believed that the infection occurred during the content-loading process—the transfer of the songs—via an already contaminated computer, and not an intentional act by McDonald’s, before the devices were distributed to prize winners.
Once the problem was confirmed, McDonald’s Japan began warning prize winners on October 13 and moved to recall all 10,000 MP3 players distributed through the promotion. The company issued a public apology and warned customers not to connect the devices to their computers, acknowledging that the MP3 players could potentially compromise personal data if used on Windows systems.
To address the situation, McDonald’s Japan set up a dedicated customer helpline and posted guidance on its Japanese website. The company provided instructions on how customers could check whether their computers had been infected and directed them to an antivirus removal tool offered by Trend Micro Inc. that can remove the Trojan from affected computers. Customers who had received the infected MP3 players were asked to return them and were promised replacement devices free of malware.
