Malicious Trojan infects Windows Media Player

Post by Copper » Tue Jan 11, 2005 2:26 pm

Malicious Trojan infects Windows Media Player
Downloads malicious application when video files are run
Robert Jaques, vnunet.com 11 Jan 2005


Security experts have intercepted two malicious Trojans hidden in video files that download and install spyware, diallers and computer viruses when played in Microsoft Windows Media Player.

PandaLabs warned that Trj/WmvDownloader.A and Trj/WmvDownloader.B are spreading through P2P networks hidden in video files. These Trojans take advantage of technology incorporated in Microsoft Windows Media Player called Windows Media Digital Rights Management (DRM), designed to protect the intellectual property rights of multimedia content.

When a user tries to play a protected Windows media file, this technology demands a valid licence. If the licence is not stored on the computer, the application will look for it on the internet, so that the user can acquire it directly or buy it. This technology is incorporated through the Windows XP Service Pack 2 + Windows Media Player 10 update.

The video files infected by these Trojans have a .wmv extension and are protected by licences, supposedly issued by the companies overpeer (for Trj/WmvDownloader.A), or protectedmedia (for Trj/WmvDownloader.B).

If the user runs a video file that is infected by one of these Trojans, the files pretend to download the corresponding licence. However, what they actually do is redirect the user to other internet addresses from which they download adware, spyware, diallers (applications that dial-up high rate toll numbers) and viruses, security experts at PandaLabs said.

Below are some examples of the malicious programs and viruses these Trojans download:

Adware/Funweb
Adware/MydailyHoroscope
Adware/MyWay
Adware/MyWebSearch
Adware/Nsupdate
Adware/PowerScan
Adware/Twain-Tech
Dialler Generic
Dialer.NO
Spyware.AdClicker
Spyware/BetterInet
Spyware/ISTbar
Trj/Downloader.GK


"Even though these Trojans have been detected in video files with extremely variable names which can be downloaded through P2P networks like KaZaA or eMule, bear in mind that they can also be distributed through other means, such as files attached to email messages, FTP or Internet downloads, floppy disks, CD-ROM, etc," PandaLabs warned.


Post by kltsin » Wed Jan 12, 2005 1:42 am

At first glance this seems to be the continuation of the scripting used in wmv files where it would look for a license, and is nothing new.

But also note that if you play a media file the extension may have been changed, and Windows will inform you of this and ask to play it anyway if you choose to.
A wmv file can be renamed to mp3, wav, mpeg, avi, etc., but can still be played and cause the same ill effects.

To safeguard, don't use WMP (Windows Media Player) if possible; there are alternatives:
Winamp is very good
VLC from VideoLAN
KL codec pack or mega codec pack, both include the BS player and a modified media player that can play any file and be safe.

Thanks coppershirt for the info if indeed this is a new strain.
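
A triage check for the two points raised in the posts above, added here as an example and not taken from the article or from any poster: it identifies Windows Media (ASF) content by its header bytes rather than its extension, flags DRM header objects, and pulls out the licence URL recorded in the file's Content Encryption Object so it can be reviewed before the file is ever played. The GUIDs and field layout follow the ASF container specification; the function names, the sample builder and the `license.example.invalid` URL are constructed for illustration, and the Extended Content Encryption Object is only flagged, not parsed.

```python
import struct
import uuid

# ASF object GUIDs (ASF container specification), in on-disk byte order.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
CONTENT_ENC = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E").bytes_le
EXT_CONTENT_ENC = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C").bytes_le
ASF_EXTENSIONS = (".wmv", ".wma", ".asf")

def license_url(body):
    """Walk the four length-prefixed fields; the last is the licence URL."""
    off, field = 0, b""
    for _ in range(4):  # secret data, protection type, key ID, licence URL
        if off + 4 > len(body):
            return None
        (n,) = struct.unpack_from("<I", body, off)
        field = body[off + 4:off + 4 + n]
        off += 4 + n
    return field.rstrip(b"\x00").decode("ascii", "replace")

def inspect_media(name, data):
    """Identify ASF content by magic bytes and report DRM header objects."""
    r = {"is_asf": data[:16] == ASF_HEADER, "renamed": False,
         "drm": False, "license_url": None}
    if not r["is_asf"] or len(data) < 30:
        return r
    r["renamed"] = not name.lower().endswith(ASF_EXTENSIONS)
    header_size, count = struct.unpack_from("<QI", data, 16)
    pos, end = 30, min(header_size, len(data))
    for _ in range(count):
        if pos + 24 > end:
            break
        guid = data[pos:pos + 16]
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:
            break  # malformed object: stop instead of reading out of bounds
        if guid in (CONTENT_ENC, EXT_CONTENT_ENC):
            r["drm"] = True
        if guid == CONTENT_ENC:
            r["license_url"] = license_url(data[pos + 24:pos + size])
        pos += size
    return r

def build_sample(url):
    """Constructed input: minimal ASF header with one Content Encryption Object."""
    fields = [b"\x00" * 4, b"DRM\x00", b"keyid\x00", url.encode() + b"\x00"]
    body = b"".join(struct.pack("<I", len(f)) + f for f in fields)
    obj = CONTENT_ENC + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```

Calling `inspect_media("clip.mp3", build_sample("http://license.example.invalid/acquire"))` reports an ASF file with a mismatched extension, DRM present, and the embedded URL; on real downloads, pass the file name and the first few hundred kilobytes of the file.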

Post by snap355 » Wed Jan 12, 2005 7:04 am

Good info copper

