WMV (Windows Media Player) trojan in wild

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: WMV (Windows Media Player) trojan in wild
From: Marc Bejarano <bugtraq@xxxxxxxx>
Date: Tue, 11 Jan 2005 11:46:17 -0400
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

from http://www.pandasoftware.com/about/press/viewNews.aspx?noticia=5818
===
Video files appear that download malicious application when they are run

01/10/2005. These files are .wmv files infected by Trj/WmvDownloader.A andTrj/WmvDownloader.B, two Trojans that take advantage of a new technologyincorporated in Microsoft Windows Media player to install spyware, adwareand dialers, as well as computer viruses

PandaLabs has detected the appearance of two new Trojans,Trj/WmvDownloader.A and Trj/WmvDownloader.B, which are spreading throughP2P networks in video files. These Trojans take advantage of the newtechnology incorporated in Microsoft Windows Media player called WindowsMedia Digital Rights Management (DRM), designed to protect the intellectualproperty rights of multimedia content. When a user tries to play aprotected Windows media file, this technology demands a valid license. Ifthe license is not stored on the computer, the application will look for iton the Internet, so that the user can acquire it directly or buy it. Thisnew technology is incorporated through the Windows XP Service Pack 2 +Windows Media Player 10 update.

The video files infected by these Trojans have a .wmv extension and areprotected by licenses, supposedly issued by the companies overpeer (forTrj/WmvDownloader.A), or protectedmedia (for Trj/WmvDownloader.B). If theuser runs a video file that is infected by one of these Trojans, theypretend to download the corresponding license from certain web pages.However, what they actually do is redirect the user to other Internetaddresses from which they download a large number adware (programs thatdisplay advertisements on screen), spyware, dialers (applications thatdial-up high rate toll numbers) and other viruses. Below are some examplesof the malicious programs and viruses these Trojans download:


Adware/Funweb

Adware/MydailyHoroscope

Adware/MyWay

Adware/MyWebSearch

Adware/Nsupdate

Adware/PowerScan

Adware/Twain-Tech

Dialer Generic

Dialer.NO

Spyware.AdClicker

Spyware/BetterInet

Spyware/ISTbar

Trj/Downloader.GK

Even though these Trojans have been detected in video files with extremelyvariable names which can be downloaded through P2P networks like KaZaA oreMule, bear in mind that they can also be distributed through other means,such as files attached to email messages, FTP or Internet downloads, floppydisks, CD-ROM, etc. Panda Software has made the corresponding updates toits anti-malware solutions available to its clients to detect and disinfectany video file protected by the licenses used by Trj/WmvDownloader.A andTrj/WmvDownloader.B to carry out their malicious actions. Similarly, thePanda Software solutions protect users against the malware that theseTrojans try to install on computers.

For further information about Trj/WmvDownloader.A, Trj/WmvDownloader.B orthe malicious programs and viruses these Trojans try to download, visitPanda Software's Virus Encyclopedia

===

marc

Prev by Date: Squirrelmail vacation v0.15 local root exploit
Next by Date: Portcullis Security Advisory 05-008
Previous by thread: Re: Squirrelmail vacation v0.15 local root exploit
Next by thread: Portcullis Security Advisory 05-008
Index(es):
- Date
- Thread