New trojan infects audio files and spreads if they're shared, Worm.Win32.GetCodec.a / TROJ_MEDPINCH.A / Trojan.ASF.Hijacker.gen
CiTay
post Jul 17 2008, 22:18
A new trojan horse malware is being reported in the wild that infects MP3, WMA and WMV files. It secretly converts MP3 files to the WMA format while keeping the MP3 file extension and adding a special WMA tag that asks the user to install a supposedly missing audio codec. When the user downloads and installs the fake missing codec, the trojan horse sets a registry key that disables the "missing codec" popup, making it seem as if the installation was successful. Meanwhile, it's silently infecting all those media files it can find on that PC, including converting all MP3s to WMA and adding that special tag. Windows Media Player does not mind the wrong extension and plays them back normally.

When those files are shared, they will display the "missing codec" notice again on other PCs, and if that codec is installed, the infection is spreading once again. If Winamp is installed (which can't play the fake MP3 files which really are WMA), its configuration is changed so that all media files will be played by Windows Media Player again instead.

More info:
http://blog.trendmicro.com/infectious-music-malware-style/
http://www.trustedsource.org/blog/132/Troj...ultimedia-files
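The trick CiTay describes, WMA content kept behind an .mp3 extension, is invisible to anything that trusts the filename, so the defender's check is to sniff the container bytes instead. The script below is an added example written for this page, not code from the original post or from the linked vendor write-ups; it assumes only that WMA/WMV (ASF) files begin with the ASF header object GUID and that MP3 files begin with either an ID3v2 tag or an MPEG frame sync. The sample "files" at the bottom are constructed byte strings so the script runs offline.

```python
"""Flag audio files whose leading bytes contradict their extension.

Added example for the thread above (not from the original post). Catches the
reported trojan artefact: an ASF/WMA stream saved under a .mp3 name.
"""
import os
from pathlib import Path
from typing import Dict, List, Tuple

# ASF header object GUID in the little-endian byte order used on disk.
# Every WMA/WMV (ASF container) file starts with these 16 bytes.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

# Extension -> container that extension promises (the types the post mentions).
EXPECTED = {".mp3": "mp3", ".wma": "asf", ".wmv": "asf"}


def sniff_container(head: bytes) -> str:
    """Identify the container from the leading bytes, ignoring the filename."""
    if head.startswith(ASF_HEADER_GUID):
        return "asf"                       # WMA / WMV
    if head.startswith(b"ID3"):
        return "mp3"                       # MPEG audio with an ID3v2 tag
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:
        return "mp3"                       # bare MPEG audio frame sync (11 set bits)
    return "unknown"


def classify(name: str, head: bytes) -> Tuple[str, str, bool]:
    """Return (expected, detected, mismatch) for one file.

    Only a positively identified container that differs from the extension
    counts as a mismatch; an unrecognised header is left for manual review
    rather than reported as an infection.
    """
    expected = EXPECTED.get(Path(name).suffix.lower())
    detected = sniff_container(head)
    if expected is None:
        return ("n/a", detected, False)    # not a media extension we check
    mismatch = detected != "unknown" and detected != expected
    return (expected, detected, mismatch)


def find_mismatches(files: Dict[str, bytes]) -> List[str]:
    """Names of in-memory samples whose bytes contradict their extension."""
    return sorted(name for name, head in files.items() if classify(name, head)[2])


def scan_directory(root: str) -> List[str]:
    """Walk a real music folder and return paths of mismatched files."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if Path(fn).suffix.lower() not in EXPECTED:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                head = fh.read(16)         # the GUID is 16 bytes; tags are shorter
            if classify(fn, head)[2]:
                hits.append(path)
    return sorted(hits)


# Constructed sample "files" (leading bytes only) so the example runs offline.
SAMPLE_FILES = {
    "song.mp3": b"ID3\x03\x00" + b"\x00" * 11,        # genuine MP3 with ID3v2 tag
    "live.mp3": b"\xff\xfb\x90\x00" + b"\x00" * 12,   # genuine MP3, no tag
    "track.mp3": ASF_HEADER_GUID + b"\x00" * 16,      # WMA data under a .mp3 name
    "clip.wma": ASF_HEADER_GUID + b"\x00" * 16,       # genuine WMA
    "notes.txt": b"just text",                        # ignored: not a media extension
}

if __name__ == "__main__":
    for name in find_mismatches(SAMPLE_FILES):
        exp, det, _ = classify(name, SAMPLE_FILES[name])
        print(f"{name}: extension says {exp}, content is {det}")
```

Run `scan_directory()` against a music folder to list the files worth a closer look; since the post notes that Windows Media Player plays the mislabelled files without complaint, the extension alone tells you nothing and only the bytes do.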
Gabriel
post Jul 18 2008, 17:54
And that is why a computer should never be operated with Administrator/root privileges, but only as a regular/limited user. Unfortunately, the default setup of most Microsoft operating systems is still to always use the computer with full rights, and I can predict that such a trojan will fool many people.
Axon
post Jul 18 2008, 18:08
QUOTE (Gabriel @ Jul 18 2008, 11:54)
And that is why a computer should never be operated with Administrator/root privileges, but only as a regular/limited user. Unfortunately, the default setup of most Microsoft operating systems is still to always use the computer with full rights, and I can predict that such a trojan will fool many people.


This has nothing to do with user permissions or even the OS. The fundamental issue is that the user is compelled to download something from a disreputable source, and the installation process is made absolutely trivial. If WMP were ported to Linux and run by non-root, the exact same issues would pop up, except that perhaps gaining root access becomes slightly harder for the malware.

Disabling MS's codec autodownload is the obvious and straightforward solution, and/or making all codec downloads occur from a centralized location.