savvy2005-01-12 12:33:52
Malicious Trojan infects Windows Media Player

Downloads malicious application when video files are run
Robert Jaques, vnunet.com 11 Jan 2005

Security experts have intercepted two malicious Trojans hidden in video files that download and install spyware, diallers and computer viruses when played in Microsoft Windows Media player.

PandaLabs warned that Trj/WmvDownloader.A and Trj/WmvDownloader.B, are spreading through P2P networks hidden in video files. These Trojans take advantage of technology incorporated in Microsoft Windows Media player called Windows Media Digital Rights Management (DRM), designed to protect the intellectual property rights of multimedia content.

When a user tries to play a protected Windows media file, this technology demands a valid licence. If the license is not stored on the computer, the application will look for it on the internet, so that the user can acquire it directly or buy it. This technology is incorporated through the Windows XP Service Pack 2 + Windows Media Player 10 update.

The video files infected by these Trojans have a .wmv extension and are protected by licences, supposedly issued by the companies overpeer (for Trj/WmvDownloader.A), or protectedmedia (for Trj/WmvDownloader.B).

If the user runs a video file that is infected by one of these Trojans, the files pretend to download the corresponding licence. However, what they actually do is redirect the user to other internet addresses from which they download adware, spyware, diallers (applications that dial-up high rate toll numbers) and viruses, security experts at PandaLabs said.

Below are some examples of the malicious programs and viruses these Trojans download:

Adware/Funweb
Adware/MydailyHoroscope
Adware/MyWay
Adware/MyWebSearch
Adware/Nsupdate
Adware/PowerScan

Adware/Twain-Tech
Dialler Generic
Dialer.NO
Spyware.AdClicker
Spyware/BetterInet
Spyware/ISTbar
Trj/Downloader.GK


"Even though these Trojans have been detected in video files with extremely variable names which can be downloaded through P2P networks like KaZaA or eMule, bear in mind that they can also be distributed through other means, such as files attached to email messages, FTP or Internet downloads, floppy disks, CD-ROM, etc," PandaLabs warned.

For further information about Trj/WmvDownloader.A, Trj/WmvDownloader.B or the malicious programs and viruses these Trojans try to download, click here