lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <6.0.3.0.2.20050111114220.0470b920@127.0.0.1>
Date: Tue, 11 Jan 2005 11:46:17 -0400
From: Marc Bejarano <bugtraq@...j.org>
To: bugtraq@...urityfocus.com
Subject: WMV (Windows Media Player) trojan in wild


from http://www.pandasoftware.com/about/press/viewNews.aspx?noticia=5818
===
Video files appear that download malicious application when they are run

01/10/2005. These files are .wmv files infected by Trj/WmvDownloader.A and 
Trj/WmvDownloader.B, two Trojans that take advantage of a new technology 
incorporated in Microsoft Windows Media player to install spyware, adware 
and dialers, as well as computer viruses

PandaLabs has detected the appearance of two new Trojans, 
Trj/WmvDownloader.A and Trj/WmvDownloader.B, which are spreading through 
P2P networks in video files. These Trojans take advantage of the new 
technology incorporated in Microsoft Windows Media player called Windows 
Media Digital Rights Management (DRM), designed to protect the intellectual 
property rights of multimedia content. When a user tries to play a 
protected Windows media file, this technology demands a valid license. If 
the license is not stored on the computer, the application will look for it 
on the Internet, so that the user can acquire it directly or buy it. This 
new technology is incorporated through the Windows XP Service Pack 2 + 
Windows Media Player 10 update.

The video files infected by these Trojans have a .wmv extension and are 
protected by licenses, supposedly issued by the companies overpeer (for 
Trj/WmvDownloader.A), or protectedmedia (for Trj/WmvDownloader.B). If the 
user runs a video file that is infected by one of these Trojans, they 
pretend to download the corresponding license from certain web pages. 
However, what they actually do is redirect the user to other Internet 
addresses from which they download a large number adware (programs that 
display advertisements on screen), spyware, dialers (applications that 
dial-up high rate toll numbers) and other viruses. Below are some examples 
of the malicious programs and viruses these Trojans download:

Adware/Funweb

Adware/MydailyHoroscope

Adware/MyWay

Adware/MyWebSearch

Adware/Nsupdate

Adware/PowerScan

Adware/Twain-Tech

Dialer Generic

Dialer.NO

Spyware.AdClicker

Spyware/BetterInet

Spyware/ISTbar

Trj/Downloader.GK

Even though these Trojans have been detected in video files with extremely 
variable names which can be downloaded through P2P networks like KaZaA or 
eMule, bear in mind that they can also be distributed through other means, 
such as files attached to email messages, FTP or Internet downloads, floppy 
disks, CD-ROM, etc.   Panda Software has made the corresponding updates to 
its anti-malware solutions available to its clients to detect and disinfect 
any video file protected by the licenses used by Trj/WmvDownloader.A and 
Trj/WmvDownloader.B to carry out their malicious actions. Similarly, the 
Panda Software solutions protect users against the malware that these 
Trojans try to install on computers.

For further information about Trj/WmvDownloader.A, Trj/WmvDownloader.B or 
the malicious programs and viruses these Trojans try to download, visit 
Panda Software's Virus Encyclopedia
===

marc



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ