New trojan infects audio files and spreads if they're shared

A new trojan horse malware is being reported in the wild that infects MP3, WMA and WMV files. It secretly converts MP3 files to the WMA format while keeping the MP3 file extension and adding a special WMA tag that asks the user to install a supposedly missing audio codec. When the user downloads and installs the fake missing codec, the trojan horse sets a registry key that disables the "missing codec" popup, making it seem as if the installation was successful. Meanwhile, it's silently infecting all those media files it can find on that PC, including converting all MP3s to WMA and adding that special tag. Windows Media Player does not mind the wrong extension and plays them back normally.

When those files are shared, they will display the "missing codec" notice again on other PCs, and if that codec is installed, the infection is spreading once again. If Winamp is installed (which can't play the fake MP3 files which really are WMA), its configuration is changed so that all media files will be played by Windows Media Player again instead.

More info:
http://blog.trendmicro.com/infectious-music-malware-style/
http://www.trustedsource.org/blog/132/Troj...ultimedia-files

Reply #1
What's so special about that, that it justifies a news entry?

- Microsoft software has long been known to support "media" to behave like "applications".
- Microsoft media formats have long been used for hijacking WMP for malicious purposes. It's one of the reasons why I would NEVER use WMP.

The only thing which to me appears to be different here, is that the active code is capable of spreading. But that was just a matter of time to happen. Still, I don't see the problem: WMP users get a justified rude wakeup call for sleeping when they chose WMP. WMP on the other hand gets more bad press. I like those news - though, it would be nice if it were more emphasized that ONLY MICROSOFT MEDIA PLAYER is affected by this..... just like almost all email-worms only affect outlook.... and so on..... and so on. It's just the same old story again.
I am arrogant and I can afford it because I deliver.

Reply #2
I like those news - though, it would be nice if it were more emphasized that ONLY MICROSOFT MEDIA PLAYER is affected by this.....


Which most likely has the biggest market share, just like Internet Explorer still has. Despite all the advancements in other players and browsers, the majority of people still don't seem to change the default app from when the OS was installed.

Reply #3
Well, you know the myth about lemmings
I am arrogant and I can afford it because I deliver.

Reply #4
Based on the behaviour you reported for this malware, I can only see this affecting people that are very computer illiterate or just plain stupid.

WMP aside...anyone that downloads and installs codecs without at least knowing what they are downloading first and from where is a total idiot.  I never allow programs to choose which codecs I use to play back media.  I research it and get the codec bundles off of sites I know to be trustworthy and even then I still scan them and check to make sure they are what they are.

I honestly don't feel that this malware has a very good chance of spreading fast.
JXL

 

Reply #5
Well, so I thought myself. Until a friend of mine, whose PC I set up personally - including installing Antivirus software, Firefox and so forth - installed a different fake codec a while ago, infecting himself with some trojan. He is your average PC user, far from being PC illiterate or stupid. He was just not aware of the dangers when he installed that. I think that outside a minority of users who really know about all the dangers implied with internet use, the vast majority of people have no idea that such a codec download could lead to a trojan infection. They probably think it's just another notice, like a new Java version, flash player, or whatever else pops up these days.

Reply #6
This trojan transcodes files? Truly the work of an evil, evil mind...

Reply #7
This trojan transcodes files? Truly the work of an evil, evil mind...


I wholeheartedly agree with this statement and could not have put it better myself.
Zune 80, Tak -p4 audio library, Lossless=Choice

Reply #8
They probably think it's just another notice, like a new Java version, flash player, or whatever else pops up these days.
If it pops up when you go to play the file in the trusted Windows Media Player I think users could be forgiven for assuming that WMP was the originator, and would be installing a trusted WMP codec.

This trojan transcodes files? Truly the work of an evil, evil mind...
Yes, those articles failed to mention the main issue here.
I'm on a horse.

Reply #9
A new trojan horse malware is being reported in the wild that infects MP3, WMA and WMV files. It secretly converts MP3 files to the WMA format while keeping the MP3 file extension and adding a special WMA tag that asks the user to install a supposedly missing audio codec. When the user downloads and installs the fake missing codec, the trojan horse sets a registry key that disables the "missing codec" popup, making it seem as if the installation was successful. Meanwhile, it's silently infecting all those media files it can find on that PC, including converting all MP3s to WMA and adding that special tag. Windows Media Player does not mind the wrong extension and plays them back normally.

When those files are shared, they will display the "missing codec" notice again on other PCs, and if that codec is installed, the infection is spreading once again. If Winamp is installed (which can't play the fake MP3 files which really are WMA), its configuration is changed so that all media files will be played by Windows Media Player again instead.

More info:
http://blog.trendmicro.com/infectious-music-malware-style/
http://www.trustedsource.org/blog/132/Troj...ultimedia-files

I don't understand the mention about changing default player from Winamp to WMP. You would have to launch the file in WMP for the first time to get the infection (which you probably will not as you have Winamp as default player). So anyone using an alternative media player is immune, unless they tried to play the file back in WMP after their regular player fails.

Reply #10
Some more info on this: http://www.kaspersky.com/news?id=207575664

So with the help of Trojan-Proxy.Win32.Agent, the infected PC is potentially under full external control, or at least they can eavesdrop on your online banking and other important information.


And here's some infection reports of what could become a true epidemic in popular P2P places. Let's analyze some of these to enter the minds of some unsuspecting users, shall we?

1) http://www.techsupportforum.com/microsoft-...lash-codec.html

This user has an up-to-date AV program that warns him of a trojan horse. He questions whether his Antivirus program is to be trusted and ponders ignoring the warning to get rid of the popups.


2) http://www.technologyquestions.com/technol...ving-virus.html

Here some users might have only downloaded infected MP3s, but have not yet installed the fake codec themselves (later however, some users report infection of all their MP3 files). One user suggests a solution that gets rid of the popup messages, advertising it as "deleting the problem" (in fact, it leaves all files and the PC infected). Another user further down recommends running an "fmpeg.exe" from an unknown website to clean the MP3s.


3) http://forums.winamp.com/showthread.php?threadid=292924

Winamp users complain about the effects of the trojan, at first not knowing the cause. After some deliberation, the same fmpeg.exe is suggested to clean the MP3s, leaving the PC still infected by Trojan-Proxy.Win32.Agent.


I think you can draw your own conclusions from this. For the average user, this issue is pretty complicated to grasp, and most just want to get rid of the popups. The easiest way of which appears for them to be the installation of the "codec". If they become aware of an infection, they use insufficient means to get rid of it.

Reply #11
Still, I don't see the problem: WMP users get a justified rude wakeup call for sleeping when they chose WMP.

It's problematic to leave out Windows Media when configuring a computer for the average user. There are plenty of websites with streaming in WM format, working only with Explorer and Media Player. I of course would go around these sites myself. But the user doesn't understand why my secure computer does not play his online TV, radio, or social networking site.

Reply #12
Quote
Still, I don't see the problem: WMP users get a justified rude wakeup call for sleeping when they chose WMP


Both Quicktime and Winamp have had their share of metadata exploits, so I wouldn't be too harsh on WMP users.

Reply #13
What's so special about that, that it justifies a news entry?
That's a very silly thing to say, Lyx. For most normal users, this could be the biggest digital audio news story since they bought an mp3 player.

I love the naive geek mentality in this thread that people deserve to be punished for using WMP. I know some true nerds find it impossible to grasp, but some "normal" people actually buy computers to do things beyond maintaining the computer itself!


As an example, I would say one of the biggest new uses of PC in the UK recently is the BBC iPlayer. Its success is phenomenal, and threatens to bring ISPs to their knees - try using the high quality version without WMP!

This is what people buy PCs for - to play their music, email friends, watch video etc etc etc. If it crashes around their ears, it's not their fault.

Imagine if we were talking about cars. What if you popped a CD from a friend into the factory fitted stereo, and it spontaneously wrecked every subsequent CD you put in, and made the car crash! Would any sane person be saying "well, it serves these idiots right who rely on the factory fitted stereo - what do they expect?".

It's not a reasonable attitude. I know where the fault lies, and it's not with the users.

Mind you, that nice codec download functionality in WMP (from at least 6.4 onwards) is very useful for "normal" users. It's how my Mum-in-law managed to watch the first videos of our son on the same day he was born. I can't imagine her downloading and installing VLC quite as easily as simply opening the attachment I sent her and clicking OK to everything that followed.

Cheers,
David.

Reply #14
OMFG a trojan that transcodes audio files, and sets WMP as the default player. That is a really nasty evil pos virus.

Looks like its main target is for the average and computer n00b user, who have that awful something for nothing attitude.
"I never thought I'd see this much candy in one mission!"

Reply #15
So, how can you tell an mp3 from a wma, say in a hex editor?  There are tag areas and headers, but I can change an .mp3 to .wma and many utilities take the 'word' of the file extension, and go ahead and report bitrate, etc.

I had an incident around the time of Vista SP1, where as I recall, I 'caught' WMP (which I try to keep from launching in spite of its determination to do so), resizing my cover art in album mp3 folders, and embedding it in the mp3s.  I have mp3s (of cds I own) which are encoded by such as fhg, at 96kbps, and I've never been able to figure this out.  I have used LAME as long as I can remember.  Dylan is a big target.

Is this the trojan?  I always thought it was MS being helpful.  It really has infuriated me.

I use Foobar2000, and it plays them fine.  There is also a folder full of some sort of copies of the album art?  Is this just part of Vista?  It scares me how helpful they can be.  If you want to use WMP, it is probably very nice, but if it cranks, it is going to index every file on your computer and is nearly impossible to shut off. 

AVG reports no problems here.  I cannot find anything with google about actually detecting the thing.  Could it be a hoax?
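
On the question in Reply #15 of telling an MP3 from a WMA by content, here is an added example that is not part of any post in this thread. It compares the leading bytes against the ASF Header Object GUID (the container signature of WMA/WMV) and the MPEG audio frame sync, and lists files named `.mp3` whose content is ASF. The function names are hypothetical and the sample files are constructed headers, not real audio or samples of the trojan.

```python
import os
import tempfile

# ASF Header Object GUID as stored on disk; WMA and WMV files begin with it.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

def is_mpeg_audio_frame(b):
    """True if b starts with a plausible MPEG audio frame header (no reserved values)."""
    if len(b) < 4 or b[0] != 0xFF or (b[1] & 0xE0) != 0xE0:
        return False                       # 11-bit frame sync missing
    version, layer = (b[1] >> 3) & 3, (b[1] >> 1) & 3
    bitrate, samplerate = b[2] >> 4, (b[2] >> 2) & 3
    return version != 1 and layer != 0 and bitrate != 15 and samplerate != 3

def sniff_container(path):
    """Classify as 'asf', 'mp3' or 'unknown' from content, ignoring the name."""
    with open(path, "rb") as f:
        head = f.read(16)
        if len(head) >= 10 and head[:3] == b"ID3":
            # Skip the ID3v2 tag: 10-byte header plus a 28-bit synchsafe size.
            size = head[6] << 21 | head[7] << 14 | head[8] << 7 | head[9]
            f.seek(10 + size)
            head = f.read(16)
    if head.startswith(ASF_HEADER_GUID):
        return "asf"
    return "mp3" if is_mpeg_audio_frame(head) else "unknown"

def find_disguised_asf(root):
    """Paths under root named *.mp3 whose content is an ASF container."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(".mp3") and sniff_container(full) == "asf":
                hits.append(full)
    return sorted(hits)

def build_sample_dir():
    """Constructed sample files: headers only, not playable audio."""
    d = tempfile.mkdtemp()
    frame = b"\xff\xfb\x90\x00" + b"\x00" * 64
    samples = {
        "real.mp3": frame,
        "tagged.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x0a" + b"\x00" * 10 + frame,
        "disguised.mp3": ASF_HEADER_GUID + b"\x00" * 64,
        "honest.wma": ASF_HEADER_GUID + b"\x00" * 64,
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d

if __name__ == "__main__":
    for path in find_disguised_asf(build_sample_dir()):
        print("named .mp3 but content is ASF (WMA/WMV):", path)
```

A hit only shows that the extension and the container disagree; it does not inspect the file's tags and says nothing about whether the PC itself is infected.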

Reply #16
In this Yahoo press release, HA is mentioned as discussing this new trojan horse virus. JXL (JunkieXL) and CiTay are quoted in the article.

Edit: Spelling
Surf's Up!
"Columnated Ruins Domino"

Reply #17
In this Yahoo press release, HA is mentioned as discussing this new trojan horse virus. JXL (JunkieXL) and CiTay are quoted in the article.

Edit: Spelling


It really makes me smile to see Hydrogenaudio cited by mainstream press. It's been a long journey, but now it feels like we're getting some recognition, even if the name is misspelled in the article.

I wonder if that's enough to make Hydrogenaudio a credible site by Wikipedia standards? Puts a bit of a different spin on the foobar2000 Votes for Deletion page that was up a while back.

I know this is quite off-topic, but there's really nowhere else I'd trust for information about something like this.

Reply #18
What's so special about that, that it justifies a news entry?
That's a very silly thing to say, Lyx. For most normal users, this could be the biggest digital audio news story since they bought an mp3 player.

Still doesn't make sense. Are we now going to report on every WMP exploit out there? You know, in that case, this website really would frequently have "news" :-)

And no, I have no pity for those "poor noobs".... not because they are noobs, but because they are unwilling to do something about their noobness - they want to use something without understanding it - permanently.... exactly the target audience, which created this kind of "market". And with this noobness, I do not just mean in-depth tech knowledge, but more specifically a mindset which is investigative and self-determined - simple observations, asking questions like "is this trustworthy?" and taking consequences. It doesn't take years to get that Microsoft products are not trustworthy.... if one does already - for practical reasons - use an MS OS, then at least keep the amount of additional MS apps down. Computers are not for everyone, because they are powerful and networked.... without the required responsibility, you get a market of slaves-by-choice... and where there are slaves, there will be abuse.

All I see here, is something coming full circle.... again.
I am arrogant and I can afford it because I deliver.

Reply #19
Hope this will boost up the adoption of OGG/Vorbis... dhehe !


Reply #21
And that is why a computer should never be operated with Administrator/root privileges, but only as a regular/limited user. Unfortunately, the default setup of most Microsoft operating systems is still to always use the computer with full rights, and I can predict that such a trojan will fool many people.

Reply #22
And that is why a computer should never be operated with Administrator/root privileges, but only as a regular/limited user. Unfortunately, the default setup of most Microsoft operating systems is still to always use the computer with full rights, and I can predict that such a trojan will fool many people.


This has nothing to do with user permissions or even the OS. The fundamental issue is that the user is compelled to download something from an unreputable source, and the installation process is made absolutely trivial. If WMP were ported to Linux and run by non-root the exact same issues would pop up, except that perhaps gaining root access becomes slightly harder for the malware.

Disabling MS's codec autodownload is the obvious and straightforward solution, and/or making all codec downloads occur from a centralized location.

Reply #23
The fundamental issue is that the user is compelled to download something from an unreputable source

Not exactly.  No one compelled the user to download an infected media file from a disreputable source.

Reply #24
I've used WMP for video playback and I can understand how this would happen to the average user.  People typically "trust" Microsoft  applications and follow the suggestions they provide.  Not really the smartest thing to do, but I can see how it happens.

Microsoft needs to make the codecs available in a safer environment instead of pointing their users to outside 3rd party sources.  For instance...any time there is a codec update with iTunes you are provided with the new codec through a secure source from Apple usually included within the program itself.  WMP player just provides a bunch of links and tries to sell you the codec bundles off of their website or have you upgrade WMP to the pro versions...
JXL

edit: grammar