
TrojanDownloader:ASX/Wimad.AD


First posted on 04 February 2009.
Source: SecurityHome

Aliases:

TrojanDownloader:ASX/Wimad.AD is also known as WMA/TrojanDownloader.GetCodec.Gen (ESET), ASF/Wimad!generic (CA).

Explanation:

TrojanDownloader:ASX/Wimad is a detection for malicious Windows media files that are used in order to encourage users to download and execute arbitrary files on an affected machine. When opened with Windows Media Player, these malicious files open a particular URL in a web browser.

Symptoms
There are no obvious symptoms that indicate the presence of this malware on an affected machine.

Installation
TrojanDownloader:ASX/Wimad.AD is a malicious Advanced Streaming Format (ASF) file, which when opened by Windows Media Player, urges a user to download and execute an arbitrary file, as in the following example:
At the time of writing, the file downloaded is identified as TrojanDownloader:Win32/Tracur.A. We strongly suggest that users avoid downloading and executing any files when prompted by Windows Media Player upon opening streaming format files.

Additional Information
Some reports show that the trojan file has been distributed as a malicious MP3 file type that attempts to use social engineering to encourage a user to play it. It has been distributed with suggestive names such as "are you lonesome tonight.mp3", for example.

Also note that the trojan file size is 3,545,425 bytes, but most of its content is filled with zeroes. The file size is padded to around 3 megabytes to make sure that it passes for an average mp3 file.

Note: One of the telltale signs that there might be something wrong with such an "mp3" file is that the compressed file size will be approximately 100 times smaller than the uncompressed one. In our case the zipped file size is 38,368 bytes.

The fact that the file extension is set to mp3 should not be viewed as a characteristic of the trojan; the extension can be changed and the trojan will still try to perform its action as long as the trojan file's extension is registered with the media player (for instance .avi, .asf, .mpg). In the case of the mp3 extension, the format of the trojan file does not follow the mp3 file format convention. This might prompt a media player to issue a warning similar to the following example:

If <Yes> is selected, the trojan file will be processed by the media player. Performing this action, the media player will try to open Internet Explorer and prompt the user to download a file which masquerades as an mp3 codec.
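The size-ratio check described above, written out as an added Python example that is not part of the original writeup: it deflates a buffer to approximate the zip comparison the analyst made, measures how much of the file is literal zero bytes, and additionally checks whether the bytes behind an .mp3 extension are really an ASF container (every ASF/WMA/WMV file begins with the 16-byte ASF Header Object GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C). The 20x ratio threshold, the constructed sample buffers and the function names are assumptions of this example; the writeup's own sample compressed about 92x (3,545,425 bytes to 38,368 bytes), well above it.

```python
import random
import zlib

# ASF Header Object GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C in its on-disk
# (little-endian) byte order; every ASF/WMA/WMV file begins with these bytes.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

# Extensions under which ASF content is expected; anything else (.mp3 in the
# writeup) is a container/extension mismatch worth flagging.
ASF_EXTENSIONS = {"asf", "wma", "wmv"}

# Assumed threshold: genuinely compressed audio deflates to roughly its own
# size (ratio near 1), while the writeup's zero-padded sample shrank ~92x.
RATIO_THRESHOLD = 20.0


def container_format(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the extension."""
    if data.startswith(ASF_HEADER_GUID):
        return "asf"
    if data.startswith(b"ID3"):
        return "mp3"  # ID3v2 tag preceding the MPEG audio frames
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"  # bare MPEG audio frame sync (11 set bits)
    return "unknown"


def compression_ratio(data: bytes) -> float:
    """Uncompressed size divided by deflate-compressed size (what a zip would show)."""
    if not data:
        return 1.0
    return len(data) / len(zlib.compress(data, 9))


def zero_fill_fraction(data: bytes) -> float:
    """Share of the file that consists of literal 0x00 bytes."""
    return data.count(0) / len(data) if data else 0.0


def assess(filename: str, data: bytes, ratio_threshold: float = RATIO_THRESHOLD) -> dict:
    """Apply the writeup's two heuristics and return the findings as a dict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = container_format(data)
    ratio = compression_ratio(data)
    zeros = zero_fill_fraction(data)
    findings = []
    if fmt == "asf" and ext not in ASF_EXTENSIONS:
        findings.append(f"ASF container behind .{ext or '?'} extension")
    if ratio > ratio_threshold:
        findings.append(
            f"compresses {ratio:.0f}x (zero fill {zeros:.1%}), consistent with padding"
        )
    return {
        "file": filename,
        "format": fmt,
        "compression_ratio": round(ratio, 1),
        "zero_fill_fraction": round(zeros, 3),
        "findings": findings,
        "suspicious": bool(findings),
    }


def build_samples() -> dict:
    """Constructed inputs (not real malware): a padded ASF posing as an .mp3,
    and an MP3-like file of incompressible bytes standing in for real audio."""
    # Decoy: ASF header GUID, a little filler, then ~300 KB of zeroes, mimicking
    # the 'mostly zeroes' body the writeup describes (scaled down from 3.5 MB).
    decoy = ASF_HEADER_GUID + b"constructed filler bytes" + bytes(300_000)
    # Benign stand-in: ID3 tag followed by pseudo-random, already-dense data.
    rng = random.Random(0)
    benign = b"ID3" + bytes(rng.getrandbits(8) for _ in range(50_000))
    return {"are you lonesome tonight.mp3": decoy, "song.mp3": benign}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(assess(name, blob))
```

The ratio check catches the padding regardless of which registered extension the file carries (.avi, .asf, .mpg), which is the point the writeup makes; the GUID check only fires when ASF content hides behind a non-ASF extension.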

Analysis by Oleg Petrovsky

Last update 04 February 2009
