This malware, which some security companies detect as a worm although in my opinion it should be detected as a trojan, has been called Trojan.GetCodec.A, and it uses a singular infection technique.
After it is executed, the trojan enumerates all files on the system, looking for files with the .MP2, .MP3, .WMA, .WMV or .ASF extensions. When it finds a matching file, it checks whether the file is already infected by analyzing its ASF header for a specific script.
The trojan alters the header of an .ASF file (.WMA and .WMV files are already encoded in the .ASF format) by adding a special script that makes Windows Media Player connect to a specific website and download another piece of malware disguised as a fake codec needed to play the multimedia file.
If the trojan finds a file with the .MP3 or .MP2 extension, it converts it to the .ASF format. The converted file keeps the original file name and extension, and the downloader script is then added to the header of the newly created .ASF file.
The script added by the trojan uses the URLANDEXIT command to make Windows Media Player connect to a website and download the fake codec. Microsoft allows this command to be disabled by changing the value URLAndExitCommandsEnabled to 0 (it is 1 by default) under:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MediaPlayer\Preferences
This infection technique is quite interesting if you think about Peer2Peer. Millions of MP3 files are shared every day and millions of users use Windows Media Player to listen to music. This trojan could potentially start a new trend of infections that attack multimedia files. Until now audio and video files have been relatively harmless, except for malformed files that exploit some player bug or fake .ASF files that contain only a link to a malware website without any audio stream inside.
Anyway, a mass infection like the one followed by this trojan could potentially start a widespread and dangerous new trend.
12 comments so far
- Marco on 21/07/2008 18:28:00
- Rafael Mercado on 22/07/2008 20:32:36
- Matthew on 03/08/2008 02:34:48
- Oto on 25/08/2008 20:48:28
- andre leandro on 17/09/2008 13:35:23
- Steve Herrmann on 30/10/2008 18:22:05
- sello on 07/11/2008 14:20:27
- Nic on 04/02/2009 11:30:13
- Gerry on 05/02/2009 03:24:57
- Tony Brown on 24/09/2009 12:38:09
That's not Windows Media Player by itself that downloads the malware. The embedded script instructs Windows Media Player to open your browser and download malware from there.
Marco
Marco, I'm Rafael Mercado, from Mexico. I just got this trojan (even though Symantec calls it "Trojan.Brisv.A") and it seems that you could have a better idea of how to remove it. I tried to follow the instructions from Symantec but they are confusing to me (specifically I don't understand what should be the "previous" values of the registry entries to be restored).
I had several hundreds of mp3 files in my computer and I don't know how to check how many of them are infected, and if so, if I have to manually delete all of them in order to get the virus off of my computer.
I also read in a blog that there is a program (FS_MP3Fix.zip) that supposedly fixes the infected mp3 files but I'm not sure if it really works in this case. Maybe you can take a look at it and verify how useful this program is. I'll appreciate your help. Thanks in advance.
Hey Marco,
Have you had much success with your cleaner? If so I would ask that you release it as this problem seems to be growing daily with no apparent fix for video files (there is one for mp3 files). Although, the fixes don't detect the trojan itself, rather they just remove the altered code from media files. One website claims that AVG, NOD32, F-Secure, and a couple of other programs detect and remove this issue, however AVG did not work for me.
When will this ASF Getcodec cleaner/healer be published?
Hi! I have hundred mp3 in my computer, and got infected by this trojan... I'm waiting for some program with which I can eliminate this trojan without deleting all my music files...
Hello Marco. Thanks for your help, this is the first post I've found relating to this problem, which I have been trying to track down for days.
You say you will most likely release a cleaner - HAVE YOU?? and if so where can I get it???
thanks again for your help.
Hi
I had this trojan.brisv.A virus that damaged my mp3 files. I removed the virus with symantec fixBrisvA tool. Well that removes the virus. You just run it and it removes the virus. But it does not fix the mp3 files. However FS-mp3fix does fix the mp3 files. But now I have thousands of music folders that I don't have time to go fix them one by one. Is there a way that I can fix all of my folders with just 1 click and every file goes into its rightful folder while the tags also appear?
Thanks
I also have this virus, through limewire. It was spotted by Norton, which directed me to download FixBrisvA.exe, I followed the instructions to remove the virus and now both Norton and FixBrisvA are both saying the virus cannot be found on my system but I am sure it is still here. This is because I know the source of the virus is a particular mp3 file that I still cannot delete, even as admin.
I am planning to stay tuned to this site for an extra info or a solution to the trojan!
Use this stuff all the time, but never bothered myself to understand it all. I got the Bris trojan, and used the symantec fixBrisvA removal tool. Now what??? Are my mpg, wav, etc.. short videos and all contaminated? What about music?? I use nero player for mpg's and music, WMP, and itunes. Is all my media contaminated??? Ready to relaunch the trojan, next time I use, listen or view them???
And what about multiple drives?? I have 3, with my OS on C, and hundreds of my cd's on F. Easily over 300 of my cd's, and I don't even know how much music from online. What, if any, is safe?? Or is all of it Polluted?? Is there a song by song, mpeg by mpe fix, NOW. Or maybe some way to scan and fix them all to come out eventually?? Perhaps record everything polluted to a disc, wipe my drives, reconfigure my computer after wiping everything, then hope to be able to clean this stuff up at some later, undefinable date???
Also, Symantec had registry changes they recommended. I couldn't find any of those specific headings in my registry. None of their recommended fixes were there for me to find and fix. Now what??? My scans are not showing up the Bras trojan, but it IS still infecting my media???? And my registry???
Looked in a bunch of places, but you guys here seemed to be more helpful and knowledgeable about this amazingly intrusive *&^%#$#$%%^ trojan.
Information is more valuable than telling me I'm just screwed. Informed and specific knowledge would be awesome. Ugly or easy, I refuse to carry this ugly thing around. And how safe am I to others??? Is there an easy way to make sure I NEVER SEND THIS TO ANYONE ELSE??
I know...2 long and 2 demanding. Really sorry, but at a loss for the best thing to do. Also happy to reciprocate favors for help : )
undecided, lost, confused; but determined not to be a carrier
Gerry
I don't know If I said it already but ...Great site...keep up the good work. :) I read a lot of blogs on a daily basis and for the most part, people lack substance but, I just wanted to make a quick comment to say I'm glad I found your blog. Thanks, :)
A definite great read..Tony Brown

Marco,
A very interesting post. However, if I have WMP blocked from connecting out (in Online Armor) would this prevent this malware from getting on the PC? ie: would I then be protected.
Ian