Jul 20th

GetCodec.A says hello to multimedia files

Posted by: Marco Giuliani


A few days ago online media reported sparse news about a new piece of malware that can infect multimedia files, without giving any technical details. Let's look at it in more detail.

This malware, which some security companies have decided to detect as a worm while in my opinion it should be detected as a trojan, has been named Trojan.GetCodec.A and uses an unusual infection technique.

This trojan, once executed, enumerates all files on the system looking for those with the .MP2, .MP3, .WMA, .WMV and .ASF extensions. If a matching file is found, the malware checks whether it is already infected by parsing its ASF header and looking for a specific script.

Windows Media uses the Advanced Systems Format (ASF) as its container format. In plain words, it is a format that can hold audio and video streams together with other information such as executable scripts and metadata. All of this is processed by Windows Media Player.

The trojan alters the header of an .ASF file (.WMA and .WMV files are already encoded in the ASF format) by adding a script that makes Windows Media Player connect to a specific website and download another piece of malware disguised as a codec supposedly needed to play the file.

If the trojan finds a file with an .MP3 or .MP2 extension, it first converts it to the ASF format. The converted file keeps the original name and extension, and the downloader script is then added to the header of the newly created ASF file.

The script added by the trojan uses the URLANDEXIT command to make Windows Media Player connect to a website and download the fake codec. Microsoft allows this command to be disabled by setting the value URLAndExitCommandsEnabled to 0 (the default is 1) under:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\MediaPlayer\Preferences.
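The two traces described above (an ASF container hiding behind an .MP2/.MP3 name, and a URLANDEXIT script command in the ASF header) are both visible to a defender who parses the file header. The scanner below is an added example written for this post, not code from the author or from any vendor tool: it walks a music folder, parses the ASF Header Object and its Script Command Object according to the public ASF specification (the object GUIDs, the UTF-16 command-type and command-name strings and the field widths are taken from that spec, and are assumptions as far as this post is concerned), and reports each file that is an ASF container under an MP2/MP3 name or that carries a URLANDEXIT command. The build_sample_asf helper only constructs a bare header with a placeholder URL so the scanner can be run offline; it is a test fixture and not a sample of the trojan's output.

```python
"""Scan media files for the two traces the post attributes to Trojan.GetCodec.A:
an ASF container behind a .mp2/.mp3 name, and a URLANDEXIT script command in the
ASF Script Command Object. Added example; the layout follows the public ASF spec."""
import os
import struct
import uuid

# Object GUIDs from the ASF specification; bytes_le gives their on-disk byte order.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le
ASF_SCRIPT_COMMAND_RESERVED = uuid.UUID("4B1ACBE3-100B-11D0-A39B-00A0C90348F6").bytes_le
MEDIA_EXTENSIONS = {".mp2", ".mp3", ".wma", ".wmv", ".asf"}  # extensions the trojan targets

def iter_header_objects(data):
    """Yield (guid, body) for every object nested in the top-level Header Object."""
    if len(data) < 30 or data[:16] != ASF_HEADER_OBJECT:
        return  # not an ASF file
    header_size, count = struct.unpack_from("<QI", data, 16)
    end, pos = min(header_size, len(data)), 30  # 16 GUID + 8 size + 4 count + 2 reserved
    for _ in range(count):
        if pos + 24 > end:
            break
        guid = data[pos:pos + 16]
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:
            break  # truncated or lying size field: stop rather than read past the end
        yield guid, data[pos + 24:pos + size]
        pos += size

def parse_script_command_object(body):
    """Decode a Script Command Object body into (time_ms, type, name) tuples."""
    commands_count, types_count = struct.unpack_from("<HH", body, 16)  # 16: reserved GUID
    pos, types, commands = 20, [], []
    for _ in range(types_count):
        (n,) = struct.unpack_from("<H", body, pos)  # length in UTF-16 code units
        types.append(body[pos + 2:pos + 2 + 2 * n].decode("utf-16-le"))
        pos += 2 + 2 * n
    for _ in range(commands_count):
        time_ms, type_index, n = struct.unpack_from("<IHH", body, pos)
        name = body[pos + 8:pos + 8 + 2 * n].decode("utf-16-le")
        pos += 8 + 2 * n
        if type_index >= len(types):
            raise ValueError("command references an undeclared type")
        commands.append((time_ms, types[type_index], name))
    return commands

def urlandexit_targets(data):
    """URLs carried by URLANDEXIT commands; a malformed script object is reported too."""
    hits = []
    for guid, body in iter_header_objects(data):
        if guid != ASF_SCRIPT_COMMAND_OBJECT:
            continue
        try:
            commands = parse_script_command_object(body)
        except (ValueError, struct.error, UnicodeDecodeError):
            hits.append("<malformed script command object>")
            continue
        hits.extend(name for _, ctype, name in commands if ctype.upper() == "URLANDEXIT")
    return hits

def assess_file(path, data):
    """Findings for one file: extension/content mismatch plus every URLANDEXIT target."""
    if data[:16] != ASF_HEADER_OBJECT:
        return []  # a real MP3 (or anything non-ASF) carries no ASF script
    findings = []
    if os.path.splitext(path)[1].lower() in {".mp2", ".mp3"}:
        findings.append("ASF container behind an MP2/MP3 name (file was converted)")
    findings.extend("URLANDEXIT -> " + url for url in urlandexit_targets(data))
    return findings

def scan_tree(root):
    """Walk `root` like the trojan does, but only to report files with findings."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in MEDIA_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(1 << 24)  # the Header Object sits at the start of the file
            findings = assess_file(path, data)
            if findings:
                report[path] = findings
    return report

def build_sample_asf(commands):
    """Constructed fixture: a bare ASF header holding only a Script Command Object
    (no audio stream), so the scanner can be exercised offline."""
    types = sorted({ctype for _, ctype, _ in commands})
    body = ASF_SCRIPT_COMMAND_RESERVED + struct.pack("<HH", len(commands), len(types))
    for t in types:
        enc = t.encode("utf-16-le")
        body += struct.pack("<H", len(enc) // 2) + enc
    for time_ms, ctype, name in commands:
        enc = name.encode("utf-16-le")
        body += struct.pack("<IHH", time_ms, types.index(ctype), len(enc) // 2) + enc
    obj = ASF_SCRIPT_COMMAND_OBJECT + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER_OBJECT + struct.pack("<QI", 30 + len(obj), 1) + b"\x01\x02" + obj
```

Calling scan_tree on a music folder returns a dictionary of path to findings; an .MP3 that is really an ASF container is flagged even when its script has been stripped, because the conversion itself is something the trojan, not the user, did. The parser stops at the first inconsistent size field instead of trusting it, and a Script Command Object it cannot decode is reported rather than ignored, since a hand-crafted header is exactly what one expects from an infected file.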

This infection technique is quite interesting when you think about peer-to-peer networks. Millions of MP3 files are shared every day, and millions of users use Windows Media Player to listen to music. This trojan could start a new trend of infections that target multimedia files. Until now audio and video files have been relatively harmless, apart from malformed files that exploit a player bug, or fake .ASF files that contain only a link to a malware website and no audio stream at all.

In any case, a mass infection like the one carried out by this trojan could start a widespread and dangerous new trend.

At present, user interaction is needed for the fake codec to get fully installed, but nobody can rule out something worse in the near future.

4 comments so far

IDH on 21/07/2008 16:19:08

Marco,

A very interesting post. However, if I have WMP blocked from connecting out (in Online Armor), would this prevent this malware from getting on the PC? I.e. would I then be protected?

Ian

Marco on 21/07/2008 18:28:00

It's not Windows Media Player by itself that downloads the malware. The embedded script instructs Windows Media Player to open your browser and download the malware from there.

Marco

Rafael Mercado on 22/07/2008 20:32:36

Marco, I'm Rafael Mercado, from Mexico. I just got this trojan (even though Symantec calls it "Trojan.Brisv.A") and it seems that you could have a better idea of how to remove it. I tried to follow the instructions from Symantec but they are confusing to me (specifically, I don't understand what the "previous" values of the registry entries to be restored should be).

I had several hundred mp3 files on my computer and I don't know how to check how many of them are infected, and if so, whether I have to manually delete all of them in order to get the virus off my computer.

I also read in a blog that there is a program (FS_MP3Fix.zip) that supposedly fixes the infected mp3 files, but I'm not sure if it really works in this case. Maybe you can take a look at it and verify how useful this program is. I'll appreciate your help. Thanks in advance.

Marco Giuliani on 24/07/2008 08:30:17

Hello,

the program you've named should (I haven't checked it in depth, sincerely) remove the ASF script because it converts WMA files back to MP3. At least, this should be its job.

Anyway, we've written a cleaner for this infection. It's for internal use at the moment, but we'll most likely release it to the public.

Best regards.
