Kaspersky Lab, a leading developer of systems for protection against malicious and unwanted software, hacker attacks and spam, has announced the detection of a malicious program that infects WMA audio files. The purpose of the infection is to download a Trojan that allows an attacker to take control of the user's computer.
The worm, named Worm.Win32.GetCodec.a, converts mp3 files to WMA format (while keeping the mp3 extension) and adds to them a marker containing a link to an infected web page.
The marker is activated automatically when the file is played and launches Internet Explorer, which opens the infected page, where the user is prompted to download and install a file presented as a codec. If the user agrees to the installation, the Trojan program Trojan-Proxy.Win32.Agent.arp is downloaded to the computer, which the attacker can then use to gain control over the attacked PC.
Until now, Trojans used the WMA format only as a disguise; that is, the infected object was not a music file. What distinguishes this worm is that it infects clean audio files. According to virus analysts at Kaspersky Lab, this is the first case of its kind, and it increases the likelihood of a successful attack, since users usually trust their own media files and do not associate them with the danger of infection.
It should be noted that the file hosted on the fake page carries a digital signature from the company Inter Technologies, and www.usertrust.com, the resource that issued the signature, identifies it as trusted.
Signatures for Worm.Win32.GetCodec.a were added to Kaspersky Lab's anti-virus databases immediately after the worm was detected.
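As an added example (not part of the Kaspersky Lab announcement), the Python check below triages a media file for the two traits described above: WMA (ASF) content behind an mp3 extension, and a script marker in the ASF header. It assumes the "marker" is stored as an ASF Script Command Object, which the announcement does not state; the function names are hypothetical and the sample bytes are constructed.

```python
import struct
import uuid

# GUIDs from the ASF specification; on disk the first three fields are little-endian.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le

def header_object_guids(data):
    """GUIDs of the objects inside the ASF Header Object, or None if data is not ASF."""
    if len(data) < 30 or data[:16] != ASF_HEADER:
        return None
    header_size, count = struct.unpack_from("<QI", data, 16)
    pos, end, guids = 30, min(header_size, len(data)), []
    while pos + 24 <= end and len(guids) < count:
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24:  # malformed object size: stop instead of looping forever
            break
        guids.append(data[pos:pos + 16])
        pos += size
    return guids

def triage(filename, data):
    """Return a list of findings for one file's name and content."""
    guids = header_object_guids(data)
    if guids is None:
        return []
    findings = []
    if filename.lower().endswith(".mp3"):
        findings.append("ASF content behind .mp3 extension")
    if ASF_SCRIPT_COMMAND in guids:  # assumption: the marker lives in this object
        findings.append("ASF Script Command Object present")
    return findings

def make_asf(objects):
    """Build a constructed, minimal ASF header holding (guid, body) objects."""
    packed = b"".join(g + struct.pack("<Q", 24 + len(b)) + b for g, b in objects)
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(packed), len(objects), 1, 2) + packed

# Constructed samples: the script body is placeholder bytes, not a real command list.
SAMPLE_RENAMED = make_asf([(ASF_SCRIPT_COMMAND, b"\x00" * 20)])
SAMPLE_PLAIN_ASF = make_asf([])
SAMPLE_REAL_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x0a" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in [("track.mp3", SAMPLE_RENAMED), ("clip.wma", SAMPLE_PLAIN_ASF),
                       ("song.mp3", SAMPLE_REAL_MP3)]:
        print(name, triage(name, blob) or "no findings")
```

A Script Command Object also appears in legitimate ASF files, so the second finding is a reason to inspect the file, while ASF content in a file named .mp3 is the stronger signal.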