Consider the Source, Not Just the File Type

An uptick in malware that infects music files being traded on popular peer-to-peer (P2P) file-sharing networks should give Windows users pause about downloading songs from unknown sources.

Symantec is reporting a spike in the number of audio files infected with what it calls Trojan.Brisv.A (detected as Worm.Win32.GetCodec.a by other antivirus vendors). The malicious software resides in otherwise innocuous-looking Windows Media Audio (.wma) music files; when one is opened, it changes all .mp2 and .mp3 files on the host system to Windows Media Audio (.wma) format.

Audio files altered by the Trojan won't lose their .mp2 or .mp3 file extensions. Rather, the Trojan embeds in each converted media file a placeholder, so that when a victim tries to listen to it, the song is opened up in Windows Media Player. At that point, the victim is prompted to download an audio codec in order to continue playback. If the victim installs the codec, the Trojan installs a program that gives the authors control over the user's system.

Symantec said the fake codec installs software that prompts people to purchase rogue anti-virus software, also known as "scareware," which uses fake security alerts to frighten consumers into paying for bogus computer security programs.

While the Trojan was first spotted last summer, Symantec says it has seen a recent uptick in the number of detections of this malware. The company estimates that between 200,000 and 1.6 million people have downloaded audio files infected with the malware.

Kevin Haley, director of Symantec Security Response, said the Trojan appears to have been created with a so-called "binder," one of several hacker tools freely available that can bundle executable files in with more innocuous-seeming file types, such as text and image files.

"This is a good opportunity to remind users that it's not just .exes [executable files] that can be dangerous to download and run," Haley said.

If you were unfortunate enough to have wrecked your music collection after downloading an audio file infected with this Trojan, you can use Symantec's free fix-it tool, which should remove the Trojan from any affected files.

By Brian Krebs  |  February 6, 2009; 4:52 PM ET
Categories: Fraud, From the Bunker, Latest Warnings, Safety Tips, Web Fraud 2.0


I am shocked to hear that free and potentially pirated content from unknown sources contains a malicious payload. And I am even more shocked that people will grab files from unknown sources, load them onto their computers and not expect any trouble in these times of rampant malware distribution. Truly.

And the sarcasm meter next to my computer just hit 101%, cracking the glass cover.

Brian, as always, thank you for sharing info on recent exploits and the means by which they can be repaired or patched. These tips are practical and applicable across a wide segment of the population.

Posted by: CB12 | February 9, 2009 1:16 PM

Thank you CB12. It's great to have a laugh every day. So where do I get one of those sarcasm meters - is that freeware?

Posted by: kiwi13 | February 10, 2009 9:02 PM

"200,000 to 1.6 million"

That's quite a spread. Symantec must not have any real clue as to the real number, and decided to pull some meaningless numbers out of the air.

Posted by: ronljohnson | February 12, 2009 9:51 PM

The comments to this entry are closed.


© 2010 The Washington Post Company