Windows Media Player DRM Exploit II



I don't know how many of you know about this one.

I have been seeing a rise in a new way to get you infected with malware. It actually isn't
too new. It is almost two years old. However, its use is rising and may become more
prevalent in the coming months.

Here's the deal.

I am seeing new Social Engineering posts in the alt.binaries.* News Groups.
Instead of directly attaching malware, these posts are exploiting the Windows Media Player
DRM.

Being posted are WMV files, and when you play the WMV files you have to agree to a EULA,
and when you click on "Play Now" it will download SETUP.EXE from static.zangocash.com.
The EXE is a malware installer for Zango/180Solutions.

The SETUP.EXE file is fairly well recognized, such as:
Ewido: Adware.180Solutions and
Kaspersky: not-a-virus:AdWare.Win32.180Solutions.as

The WMVs are not so well recognized but here is a sampling...

AntiVir -- EXP/WMV.A.1 , EXP/WMV.A.2
AVG -- Downloader.Wimad.B
BitDefender -- Trojan.Wimad.A
Ewido -- Downloader.Wimad.h
Fortinet -- W32/WIMAD.C!tr
Ikarus -- Trojan-Downloader.WMA.Wimad.h
Kaspersky -- Trojan-Downloader.WMA.Wimad.h
UNA -- TrojanDownloader.WMA.Wimad.D7FF

Some of these WMVs are too large to submit, as their sizes surpass the maximum submission
size set by the anti-malware vendors.

{ I originally Cross-Posted this to microsoft.public.security.virus but the News Server
filters blocked the original post. I am reposting this for those who just read the MS News
Server }

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
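
Added example, not part of the original post: a Python parser that lists the license-acquisition URLs a WMV/WMA/ASF file declares in its header, so a file like the ones described above can be triaged without playing it. It assumes the DRM prompt is driven by the ASF Content Encryption and Extended Content Encryption header objects; the GUIDs and field layouts are taken from the ASF specification, not from the post, and the function names and sample URL are hypothetical.

```python
import struct
import uuid

# ASF object GUIDs (from the ASF specification, assumed here), in on-disk byte order
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
CONTENT_ENC = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E").bytes_le
EXT_CONTENT_ENC = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C").bytes_le

def header_objects(buf):
    """Yield (guid, payload) for each object inside the ASF Header Object."""
    if len(buf) < 30 or buf[:16] != ASF_HEADER:
        return
    end = min(struct.unpack_from("<Q", buf, 16)[0], len(buf))
    pos = 30  # GUID(16) + size(8) + object count(4) + 2 reserved bytes
    while pos + 24 <= end:
        size = struct.unpack_from("<Q", buf, pos + 16)[0]
        if size < 24 or pos + size > end:  # malformed or truncated object
            return
        yield buf[pos:pos + 16], buf[pos + 24:pos + size]
        pos += size

def license_urls(buf):
    """Return license-acquisition URLs declared in a WMV/WMA/ASF header."""
    urls = []
    for guid, body in header_objects(buf):
        if guid == CONTENT_ENC:
            # secret data, protection type, key ID, license URL: each length-prefixed
            pos, fields = 0, []
            while len(fields) < 4 and pos + 4 <= len(body):
                n = struct.unpack_from("<I", body, pos)[0]
                fields.append(body[pos + 4:pos + 4 + n])
                pos += 4 + n
            if len(fields) == 4:
                urls.append(fields[3].rstrip(b"\0").decode("latin-1"))
        elif guid == EXT_CONTENT_ENC:
            # 4-byte length, then UTF-16LE XML with the URL in <LAINFO>
            xml = body[4:].decode("utf-16-le", "replace")
            i, j = xml.find("<LAINFO>"), xml.find("</LAINFO>")
            if 0 <= i < j:
                urls.append(xml[i + 8:j])
    return urls

def sample_wmv(url):
    """Constructed header-only sample carrying one Content Encryption Object."""
    def lp(b):  # 4-byte little-endian length prefix
        return struct.pack("<I", len(b)) + b
    body = lp(b"s") + lp(b"DRM\0") + lp(b"kid\0") + lp(url.encode() + b"\0")
    obj = CONTENT_ENC + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```

The ASF header sits at the start of the file, so passing only the leading bytes of a large WMV to license_urls() is enough to get a result; a truncated header just yields fewer objects.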

