Windows Media Player DRM Exploit II



I don't know how many of you know about this one.

I have been seeing a rise in a new way to get you infected with malware. It actually isn't
too new. It is almost two years old. However its use is rising and may become more
prevalent in the coming months.

Here's the deal.

I am seeing new Social Engineering posts in the alt.binaries.* News Groups.
Instead of directly attaching malware, these posts are exploiting the Windows Media Player
DRM.

Being posted are WMV files and when you play the WMV files you have to agree to a EULA and
when you click on "Play Now" it will download SETUP.EXE from static.zangocash.com the EXE
is a malware installer for Zango/180Solutions.

The SETUP.EXE file is fairly well recognized such as;
Ewido: Adware.180Solutions and
Kaspersky: not-a-virus:AdWare.Win32.180Solutions.as

The WMVs are not so well recognized but here is a sampling...

AntiVir -- EXP/WMV.A.1 , EXP/WMV.A.2
AVG -- Downloader.Wimad.B
BitDefender -- Trojan.Wimad.A
Ewido -- Downloader.Wimad.h
Fortinet -- W32/WIMAD.C!tr
Ikarus -- Trojan-Downloader.WMA.Wimad.h
Kaspersky -- Trojan-Downloader.WMA.Wimad.h
UNA -- TrojanDownloader.WMA.Wimad.D7FF

Some of these WMVs are too large to submit as their sizes surpass the maximum submission
size set by the anti malware vendors.

{ I originally Cross-Posted this to microsoft.public.security.virus but the News Server
filters blocked the original post. I am reposting this for those who just read the MS News
Server }

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


.