approx. 5 MB


When a ".wma" file (a media file extension) is opened, the following behavior is observed:
  1. A browser page opens to a certain webpage ( )
  2. It tries to download and execute (when the user clicks Run in IE) a piece of malware from the mentioned site.
  3. The file offered for download is named "Codec.exe" and carries the Windows Media Player icon (the name can vary, for example "PLAY_MP3.exe").

Note that the file could have any other extension that Windows Media Player can handle, such as ".asf", ".wmw", ".aiff", ".midi" or others.

Here is a screenshot of the malware in action.

Removal instructions:

Usually, the file is unusable and should be deleted from your computer.
Please let BitDefender disinfect your files.

Analyzed By

Daniel Chipiristeanu, virus researcher

Technical Description:

This is another copy of Trojan.Downloader.WMA.Wimad. It behaves in a similar way and even downloads from the same webpage ( ), which means that its authors have been exploiting it for a long time with no modifications to the attack scheme.

It is a file disguised under a common media file extension, meant to trick the user into downloading and executing a piece of malware. It usually exploits a false claim that your software configuration is unable to play this kind of media. Because of the common misconception that malware or viruses are found only in executables, the user could be led to trust this strategy and unknowingly install the downloaded threat.

Basically, the user opens the file in Windows Media Player and gets a browser window that prompts them to download a file named "PLAY_MP3.exe".

This is an abuse of an available feature of the media files rather than an attack on the format itself.

Since it is unable to replicate by itself (it neither infects files, nor copies itself to other locations on a network, nor creates local clones of the file), the piece of malware relies on the local user as its vector of infection (user-based or web-based replication): the file appears in different locations on the internet as a download, through sharing, media downloads or spam. Therefore, the file may be saved under different names referring to various celebrities, events or other generally user-appealing information.
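Because the lure is a media file that sends the player to a web page, a defender can triage downloaded media by looking for URLs embedded in the file. The sketch below is an added example, not Bitdefender's detection logic; the function names, verdict labels and sample bytes are constructed for illustration, and it assumes the URL is stored as plain single-byte or UTF-16LE text.

```python
import re
from pathlib import PurePath

# Extensions named in the description above; adjust to local policy.
MEDIA_EXTS = {".wma", ".asf", ".wmw", ".aiff", ".midi"}

# Assumption: only single-byte and UTF-16LE URL strings are checked;
# compressed or obfuscated strings are missed by this heuristic.
URL_ASCII = re.compile(rb"https?://[\x21-\x7e]{4,200}")
URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,200}"
)

def find_embedded_urls(data: bytes) -> list[str]:
    """Collect unique URLs found in either encoding, sorted for stable output."""
    urls = {m.group().decode("ascii") for m in URL_ASCII.finditer(data)}
    urls |= {m.group().decode("utf-16-le") for m in URL_UTF16.finditer(data)}
    return sorted(urls)

def triage(filename: str, data: bytes) -> tuple[str, list[str]]:
    """Return (verdict, urls). Verdicts are hypothetical labels for an analyst queue."""
    if PurePath(filename).suffix.lower() not in MEDIA_EXTS:
        return "skipped", []
    urls = find_embedded_urls(data)
    if not urls:
        return "no-url", []
    # A media file that points straight at an executable deserves priority.
    if any(u.lower().split("?")[0].endswith(".exe") for u in urls):
        return "url-to-executable", urls
    # Legitimate media can carry URLs in metadata, so this is review, not proof.
    return "url-present", urls

# Constructed samples (not real malware): filler bytes around a URL.
SAMPLE_LURE = (b"\x00" * 64
               + "http://codec.example.invalid/get".encode("utf-16-le")
               + b"\x00\x00" + b"\xff" * 32)
SAMPLE_PLAIN = b"\x00" * 64 + b"\xff" * 128

if __name__ == "__main__":
    for name, blob in [("clip.wma", SAMPLE_LURE), ("song.wma", SAMPLE_PLAIN)]:
        print(name, triage(name, blob))
```

Files flagged "url-present" still need an analyst or a scanner to judge the destination, since a URL in media metadata is not malicious on its own.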