Trojan.Wimad.Gen.1 (aliases: WMA/TrojanDownloader.GetCodec.gen trojan, EXP/ASF.GetCodec.Gen, WMA:Wimad, Trojan-Downloader.WMA.GetCodec, Trojan.Wimad)
SYMPTOMS: When an ASF file is played, a browser window opens on a specific website that downloads a piece of malicious software.

[Screenshot: the browser window opened by Windows Media Player while playing such a file]

TECHNICAL DESCRIPTION: First let's look at what an ASF file is. According to Microsoft: "Advanced Systems Format (ASF) is an extensible file format designed to store coordinated digital media data. It supports data delivery over a wide variety of networks and is also suitable for local playback." The full format specification is available from the vendor at http://www.microsoft.com/windows/windowsmedia/forpros/format/asfspec.aspx

Put shortly, ASF is a container that stores media data in different encodings; Windows Media Audio (.WMA) and Windows Media Video (.WMV) files are both ASF files. Before defining the detection, let's look at the ASF file format itself; we will only follow the path through the headers that leads to the abused script command. A file is divided into three parts (objects):

1. Header Object, which contains, in no particular order, a number of other ASF header objects (the Script Command Object described below is one of them).
2. Data Object, which contains the digital media data stored in ASF Data Packets of fixed length, sorted in order of appearance.
3. Index objects (optional).

ASF uses GUIDs (Globally Unique Identifiers) to mark the start of every object; on disk a GUID is stored in the usual Windows byte order (the first three fields little-endian, the last eight bytes as written), so a file starts with the bytes 30 26 B2 75 8E 66 CF 11. The Header Object has the GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C and looks like this:

Object ID (GUID, 16 bytes)
Object Size (QWORD, 8 bytes)
Number of Header Objects (DWORD, 4 bytes)
Reserved1 (BYTE, 1 byte)
Reserved2 (BYTE, 1 byte)
Header objects (varies)
The Header Object can contain a Script Command Object (GUID 1EFB1A30-0B62-11D0-A39B-00A0C90348F6), laid out as follows:

Object ID (GUID, 16 bytes)
Object Size (QWORD, 8 bytes)
Reserved (GUID, 16 bytes)
Commands Count (WORD, 2 bytes)
Command Types Count (WORD, 2 bytes)
Command Types (varies)
Commands (varies)

The Command Types Count announces the number of Command Type entries that follow; likewise Commands Count gives the number of Command entries. Command Type structure:

Command Type Name Length (WORD, 2 bytes)
Command Type Name (WCHAR array, varies)

Commands structure:

Presentation Time (DWORD, 4 bytes)
Type Index (WORD, 2 bytes)
Command Name Length (WORD, 2 bytes)
Command Name (WCHAR array, varies)
The Command Type Name Length field specifies the number of Unicode characters (not bytes) in the Command Type Name field; the same goes for Command Name Length and Command Name, so a parser must read twice that many bytes. The Type Index of each command selects one of the Command Types. The abused feature is the URLANDEXIT command type: when Windows Media Player executes a command of that type it opens the URL given in the Command Name field, and the malware authors put a malware distribution website there. There are numerous examples of such websites: isvbr.net, fastmp3player.com, missing-codecs.net, seonomad.com. For malicious files downloaded from these we have detections such as Trojan.Downloader.JLKD, Trojan.Downloader.JKNX and Adware.PlayMP3z.

You can disable this behavior by setting the following registry value:

HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\URLAndExitCommandsEnabled = 0

Note that the value lives under HKEY_CURRENT_USER, so it has to be set in each user's profile. As you can see from the scheme described here, it is rather simple to build programs that "infect" ASF files and give your media data this unwanted behavior.

Removal instructions: Set the following registry value:

HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\URLAndExitCommandsEnabled = 0

Please let BitDefender disinfect your files.

ANALYZED BY: Daniel Chipiristeanu, virus researcher
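The following is an added example, not code from the original analysis or from BitDefender: a small Python parser that walks an ASF Header Object by GUID, decodes the Script Command Object fields described above (reading the name lengths as Unicode characters, two bytes each, and refusing object sizes that run past the buffer), and reports every URL that an URLANDEXIT command would hand to the browser. The sample headers are constructed inline with the example's own builder functions; the URL in them is a placeholder rather than one of the sites named above, and the case-insensitive comparison of the command type name is a conservative choice of this example, not something the specification states.

```python
import struct
import uuid

# Object GUIDs from the ASF specification. On disk a GUID uses the Windows
# mixed-endian layout, which is what uuid.UUID(...).bytes_le produces (so an
# ASF file starts with 30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C).
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")
ASF_SCRIPT_COMMAND_RESERVED = uuid.UUID("4B1ACBE3-100B-11D0-A39B-00A0C90348F6")
URLANDEXIT = "URLANDEXIT"  # command type whose Command Name is a URL for the browser


def _wchar(text):
    """WCHAR array (UTF-16LE); ASF length fields count characters, not bytes."""
    return text.encode("utf-16-le")


def build_script_command_object(command_types, commands):
    """Serialize a Script Command Object from type names and
    (presentation_time_ms, type_index, command_name) tuples."""
    body = ASF_SCRIPT_COMMAND_RESERVED.bytes_le
    body += struct.pack("<HH", len(commands), len(command_types))
    for name in command_types:
        enc = _wchar(name)
        body += struct.pack("<H", len(enc) // 2) + enc
    for pres_time, type_index, name in commands:
        enc = _wchar(name)
        body += struct.pack("<IHH", pres_time, type_index, len(enc) // 2) + enc
    # Object Size covers the GUID, the size field itself and the body.
    return ASF_SCRIPT_COMMAND_OBJECT.bytes_le + struct.pack("<Q", 24 + len(body)) + body


def build_header_object(children):
    """Wrap child objects in a top-level Header Object (30 fixed bytes, then children)."""
    payload = b"".join(children)
    fixed = struct.pack("<QIBB", 30 + len(payload), len(children), 0x01, 0x02)
    return ASF_HEADER_OBJECT.bytes_le + fixed + payload


def parse_script_commands(data):
    """Walk the Header Object by GUID and decode the first Script Command Object.
    Returns (command_types, [(presentation_time_ms, type_name_or_None, command_name)]),
    or ([], []) when there is no Script Command Object."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF Header Object")
    header_size, count = struct.unpack_from("<QI", data, 16)
    pos, end = 30, min(header_size, len(data))
    for _ in range(count):
        if pos + 24 > end:
            break
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:          # never trust Object Size blindly
            raise ValueError("malformed object size at offset %d" % pos)
        if guid == ASF_SCRIPT_COMMAND_OBJECT:
            return _parse_script_command_body(data[pos + 24:pos + size])
        pos += size
    return [], []


def _parse_script_command_body(body):
    if len(body) < 20 or uuid.UUID(bytes_le=body[:16]) != ASF_SCRIPT_COMMAND_RESERVED:
        raise ValueError("bad Script Command Object reserved GUID")
    commands_count, types_count = struct.unpack_from("<HH", body, 16)

    def read_wchar(at, nchars):
        raw = body[at:at + 2 * nchars]              # 2 bytes per character
        if len(raw) != 2 * nchars:
            raise ValueError("truncated string in Script Command Object")
        return raw.decode("utf-16-le", errors="replace"), at + 2 * nchars

    types, commands, pos = [], [], 20
    try:
        for _ in range(types_count):
            (n,) = struct.unpack_from("<H", body, pos)
            name, pos = read_wchar(pos + 2, n)
            types.append(name)
        for _ in range(commands_count):
            pres_time, idx, n = struct.unpack_from("<IHH", body, pos)
            name, pos = read_wchar(pos + 8, n)
            # A Type Index past the type table is invalid: keep the command, mark the type None.
            commands.append((pres_time, types[idx] if idx < len(types) else None, name))
    except struct.error:
        raise ValueError("truncated Script Command Object")
    return types, commands


def find_urlandexit(data):
    """URLs that URLANDEXIT commands in this header would hand to the browser."""
    _, commands = parse_script_commands(data)
    # Case-insensitive match is an assumption of this example, not a spec statement.
    return [name for _, type_name, name in commands
            if type_name is not None and type_name.upper() == URLANDEXIT]


# Constructed samples (not real malware): a header with one URLANDEXIT command
# pointing at a placeholder URL, and one with only a benign TEXT command.
SAMPLE_MALICIOUS = build_header_object([build_script_command_object(
    ["URLANDEXIT"], [(0, 0, "http://codec-download.example.invalid/")])])
SAMPLE_CLEAN = build_header_object([build_script_command_object(
    ["TEXT"], [(5000, 0, "Chapter 1")])])

if __name__ == "__main__":
    print("malicious:", find_urlandexit(SAMPLE_MALICIOUS))   # the placeholder URL
    print("clean:", find_urlandexit(SAMPLE_CLEAN))           # []
```

To scan a real file, read its first few megabytes and pass the bytes to find_urlandexit; the walk stops at the Header Object's own Object Size, so the Data Object never needs to be loaded. The two size checks matter in practice: a crafted Object Size or Command Name Length that points past the buffer is exactly what a careless parser will trip over, and the function raises ValueError instead of reading garbage.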