May 22nd, 2008
BCOOL

Howz It 90hoursleep,

I'm not sure what you downloaded. Here is a little information on Trojan.Downloader.WMA.Wimad.N.


While accessing the ".wma" file (a media file extension), the following behavior is noticed:

1. A browser page opens to a certain webpage (fastmp3player.com)
2. It tries to download and execute (when the user hits run on IE) a malware from the mentioned site...

1. This adware usually disguises itself as a "codec" for viewing or listening to media files. It states that without this product the user can't access the wanted file. A sample of this kind of strategy of spreading is explained here: Trojan.Downloader.WMA.Wimad.N
2. A window pops up while the user tries to access a certain kind of exploited media file with the title "Play Free MP3s". It has a checkbox to validate the user's choice of the product's EULA to a company named "Media Holding Enterprises". The user has the predefined choice (the checkbox is already checked) to install another adware: Adware.Mirar.

.................................................. .................................................. .................................................. ..................


This is a disguised application meant to trick the user to download and execute a malware. Usually it states the false incapacity of your software configuration to view this kind of media. Due to the common misconception that malware or viruses are only in executables, the user could be led to trust this strategy and install without his knowledge the downloaded threat.

The file could be saved with different names of various celebrities, usually events or generally appealing things to users. This makes the malware spread with the help of users.

First, the malware opens a browser window to fastmp3player.com, where it gets a file, which is an installer signed with the name Adware.PlayMp3z.A (a detailed description of this malware here: Adware.PlayMp3z.A). The downloaded file is saved with the name "PLAY_MP3.exe".


I hope this helps you or anyone else that runs into this Trojan.

Last edited by BCOOL; May 22nd, 2008 at 01:32 AM.
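A defender-side triage sketch for the behavior described in the post above, added here as an example and not part of the original post or any vendor tool. It assumes the web address is stored as a string inside the media file (the post does not describe the mechanism); the function names and sample bytes are constructed for illustration.

```python
import re

# First 16 bytes of any ASF container (.wma/.wmv/.asf): the ASF Header Object GUID.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

URL_CHAR = rb"[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]"
ASCII_URL = re.compile(rb"https?://" + URL_CHAR + rb"{4,}")
# ASF stores text as UTF-16LE, so each ASCII character is followed by a 0x00 byte.
UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + URL_CHAR + rb"\x00){4,}")

def is_asf(data: bytes) -> bool:
    return data[:16] == ASF_HEADER_GUID

def embedded_urls(data: bytes) -> list:
    """Return every ASCII or UTF-16LE http(s) URL string found in the raw bytes."""
    urls = {m.group().decode("ascii") for m in ASCII_URL.finditer(data)}
    urls |= {m.group().decode("utf-16-le") for m in UTF16_URL.finditer(data)}
    return sorted(urls)

def triage(name: str, data: bytes, watchlist=("fastmp3player.com",)) -> dict:
    """Classify a media file for manual review; a URL alone is not proof of malice."""
    if not is_asf(data):
        verdict, urls = "not-asf", []  # media extension without an ASF header
    else:
        urls = embedded_urls(data)
        if any(w in u.lower() for u in urls for w in watchlist):
            verdict = "watchlist-hit"
        else:
            verdict = "review" if urls else "ok"
    return {"file": name, "verdict": verdict, "urls": urls}

# Constructed sample inputs (not real malware): ASF GUID, padding, optional string.
_PAD = b"\x00" * 32
SAMPLE_SUSPECT = (ASF_HEADER_GUID + _PAD
                  + "http://fastmp3player.com/".encode("utf-16-le") + b"\x00" * 8)
SAMPLE_CLEAN = ASF_HEADER_GUID + _PAD + "Track 01".encode("utf-16-le") + b"\x00" * 8
SAMPLE_RENAMED = b"MZ" + b"\x00" * 62  # not an ASF file at all

if __name__ == "__main__":
    for name, blob in [("song.wma", SAMPLE_SUSPECT), ("clean.wma", SAMPLE_CLEAN),
                       ("odd.wma", SAMPLE_RENAMED)]:
        print(triage(name, blob))
```

Legitimate media files can also carry URLs in their metadata, so a "review" verdict only queues the file for a closer look.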