
Trojan:Win32/Fakemedia.A


First posted on 30 June 2009.
Source: SecurityHome

Aliases :

Trojan:Win32/Fakemedia.A is also known as Win-Trojan/Fakealert.12288.F (AhnLab), Win32/TrojanDownloader.FakeAlert.ACS (ESET), not-a-virus:FraudTool.Win32.MediaCodec (Kaspersky), Generic PUP.x!k (McAfee), Troj/Fakevir-MP (Sophos), Fraudtool.MediaCodec.A (VirusBuster).

Explanation :

Trojan:Win32/Fakemedia.A is a trojan that displays a message suggesting the computer requires a codec to play certain media files while at the same time launching a Web browser to a site claiming to sell codec software.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    %TEMP%\mediacodec.exe
  • The presence of the following registry modifications:
    Value: "mediacodec.exe"
    With data: "%TEMP%\mediacodec.exe"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Installation
When run, this trojan copies itself as '%TEMP%\mediacodec.exe'. The registry is modified to run the dropped copy at each Windows start.

Adds value: "mediacodec.exe"
With data: "%TEMP%\mediacodec.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

The dropped copy is then launched.

Payload
Terminates Windows Media Player
Trojan:Win32/Fakemedia.A searches running processes for 'wmplayer.exe' (Windows Media Player). If Windows Media Player is found, the trojan closes the application and displays a message window with the following text:

"Windows can't play the following media formats: AVI;WMV;AVS;FLV;MKV;MOV;3GP;MP4;MPG;MPEG;MP3;AAC;WAV;WMA;CDA;FLAC;M4A;MID.
Update your video and sound codec to resolve the issue."

The trojan then launches a Web browser to the site 'vscodec-pro.com' to display a site claiming to sell codec software. The trojan may create an icon in the system tray that displays a message with the following content:

"Fatal Error! The media system on your computer is corrupt. Update your sound and video codec immediately to resolve this issue."

Additional Information
The trojan makes the following additional registry modification:

Adds value: "8636065b-fef0-4255-b14f-54639f7900a4"
With data: "8636065b-fef0-4255-b14f-54639f7900a4"
To subkey: HKCU\Software

    Analysis by Tim Liu

    Last update 30 June 2009
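
A host check for the indicators listed under Symptoms, Installation and Additional Information, as an added example that is not part of the original write-up. It assumes PowerShell 4.0 or later (for Get-FileHash) and that it runs as the user under examination; the helper names Get-RegValue and New-Finding are hypothetical.

```powershell
# Added example: looks for the Trojan:Win32/Fakemedia.A indicators described on this page.
# Every indicator is per-user (HKCU, %TEMP%), so run this as the user being examined.
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$swKey    = 'HKCU:\Software'
$runName  = 'mediacodec.exe'
$marker   = '8636065b-fef0-4255-b14f-54639f7900a4'
$dropPath = Join-Path $env:TEMP 'mediacodec.exe'

# Hypothetical helper: returns the value's data, or nothing if the key or value is absent.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Hypothetical helper: builds one row of the report.
function New-Finding {
    param([string]$Indicator, [string]$Location, [string]$Detail)
    [pscustomobject]@{ Indicator = $Indicator; Location = $Location; Detail = $Detail }
}

$findings = @()

# Autostart entry added at installation.
$runData = Get-RegValue -Path $runKey -Name $runName
if ($null -ne $runData) {
    $findings += New-Finding 'Run value' "$runKey\$runName" $runData
}

# Dropped copy of the trojan; the hash is recorded for later comparison.
if (Test-Path -LiteralPath $dropPath -PathType Leaf) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += New-Finding 'Dropped file' $dropPath "SHA256 $hash"
}

# GUID-named value written directly under HKCU\Software.
$markerData = Get-RegValue -Path $swKey -Name $marker
if ($null -ne $markerData) {
    $findings += New-Finding 'Marker value' "$swKey\$marker" $markerData
}

# The dropped copy is launched after installation, so list matching processes with their paths.
foreach ($p in (Get-Process -Name 'mediacodec' -ErrorAction SilentlyContinue)) {
    $findings += New-Finding 'Running process' "$($p.Path)" "PID $($p.Id)"
}

if ($findings.Count -eq 0) { 'No Fakemedia.A indicators found for this user.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A process named mediacodec that runs from somewhere other than the user's temporary folder is not described on this page and should be judged by its path.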

     
