First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Trojan.Downloader.WMA.Wimad.Z.

Explanation:

This is another copy of Trojan.Downloader.Wimad.A. It behaves in a similar way and even downloads from the same webpage (hxxp://missing-codecs.net), which means that its authors have been exploiting it for a long time without modifying the attack scheme.

This is an application disguised under a common media file extension, meant to trick the user into downloading and executing a piece of malware. It usually relies on the false claim that your software configuration is unable to play this kind of media. Because of the common misconception that malware or viruses are found only in executables, the user could be led to trust this strategy and install the downloaded threat without realizing it.

Basically, the user opens the file in Windows Media Player and gets a browser window that prompts them to download a file named "Codec.exe".

This is actually abuse of an available feature of media files rather than an attack on the format itself.
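A triage check for the behaviour described above, as an added example that is not part of the original description or the vendor's own code: it walks the header objects of an ASF container (the format behind .wma/.wmv files) and reports any URL embedded in them, flagging links to an executable. The sample file, its object GUID and the host codec-host.example are constructed for illustration, and the assumption is that the URL is stored as a plain ASCII or UTF-16LE string; which header object a real sample uses is not stated on this page.

```python
import re
import struct
import uuid

# ASF Header Object GUID as stored on disk (first 16 bytes of any .wma/.wmv file).
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
URL_ASCII = re.compile(rb"https?://[\x21-\x7e]{4,}")
URL_UTF16 = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}")

def find_urls(blob):
    """Extract URLs stored as ASCII or UTF-16LE strings (assumed encodings)."""
    urls = [m.group().decode("ascii") for m in URL_ASCII.finditer(blob)]
    urls += [m.group().decode("utf-16-le") for m in URL_UTF16.finditer(blob)]
    return urls

def scan_asf_header(data):
    """Return (object_guid, url, wants_exe) for every URL in an ASF header object."""
    if len(data) < 30 or data[:16] != ASF_HEADER_GUID:
        raise ValueError("not an ASF (WMA/WMV) container")
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos, hits = 30, []          # 30 = GUID + size + object count + 2 reserved bytes
    for _ in range(count):
        if pos + 24 > end:
            break               # truncated or malformed header: stop, keep findings
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:
            break
        for url in find_urls(data[pos + 24:pos + size]):
            wants_exe = url.split("?")[0].lower().endswith(".exe")
            hits.append((str(guid), url, wants_exe))
        pos += size
    return hits

def build_sample():
    """Constructed test file: one header object (made-up GUID) holding a URL."""
    url = "http://codec-host.example/Codec.exe".encode("utf-16-le") + b"\x00\x00"
    guid = uuid.UUID("00000000-0000-0000-0000-000000000001").bytes_le
    obj = guid + struct.pack("<Q", 24 + len(url)) + url
    return ASF_HEADER_GUID + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj

if __name__ == "__main__":
    for guid, url, wants_exe in scan_asf_header(build_sample()):
        print(f"object {guid}: {url} (executable download: {wants_exe})")
```

A URL in a media header is not malicious on its own; the hit worth escalating is a media file whose header points the player at an executable download.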

Since it is unable to replicate by itself (it neither infects files nor copies itself to other locations on a network or to local clones of the file), the malware relies on the local user as the infection vector (user-based or web-based replication): the file appears in different locations on the internet as a download, through sharing, media downloads or spam. The file may therefore be saved under different names referencing various celebrities, events or other information that generally appeals to users.

* Modifications have been made to the URL (http -> hxxp).

Last update 21 November 2011