Trojan.Wimad.Gen.1
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Trojan.Wimad.Gen.1 is also known as WMA/TrojanDownloader.GetCodec.gen, EXP/ASF.GetCodec.Gen, WMA:Wimad, Trojan-Downloader.WMA.GetCodec, Trojan.Wimad.
Explanation:
First let's look at what an ASF is, according to Microsoft: "Advanced Systems Format (ASF) is an extensible file format designed to store coordinated digital media data. It supports data delivery over a wide variety of networks and is also suitable for local playback." You can see the full format specification from the vendor here: http://www.microsoft.com/windows/windowsmedia/forpros/format/asfspec.aspx
Put shortly, ASF is a container that stores data in different encodings (Windows Media Audio (.WMA) and Windows Media Video (.WMV)).
Before defining the detection, let's look more closely at the ASF file format; we will describe only the path through the headers to the vulnerable script function.
It is divided into three parts (objects):
1. Header Object, which may contain, in no particular order, these other ASF objects:
   - File Properties Object: contains global file attributes.
   - Stream Properties Object: defines a digital media stream and its characteristics.
   - Header Extension Object: allows additional functionality to be added to an ASF file while maintaining backward compatibility.
   - Content Description Object: contains bibliographic information.
   - Script Command Object: contains commands that can be executed on the playback timeline.
2. Data Object: contains digital media data stored in ASF Data Packets of fixed length, sorted in order of appearance.
3. Other Index Objects (which are optional).
ASF uses GUIDs (Globally Unique Identifiers) to mark the start of each ASF object.
The Header Object has the GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C and looks like this:
Field name                Field type  Size (bits)
Object ID                 GUID        128
Object Size               QWORD       64
Number of Header Objects  DWORD       32
Reserved1                 BYTE        8
Reserved2                 BYTE        8
The Header Object can contain a Script Command Object (GUID 1EFB1A30-0B62-11D0-A39B-00A0C90348F6):
Field name           Field type  Size (bits)
Object ID            GUID        128
Object Size          QWORD       64
Reserved             GUID        128
Commands Count       WORD        16
Command Types Count  WORD        16
Command Types        See below   varies
Commands             See below   varies
The Command Types Count field announces the number of Command Types; likewise, Commands Count gives the number of Commands.
Command Type structure:
Field name                Field type  Size (bits)
Command Type Name Length  WORD        16
Command Type Name         WCHAR       varies
Commands:
Field name           Field type  Size (bits)
Presentation Time    DWORD       32
Type Index           WORD        16
Command Name Length  WORD        16
Command Name         WCHAR       varies
The Command Type Name Length field specifies the number of Unicode characters that are found within the Command Type Name field. The same goes for Command Name Length and Command Name.
The abused feature is the URLANDEXIT command type: a Command Type Name of URLANDEXIT takes, as its parameter in the corresponding Command Name field, a malware distribution website.
There are numerous examples of such websites: isvbr.net, fastmp3player.com, missing-codecs.net, seonomad.com. For malicious files from these we have detections such as Trojan.Downloader.JLKD, Trojan.Downloader.JKNX, Adware.PlayMP3z, etc.
You can disable this kind of behaviour by setting the following registry value: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences, "URLAndExitCommandsEnabled" = "0"
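The following is an added example, not BitDefender's code: it walks the Header Object exactly as laid out in the tables above, pulls the Command Types and Commands out of a Script Command Object, and returns any URLANDEXIT command names, which is what a scanner for this family would flag. The ASF sample it builds is constructed test data and the URL in it is a placeholder.

```python
import struct
import uuid
HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")  # GUIDs as given on the page
SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")

def _wstr(buf, off):
    """Read a WORD character count, then that many UTF-16LE (WCHAR) characters."""
    (n,) = struct.unpack_from("<H", buf, off)
    return buf[off + 2:off + 2 + 2 * n].decode("utf-16-le", "replace").rstrip("\x00"), off + 2 + 2 * n

def parse_script_commands(data):
    """Walk the Header Object's sub-objects; return (type name, command name) pairs."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != HEADER_OBJECT:
        raise ValueError("no ASF Header Object GUID at offset 0")
    header_size, count = struct.unpack_from("<QI", data, 16)
    limit, off, found = min(header_size, len(data)), 30, []
    for _ in range(count):
        if off + 24 > limit:
            break  # truncated header
        guid = uuid.UUID(bytes_le=data[off:off + 16])  # GUIDs are stored little-endian
        (size,) = struct.unpack_from("<Q", data, off + 16)
        if size < 24:
            break  # an object cannot be smaller than its own GUID + size fields
        if guid == SCRIPT_COMMAND_OBJECT:
            body = data[off + 24:off + size]
            n_cmd, n_types = struct.unpack_from("<HH", body, 16)  # after the Reserved GUID
            p, types = 20, []
            for _ in range(n_types):  # Command Types come first in the body
                name, p = _wstr(body, p)
                types.append(name)
            for _ in range(n_cmd):  # then the Commands that reference them by index
                _pres_time, idx = struct.unpack_from("<IH", body, p)
                name, p = _wstr(body, p + 6)
                found.append((types[idx] if idx < len(types) else "?", name))
        off += size
    return found

def find_url_and_exit(data):
    """URLs the player would be told to open by URLANDEXIT commands (empty if none)."""
    return [c for t, c in parse_script_commands(data) if t.upper() == "URLANDEXIT"]

def build_sample(commands):
    """Constructed test data: a minimal ASF header with one Script Command Object."""
    w = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    types = sorted({t for t, _ in commands})  # sorted so each Type Index is stable
    body = (uuid.UUID(int=0).bytes_le + struct.pack("<HH", len(commands), len(types))
            + b"".join(w(t) for t in types)
            + b"".join(struct.pack("<IH", 0, types.index(t)) + w(c) for t, c in commands))
    obj = SCRIPT_COMMAND_OBJECT.bytes_le + struct.pack("<Q", 24 + len(body)) + body
    return HEADER_OBJECT.bytes_le + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```

Run `find_url_and_exit(open("file.wma", "rb").read())` on a real file; a non-empty result is the behaviour this page describes.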
As you can see from the scheme described here, it is rather simple to build programs that "infect" ASF files and give your media data unwanted behaviour.
One such example is Trojan.Downloader.GetCodec.B
Last update 21 November 2011