
TrojanDownloader:ASX/Wimad


First posted on 15 February 2019.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:ASX/Wimad.

Explanation:

TrojanDownloader:ASX/Wimad is a family of malicious URL script commands found in Advanced Systems Format (ASF) files, a file format used by Windows Media, that download arbitrary files.

Attack overview

In July 2008, we observed that Trojan:Win32/Gecedoc.A was capable of altering media files with the following extensions:

.asf, .mp2, .mp3, .wma, .wmv

The attack on media files targets a legitimate feature of the Advanced Systems Format (ASF): the Script Command, carried in the ASF_Script_Command_Object defined in the ASF Header. This threat alters the media file so that Windows Media Player handles a malicious URL script command embedded in a stream. Thus, when the altered ASF file is played, the malicious URL is interpreted and the media player responds to the script command.

TrojanDownloader:ASX/Wimad is a detection for malicious URL script commands found in altered media files.
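The following Python script is an added illustration, not part of the original Microsoft write-up, showing how a defender can triage a suspicious media file by walking the ASF Header Object and listing the entries of its Script Command Object, which is where the URL command described above lives. The object GUIDs and field layouts are taken from the ASF specification referenced under "Additional information"; the sample header it builds is a constructed test fixture (with a placeholder URL), not a real Wimad sample.

```python
import struct
import uuid

# Object GUIDs from the ASF specification. ASF stores GUIDs in little-endian
# mixed byte order, which uuid's bytes_le / UUID(bytes_le=...) handle.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")
SCRIPT_COMMAND_RESERVED = uuid.UUID("4B1BF7E2-1E9A-11D1-A39B-00A0C90348F6")


def _utf16(buf, off, nchars):
    """Decode an ASF Unicode (UTF-16LE) string of nchars characters at buf[off]."""
    raw = buf[off:off + 2 * nchars]
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")


def _parse_script_object(body):
    """Parse a Script Command Object body (everything after its GUID and size)
    into (presentation_time_ms, command_type, command) tuples."""
    p = 16                                          # skip the Reserved GUID
    cmd_count, type_count = struct.unpack_from("<HH", body, p)
    p += 4
    types = []
    for _ in range(type_count):                     # Command Types table
        n = struct.unpack_from("<H", body, p)[0]
        p += 2
        types.append(_utf16(body, p, n))
        p += 2 * n
    cmds = []
    for _ in range(cmd_count):                      # Commands table
        pres_ms, type_idx, n = struct.unpack_from("<IHH", body, p)
        p += 8
        name = _utf16(body, p, n)
        p += 2 * n
        kind = types[type_idx] if type_idx < len(types) else "<bad type index %d>" % type_idx
        cmds.append((pres_ms, kind, name))
    return cmds


def parse_script_commands(data):
    """Walk the top-level objects inside the ASF Header Object and return every
    script command found. Bounds and size checks keep malformed headers from
    looping or reading past the buffer."""
    if len(data) < 30 or uuid.UUID(bytes_le=bytes(data[:16])) != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF file: Header Object GUID missing")
    header_size = struct.unpack_from("<Q", data, 16)[0]
    num_objects = struct.unpack_from("<I", data, 24)[0]
    end = min(header_size, len(data))
    off = 30                                        # GUID + size + count + Reserved1/2
    found = []
    for _ in range(num_objects):
        if off + 24 > end:
            break                                   # truncated header
        guid = uuid.UUID(bytes_le=bytes(data[off:off + 16]))
        size = struct.unpack_from("<Q", data, off + 16)[0]
        if size < 24 or off + size > end:
            break                                   # malformed object size; stop rather than spin
        if guid == ASF_SCRIPT_COMMAND_OBJECT:
            found.extend(_parse_script_object(data[off + 24:off + size]))
        off += size
    return found


def find_url_commands(data):
    """Return only URL-typed commands, the field abused to make the player fetch a URL."""
    return [c for c in parse_script_commands(data) if c[1].upper() == "URL"]


def build_sample_asf(url):
    """Constructed test fixture: a minimal ASF header holding one URL command and one
    FILENAME command. Not a playable file and not a real malware sample."""
    def ustr(s):
        return s.encode("utf-16-le")
    body = SCRIPT_COMMAND_RESERVED.bytes_le
    body += struct.pack("<HH", 2, 2)                # 2 commands, 2 command types
    for t in ("URL", "FILENAME"):
        body += struct.pack("<H", len(t)) + ustr(t)
    body += struct.pack("<IHH", 0, 0, len(url)) + ustr(url)                  # at 0 ms, type 0 = URL
    body += struct.pack("<IHH", 5000, 1, len("next.wma")) + ustr("next.wma")  # at 5 s, type 1
    obj = ASF_SCRIPT_COMMAND_OBJECT.bytes_le + struct.pack("<Q", 24 + len(body)) + body
    inner = struct.pack("<I", 1) + b"\x01\x02" + obj   # one sub-object, Reserved1=1, Reserved2=2
    return ASF_HEADER_OBJECT.bytes_le + struct.pack("<Q", 24 + len(inner)) + inner


if __name__ == "__main__":
    sample = build_sample_asf("http://example.invalid/codec.exe")  # placeholder URL
    for ms, kind, cmd in parse_script_commands(sample):
        print("%6d ms  %-8s %s" % (ms, kind, cmd))
```

Any URL-typed command in a file that arrived from a file-sharing network is a strong triage signal on its own; a command whose target is one of the hosts listed under "Payload" below would match this family outright. The parser only reads the Header Object, so it is safe to run over large media files without loading the Data Object.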

Installation

Some variants of Wimad may arrive as an infected file; for example, infected MP3 and ASF files may be downloaded or shared through P2P file sharing networks.

Files may be infected by Trojan:Win32/Gecedoc.A; files infected by this threat are detected as Wimad. Gecedoc then searches your hard drive for clean media files with the following extensions:

.asf, .mp2, .mp3, .wma, .wmv

If found, the malware alters the file to run a malicious URL script command.

Payload

Downloads arbitrary files  

TrojanDownloader:ASX/Wimad may download arbitrary files, and employ social engineering techniques to assist the malware's execution (see the description for TrojanClicker:ASX/Wimad.CX for details of how social engineering may be used). The following servers have been observed to be contacted for these purposes:

10yearsmusic.com
193.138.172.14
216.93.188.81
68.178.225.162
85.17.138.60
85.17.93.189
ad.winadclient.com
adult.pornparks.com
americansexonline.com
calyeung.com
coolpixhost.biz
cxgr.com
dabao1.cn
darixo.com
drm.ysbweb.com
e-mirrorsite.com
fastmp3player.com
flashupd.com
free.f2player.com
freeaudiocodecs.com
friskypotato.com
funsiteshere.com
go.galaplayer.com
goodtimesplayer.com
hasvideo.net
hotstuffbox.com
installation1.radmp3player.com
isvbr.net
license.mediapassonline.com
lost.to/in.cgi?8
media.downloadmediacentral.com
media.licenseacquisition.org
mediaprovider.info
microsoftmedicenter.com
minisites.mypengo.com
missing-codecs.com
mp.profittrol.com
mp3codec.info
mp3codecdownload.com
mpegcodecupdate.com
msdomains.org
myfirstsexteacher.com
network.adsmarket.com
nms.whenu.com
now.divocodec.com
peertracking.com
pinballpublishernetwork.com
playmoviesx.com
playstream.searchasong.net
pluginprovider.com
primeroute.net
profittable.com
purefunland.com
radarixo.com
realcodec.com
realsexsites.com
redirsystem32.com
remarkablesongslive.com
sameshitasiteverwas.com
selectusers.com
sexnyu.com
sexygirlsluts.com
sharebuddy.ourtoolbar.com
somegreatsongs.com
spweb.whenu.com
surf.to/mp3galaxy
tpbtrack.com
tvcodec.net
upgradecodec.cinedump.com
uwww.exitforcash.com
vidareal2010.pisem.su
vidscentral.net
winbutler.com
winmediapackage.com
wonderfultracks.com

In the wild, we have observed the following files being loaded onto a user's computer following successful exploitation of one of the aforementioned social engineering techniques:

access.exe
asf_codec.exe
Codec.exe
codec_update2.7.exe
mp3_codec_update.exe
mp3codec.exe
PLAY.exe
Play_mp3.exe
SecureInstall_LOFS020701Inst.exe
security-update-KB964085.exe
setupe.exe
Windows_Media_Player_Flash_Codec_Plugin.exe
windows_media_update.exe

Downloads malicious and unwanted programs

In the wild, we have observed variants of TrojanDownloader:ASX/Wimad downloading the following malicious and unwanted programs:

Adware:Win32/Hotbar
Adware:Win32/MegaSwell
Adware:Win32/Mirar
Adware:Win32/Playmp3z
Adware:Win32/WindUpdates
Backdoor:Win32/Lukicsel.A
Exploit:JS/MS09002.C
Trojan:Win32/BHO.LO
Trojan:Win32/FakeXPA
BrowserModifier:Win32/Tango
Trojan:Win32/Lefimy.B
Trojan:Win32/Nebuler.gen!D
Trojan:Win32/VB.IP
Trojan:Win32/Vundo.gen!AN
Trojan:Win32/Vundo.gen!AU
TrojanDownloader:Win32/Matcash.B
TrojanDownloader:Win32/Renos.HL
TrojanDownloader:Win32/Small.gen!F
TrojanDownloader:Win32/Swizzor.gen!L
TrojanDownloader:Win32/Tonick.gen!B
TrojanDownloader:Win32/Tracur.A
Win32/Agent
Win32/VB.XVB

Redirects web browser

Variants of TrojanDownloader:ASX/Wimad may redirect the affected user's web browser to the following:

Phishing websites
Adult content websites
Advertisements

Additional information

The Advanced Systems Format (ASF) is the file format used by Windows Media. Audio and/or video content compressed with a wide variety of codecs can be stored in an ASF file and played back with the Windows Media Player (provided the appropriate codecs are installed), streamed with Windows Media Services or optionally packaged with Windows Media Rights Manager. For more information, refer to the Advanced Systems Format (ASF) specification here: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=14995

Further reading

"Recession, Music, and Wimad"
http://blogs.technet.com/b/mmpc/archive/2009/05/15/recession-music-and-wimad.aspx

ASX/Wimad, a detection for a category of malicious Windows Media® files, was the eleventh most prevalent threat in 2H08.
Microsoft Security Intelligence Report Volume 6: July - December 2008
http://www.microsoft.com/security/sir/archive/default.aspx

ASX/Wimad, the sixteenth malware family detected by Microsoft anti-malware desktop products worldwide, by number of unique infected computers in 1H09.
Microsoft Security Intelligence Report Volume 7: January - June 2009
http://www.microsoft.com/security/sir/archive/default.aspx

ASX/Wimad, the twelfth-most commonly detected threat in 2H09.
Microsoft Security Intelligence Report Volume 8: July - December 2009
http://www.microsoft.com/security/sir/archive/default.aspx

Analysis by Methusela Cebrian Ferrer

Last update 15 February 2019
