
ASX/Wimad


First posted on 16 November 2012.
Source: Microsoft

Aliases:

There are no other names known for ASX/Wimad.

Explanation:



ASX/Wimad is a family of malicious URL script commands, embedded in Advanced Systems Format (ASF) files (a file format used by Windows Media Player and other media players), that download arbitrary files.

Attack overview

In July 2008, we observed that Trojan:Win32/Gecedoc.A was capable of altering media files with the following extensions:

  • .asf
  • .mp2
  • .mp3
  • .wma
  • .wmv


The attack on media files specifically targets a legitimate feature of the Advanced Systems Format (ASF): the Script Command, carried in the ASF_Script_Command_Object defined in the ASF Header. This threat alters the media file so that Windows Media Player handles a malicious URL script command embedded in a stream. Thus, when the altered ASF file is played, the malicious URL is interpreted and the media player responds to the script command.

ASX/Wimad is a detection for malicious URL script commands found in altered media files.

Files detected as ASX/Wimad are also found in peer-to-peer (P2P) file sharing networks and IRC channels.



Installation

Some variants of Wimad may arrive as an infected file; for example, infected MP3 and ASF files may be downloaded or shared through P2P file sharing networks.

Files may be infected by Trojan:Win32/Gecedoc.A; files infected by this threat are detected as Wimad. Gecedoc then searches your hard drive for clean media files with the following extensions:

  • .asf
  • .mp2
  • .mp3
  • .wma
  • .wmv


If found, the malware alters the file to run a malicious URL script command.



Payload

Downloads arbitrary files

ASX/Wimad may download arbitrary files, and employ social engineering techniques to assist the malware's execution (see the description for TrojanClicker:ASX/Wimad.CX for details of how social engineering may be used). We've observed Wimad connecting to these websites for that purpose:



In the wild, we have observed the following files run on a computer that has been successfully infected using any of the social engineering techniques:

  • access.exe
  • asf_codec.exe
  • Codec.exe
  • codec_update2.7.exe
  • mp3_codec_update.exe
  • mp3codec.exe
  • PLAY.exe
  • Play_mp3.exe
  • SecureInstall_LOFS020701Inst.exe
  • security-update-KB964085.exe
  • setupe.exe
  • Windows_Media_Player_Flash_Codec_Plugin.exe
  • windows_media_update.exe


Wimad also uses file names with popular cultural references:

  • 07. Dance Again - Jennifer Lopez Pitbull.mp3
  • 17 Back In Time - Pitbull.mp3
  • Abrazame - Camila.mp3
  • Antigo Funk - Stevie B - Spring Love.mp3
  • Good Feeling - Flo Rida.mp3
  • Got 2 Luv U - Sean Paul Alexis Jordan.mp3
  • Somebody That I Used To Know - Gotye Kimbra.mp3
  • Tito El Bambino - Te Comence A Querer(1).mp3
  • We Found Love - Rihanna Calvin Harris (2011 DVD)(3).mp3


Downloads malicious and potentially unwanted programs

In the wild, we have observed variants of ASX/Wimad downloading the following malicious and potentially unwanted programs:

  • Adware:Win32/Hotbar
  • Adware:Win32/MegaSwell
  • Adware:Win32/Mirar
  • Adware:Win32/Playmp3z
  • Adware:Win32/WindUpdates
  • Backdoor:Win32/Lukicsel.A
  • Exploit:JS/MS09002.C
  • Trojan:Win32/BHO.LO
  • Trojan:Win32/FakeXPA
  • BrowserModifier:Win32/Tango
  • Trojan:Win32/Lefimy.B
  • Trojan:Win32/Nebuler.gen!D
  • Trojan:Win32/VB.IP
  • Trojan:Win32/Vundo.gen!AN
  • Trojan:Win32/Vundo.gen!AU
  • TrojanDownloader:Win32/Matcash.B
  • TrojanDownloader:Win32/Renos.HL
  • TrojanDownloader:Win32/Small.gen!F
  • TrojanDownloader:Win32/Swizzor.gen!L
  • TrojanDownloader:Win32/Tonick.gen!B
  • TrojanDownloader:Win32/Tracur.A
  • Win32/Agent
  • Win32/VB.XVB


Redirects web browser

Variants of ASX/Wimad may redirect your web browser to the following:

  • Phishing websites
  • Adult content websites
  • Advertisements
  • Download websites, such as the following:





Additional technical information

The Advanced Systems Format (ASF) is the file format used by Windows Media. Audio and/or video content compressed with a wide variety of codecs can be stored in an ASF file and played back with Windows Media Player (provided the appropriate codecs are installed), streamed with Windows Media Services, or optionally packaged with Windows Media Rights Manager. For more information, refer to the Advanced Systems Format (ASF) specification here: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=14995

Files detected as ASX/Wimad contain a script command that instructs the default video player to open a URL in the browser. Examples of players supporting this feature include, but are not limited to:

  • FFmpeg
  • Flip4Mac
  • MPlayer
  • RealPlayer
  • Windows Media Player
  • Zune


It has been observed to use the following methods to open the URL (in order of observed prevalence in the wild):

  1. Use a script command (such as "URLANDEXIT") in the file header
  2. Use a Digital Rights Management (DRM) header to specify a malicious URL using the DRM license acquisition URL (DRMHeader.LAINFO)
  3. Use a script command supported by Windows Media Player
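
As an added illustration of the first method above (this is example code, not part of the original description or of any Microsoft tool), the following Python walks the ASF Header Object, decodes any Script Command Object it contains, and reports commands whose type makes a player open a URL; it flags the plain "URL" type as well as "URLANDEXIT". The object GUIDs are taken from the ASF specification; the sample header built by build_sample is a constructed test input with a placeholder URL, not a playable media file.

```python
import struct
import uuid
# Object GUIDs from the Advanced Systems Format specification.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")
SCRIPT_RESERVED = uuid.UUID("4B1ACBE3-100B-11D0-A39B-00A0C90348F6")
URL_TYPES = {"URL", "URLANDEXIT"}  # command types that make the player open a URL


def header_objects(data):
    """Yield (guid, payload) for each child object of the ASF Header Object."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER:
        raise ValueError("not an ASF header")
    header_size, count = struct.unpack_from("<QI", data, 16)
    pos, end = 30, min(header_size, len(data))  # 30 = GUID + size + count + 2 reserved bytes
    for _ in range(count):
        if pos + 24 > end:
            break
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24 or pos + size > end:
            break  # do not trust a malformed object size
        yield uuid.UUID(bytes_le=data[pos:pos + 16]), data[pos + 24:pos + size]
        pos += size


def script_commands(payload):
    """Decode a Script Command Object payload into (time_ms, type_name, command)."""
    cmd_count, type_count = struct.unpack_from("<HH", payload, 16)  # after the reserved GUID
    pos, types, commands = 20, [], []
    for _ in range(type_count):  # type table: WORD length in chars, then UTF-16LE name
        n = struct.unpack_from("<H", payload, pos)[0]
        types.append(payload[pos + 2:pos + 2 + 2 * n].decode("utf-16-le"))
        pos += 2 + 2 * n
    for _ in range(cmd_count):  # DWORD presentation time, WORD type index, WORD name length
        t_ms, idx, n = struct.unpack_from("<IHH", payload, pos)
        name = payload[pos + 8:pos + 8 + 2 * n].decode("utf-16-le")
        commands.append((t_ms, types[idx] if idx < len(types) else "?", name))
        pos += 8 + 2 * n
    return commands


def find_url_commands(data):
    """Return every header script command of a URL-opening type, for triage of media files."""
    return [cmd for guid, payload in header_objects(data) if guid == SCRIPT_COMMAND
            for cmd in script_commands(payload) if cmd[1].upper() in URL_TYPES]


def build_sample(url):  # constructed test input: a bare header with one URLANDEXIT command
    def wstr(s):  # WORD length in characters, then UTF-16LE text
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    body = SCRIPT_RESERVED.bytes_le + struct.pack("<HH", 1, 1) + wstr("URLANDEXIT")
    body += struct.pack("<IH", 0, 0) + wstr(url)  # presentation time 0 ms, type index 0
    obj = SCRIPT_COMMAND.bytes_le + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER.bytes_le + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```

Running find_url_commands over a downloaded .wma or .asf gives the presentation time, command type and target of every URL-opening command before the file is ever played.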

Further reading

  • "Recession, Music, and Wimad" http://blogs.technet.com/b/mmpc/archive/2009/05/15/recession-music-and-wimad.aspx
  • ASX/Wimad, a detection for a category of malicious Windows Media® files, was the eleventh most prevalent threat in 2H08. Microsoft Security Intelligence Report Volume 6: July - December 2008 http://www.microsoft.com/security/sir/archive/default.aspx
  • ASX/Wimad, the sixteenth malware family detected by Microsoft anti-malware desktop products worldwide, by number of unique infected computers in 1H09. Microsoft Security Intelligence Report Volume 7: January - June 2009 http://www.microsoft.com/security/sir/archive/default.aspx
  • ASX/Wimad, the twelfth-most commonly detected threat in 2H09. Microsoft Security Intelligence Report Volume 8: July - December 2009 http://www.microsoft.com/security/sir/archive/default.aspx
  • ASX/Wimad, the eighth-most commonly detected threat in 2Q12. Microsoft Security Intelligence Report Volume 13: January - June 2012 http://www.microsoft.com/security/sir/archive/default.aspx




Analysis by Methusela Cebrian Ferrer and Patrik Vicol

Last update 16 November 2012
