Friday, July 18, 2008

Worms are playing a new tune

An InfoWorld article today, "New worm transcodes MP3s to try to infect PCs," reports on the appearance of a nasty little worm.

The worm, designated by Kaspersky as "Worm.Win32.GetCodec.a," takes advantage of Microsoft's Advanced Systems Format filetype for audio and video streams. If you play an infected file in that format, it prompts you to download a codec. Instead of the codec, however, you're downloading and installing a Trojan horse, which installs a proxy program that allows hackers to route other traffic through your PC.

Once it takes off, the worm will look for other MP3 files on your system, transcode them to Microsoft's WMA format, wrap them in an ASF container and then add links to more copies of the worm.

Kaspersky says:

Unlike earlier Trojans, which used the WMA format only to mask their presence on the system (i.e., the infected objects were not music files), this worm infects audio files. According to Kaspersky Lab virus analysts, this is the first such case. The likelihood of a successful attack is increased because most users trust their audio files and do not associate them with possible infections. It should be noted that the file on the counterfeit web page is digitally signed by Inter Technologies and is identified by, the resource that issued the digital signature, as trusted.

As Dr. Raymond Stantz would say, "This is a really nasty one!"
