Kaspersky Lab reports new worm that infects audio files

16 Jul 2008
Virus News

Kaspersky Lab, a leading developer of secure content management systems, reports the detection of a malicious program that infects WMA audio files. The objective of the infection is to install a Trojan that gives a cybercriminal control of the user’s computer.

The worm, which was named Worm.Win32.GetCodec.a, converts mp3 files to the Windows Media Audio (WMA) format (without changing the .mp3 extension) and adds a marker with a link to an infected web page to the converted files. The marker is activated automatically during file playback. It opens an infected page in Internet Explorer where the user is asked to download and install a file which, according to the website, is a codec. If the user agrees to install the file, a Trojan known as Trojan-Proxy.Win32.Agent.arp is downloaded to the computer, giving cybercriminals control of the victim PC.

Unlike earlier Trojans, which used the WMA format only to mask their presence on the system (i.e., the infected objects were not music files), this worm infects audio files. According to Kaspersky Lab virus analysts, this is the first such case. The likelihood of a successful attack is increased because most users trust their audio files and do not associate them with possible infections. It should be noted that the file on the counterfeit web page is digitally signed by Inter Technologies and is identified by www.usertrust.com, the resource that issued the digital signature, as trusted.

Immediately after Worm.Win32.GetCodec.a was detected, its signatures were added to Kaspersky Lab’s antivirus databases.

About Kaspersky Lab

Kaspersky Lab delivers the world’s most immediate protection against IT security threats, including viruses, spyware, crimeware, hackers, phishing, and spam. Kaspersky Lab products provide superior detection rates and the industry’s fastest outbreak response time for home users, SMBs, large enterprises and the mobile computing environment. Kaspersky® technology is also used worldwide inside the products and services of the industry’s leading IT security solution providers. For more information, visit www.kaspersky.com. For the latest malware news, go to www.viruslist.com.