Trojan:Win32/Gecedoc.A is a trojan that alters audio files by converting them to Windows Media Audio (.WMA) format and inserting a link to additional malicious content.
When executed, Trojan:Win32/Gecedoc.A may modify the following registry entries:
Adds value: "prot"
With data: "c:\documents and settings\all users\documents\my music\."
To subkey: HKCU\SOFTWARE\Microsoft\PIMSRV
Modifies value: "URLAndExitCommandsEnabled"
With data: "0"
To subkey: HKCU\Software\Microsoft\MediaPlayer\Preferences
Modifies value: "Permissions"
With data: "!"
To subkey: HKCU\Software\Microsoft\MediaPlayer\Player\Extensions\.mp3
This trojan does not execute at next Windows start automatically.
Modifies Audio Files
Win32/Gecedoc searches through all files on the local system that have the file extensions .MP3, .MP2, .WMV or .WMA. The trojan attempts to convert each located file to Windows Media Audio (WMA) format, but leaves the file extension unchanged.
When an unmodified WMA format file is found, the trojan parses the file header, looking for a specific script. The trojan may alter the script by adding a link to a malicious site that hosts malware.
When a WMA format file containing the inserted malicious Web site URL is opened, the link in the script is opened automatically as the file is rendered in Windows Media Player. Internet Explorer then attempts to connect to the malicious site, and a "File Download" dialog box may be displayed.
At the time of this writing, the malicious file was detected as "Trojan:Win32/Nebuler.gen!D".
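The header parsing described above, as an added example that is not part of the original analysis: a Python scanner that walks a WMA/ASF Header Object, reads any Script Command Object it contains, and reports the URL-type commands (the kind Windows Media Player hands to the browser), so modified files can be found before they are played. The object GUIDs are taken from the ASF specification; the sample file is constructed inline with a placeholder URL, and the scanner assumes the script commands sit at the top level of the header (it does not descend into a Header Extension Object).

```python
import struct
import uuid

# Object GUIDs from the ASF specification (stored little-endian on disk).
HEADER_OBJ = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
SCRIPT_CMD_OBJ = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")
SCRIPT_CMD_RESERVED = uuid.UUID("4B1ACBE3-100B-11D0-A39B-00A0C90348F6")

def script_commands(data: bytes):
    """Return (type, name) pairs from every Script Command Object in the top-level ASF header."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != HEADER_OBJ:
        raise ValueError("not an ASF/WMA file")
    n_objs = struct.unpack_from("<QI", data, 16)[1]
    pos, found = 30, []  # 16 GUID + 8 size + 4 object count + 2 reserved bytes
    for _ in range(n_objs):
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        if guid == SCRIPT_CMD_OBJ:
            p = pos + 24 + 16  # skip object header and the object's reserved GUID
            n_cmds, n_types = struct.unpack_from("<HH", data, p)
            p += 4
            types = []
            for _ in range(n_types):  # names are length-prefixed UTF-16LE (length in characters)
                ln = struct.unpack_from("<H", data, p)[0]
                types.append(data[p + 2:p + 2 + 2 * ln].decode("utf-16-le"))
                p += 2 + 2 * ln
            for _ in range(n_cmds):  # presentation time, type index, name length, name
                _time, tidx, ln = struct.unpack_from("<IHH", data, p)
                name = data[p + 8:p + 8 + 2 * ln].decode("utf-16-le")
                found.append((types[tidx] if tidx < len(types) else "?", name))
                p += 8 + 2 * ln
        pos += max(size, 24)  # never loop on a zero-sized object
    return found

def url_commands(data: bytes):
    """Only the commands of type URL, which the player passes to the browser."""
    return [name for t, name in script_commands(data) if t.upper() == "URL"]

def build_sample(commands):
    """Constructed sample input: a minimal header holding only a Script Command Object."""
    types = sorted({t for t, _ in commands})
    body = SCRIPT_CMD_RESERVED.bytes_le + struct.pack("<HH", len(commands), len(types))
    for t in types:
        body += struct.pack("<H", len(t)) + t.encode("utf-16-le")
    for i, (t, name) in enumerate(commands):
        body += struct.pack("<IHH", i * 1000, types.index(t), len(name)) + name.encode("utf-16-le")
    obj = SCRIPT_CMD_OBJ.bytes_le + struct.pack("<Q", 24 + len(body)) + body
    return HEADER_OBJ.bytes_le + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```

Run `url_commands(open(path, "rb").read())` over the .WMA, .MP3, .MP2 and .WMV files the trojan rewrites; any file that yields a URL command deserves a closer look.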
Analysis by Vitaly Zaytsev