TrojanDownloader:ASX/Wimad.T

TrojanDownloader:ASX/Wimad is a detection for malicious Windows media files that are used in order to encourage users to download and execute arbitrary files on an affected machine. When opened with Windows Media Player, these malicious files open a particular URL in a web browser. 

 

TrojanDownloader:ASX/Wimad.T is a malicious Advanced Streaming Format (ASF) file, which when opened by Windows Media Player, urges a user to download and execute an arbitrary file, as in the following example:

 

 

 

At the time of writing the file downloaded is identified as "Win32/Agent.E" and may also be known as "Adware.PlayMp3z".

 

We strongly suggest that users avoid downloading and executing any files when prompted by Windows Media Player upon opening streaming format files.

 

Some reports suggested that the trojan file is distributed as a malicious MP3 file type.

 

This shouldn't be viewed as a characteristic of the trojan, the extension can be changed and the trojan will still try to perform its action as long as an extension of the trojan file is registered with the media player (for instance .avi, .asf, .mpg). In case of the mp3 extension the format of the trojan file does not follow the mp3 file format convention. This might prompt a media player to issue a warning:

 

 

 

 

If answered <Yes> the trojan file will be processed by the media player. Performing this action the media player will try to open internet explorer and prompt a user to download a file which masquerades as an mp3 player.

 

Analysis by Oleg Petrovsky