Destroys all MP3 files on an infected system

May 30, 2009 10:26 GMT

Malware analysts from antivirus vendor Sophos warn of an intriguing threat, which destroys all MP3 files on compromised computers and claims to be fighting piracy. The malicious file is of Indonesian origin and it is being spread on file sharing networks.

"The malware attempts to use the Indonesian band Samsons and their song Naluri Lelaki to entice users to click on the file. The file itself comes with a Winamp icon on it, so it looks like a regular mp3 file to the user," advises Prashant Kumar, security researcher at antivirus vendor Sophos.

This malware, which Sophos classifies as a Trojan, has a particularly dangerous payload. First, it installs itself under the name winamp.dll.exe in the Windows folder and creates a startup registry entry for itself.

In order to prevent manual removal attempts, Troj/Samson-A disables the Windows registry editor (regedit). Additionally, because Windows Explorer hides system files by default, the Trojan disables the ability to change the Folder Options, which could otherwise be used to change this behavior.

The malware manifests itself by displaying an alert each time the computer is rebooted. The message reads (in Indonesian), "Stop pembajakan Musisi Dalam Negeri, Jangan Gunakan MP3 lagi (sok sok an) huahahahahaha!!!" According to Prashant Kumar, this loosely translates to, "Stop piracy Musician Affairs, Do not Use MP3 again (quasi quasi-an) huahahahahaha!"

Not only does the Trojan warn you not to use MP3 files again, but it actually tries to force you, by copying itself over all such files on the computer and adding the .exe extension to their original names. Furthermore, it prevents the popular Winamp media player from running if it finds it installed.
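The overwrite behaviour described above leaves a recognisable trace on disk: many files named `*.mp3.exe` that are all the same executable, plus a file named winamp.dll.exe. The following triage sketch is an added example, not Sophos's detection logic; the function names and the sample tree are constructed for illustration, and the byte-identical-copies heuristic is an assumption drawn from the article's description.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

SUFFIX = ".mp3.exe"              # renamed-MP3 pattern described in the article
INSTALL_NAME = "winamp.dll.exe"  # install name described in the article

def scan(root):
    """Return (clusters, installs): groups of byte-identical executables
    named *.mp3.exe, and any file carrying the install name."""
    by_hash, installs = defaultdict(list), []
    for path in Path(root).rglob("*"):
        try:
            if not path.is_file():
                continue
            name = path.name.lower()
            if name == INSTALL_NAME:
                installs.append(path)
            elif name.endswith(SUFFIX):
                data = path.read_bytes()
                if data[:2] == b"MZ":          # Windows executable header
                    by_hash[hashlib.sha256(data).hexdigest()].append(path)
        except OSError:
            continue                           # unreadable entry, skip it
    # One executable copied over many songs: many names, a single hash.
    clusters = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    return clusters, sorted(installs)

def build_sample_tree(root):
    """Constructed sample data: harmless stand-in bytes, not real malware."""
    root = Path(root)
    (root / "Music").mkdir()
    (root / "Windows").mkdir()
    stand_in = b"MZ" + b"\x00" * 62            # same bytes for every "copy"
    for name in ("a.mp3.exe", "b.mp3.exe", "c.MP3.EXE"):
        (root / "Music" / name).write_bytes(stand_in)
    (root / "Music" / "intact.mp3").write_bytes(b"ID3\x03" + b"\x00" * 60)
    (root / "Music" / "odd.mp3.exe").write_bytes(b"ID3 not an executable")
    (root / "Windows" / INSTALL_NAME).write_bytes(stand_in)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        clusters, installs = scan(tmp)
        print(len(installs), "install-name hit(s)")
        for digest, paths in clusters.items():
            print(digest[:12], [p.name for p in paths])
```

A cluster only indicates that the files need a closer look; the original audio is overwritten, so recovery depends on backups rather than on renaming the files.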

"It looks to have been written by some Indonesian script kiddies who seem to think that by infecting people’s computers they can stop piracy," indicates the Sophos analyst. "Needless to say it’s a lame attempt," he adds.