Secure Computing discovers new security threat

Jul 11, 2008 07:15 GMT

According to Secure Computing, a company that specializes in providing Internet security appliances as security software solutions, a new Trojan is in circulation that works by infecting all multimedia files (music and movies) stored on the user's machine. The company has identified the threat as "Trojan.ASF.Hijacker.gen". The Trojan spreads mainly through P2P, with the goal of stealing your security credentials.

Christoph Alme from Secure Computing comments: "We've not seen such a sophisticated Trojan infecting multimedia files before. We've been seeing infected multimedia files for about a month now and [had been] wondering where they came from." Alme has been paying close attention to the Trojan in his role as lead researcher on Secure Computing's AntiMalware team.

At first glance it would seem that downloading .exe files from warez sites is the main source of infection, but in fact things are slightly more complicated than that. You do not have to visit such a site to get infected; all you have to do is download music files or movies through P2P (peer-to-peer) from someone who is infected. Once the Trojan is on your machine, it embeds its malicious code into all ASF (Advanced Systems Format)-based multimedia files. The ASF format is used by files such as MP3, WMA and WMV.

Christoph Alme again: "They lead you to a page under their control when you play back the file, and it has a pop-up telling you that you need to download the 'codec' to play the video or audio file".

This is not exactly a new technique; numerous malware-infested sites claim that "there is a problem with ActiveX" or "you need this codec" in order to watch a video clip or listen to music online. The interesting thing about this Trojan is that it infects media files already on your hard disk, files that you think are clean. Consequently, you will actually believe that you need that codec.

Here is another interesting thing about the Trojan: it converts all the MP2 and MP3 files stored on your PC to WMA. This means that when you want to listen to the MP3, it will be opened with Media Player and, after being redirected to a malicious site, you will be asked to download a codec. In order to maintain an air of authenticity, after the download is complete you will not be prompted again.
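A defender can check media files for the playback redirect described above. The following is an added example, not code from Secure Computing or from the article. It assumes the redirect is stored as a script command of type URL or URLANDEXIT in the ASF header, which the article does not state; `make_sample` and the `example.invalid` URL are constructed test input.

```python
import struct
import uuid

# Object GUIDs from the ASF specification; on disk the first three fields are little-endian.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")

def _wstr(buf, pos):
    """Read a WORD length (in UTF-16 code units) followed by that many WCHARs."""
    (n,) = struct.unpack_from("<H", buf, pos)
    end = pos + 2 + 2 * n
    if end > len(buf):
        raise ValueError("string runs past end of object")
    return buf[pos + 2:end].decode("utf-16-le", "replace").rstrip("\0"), end

def script_commands(data):
    """Return [(type, value, time_ms)] from an ASF header; [] if the data is not ASF."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER:
        return []                                  # e.g. a genuine MP3
    (hdr_size,) = struct.unpack_from("<Q", data, 16)
    pos, limit, found = 30, min(hdr_size, len(data)), []
    while pos + 24 <= limit:                       # walk the header's child objects
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > limit:
            break                                  # malformed size: stop instead of looping
        if guid == ASF_SCRIPT_COMMAND:
            body = data[pos + 24:pos + size]
            n_cmds, n_types = struct.unpack_from("<HH", body, 16)  # after reserved GUID
            p, types = 20, []
            for _ in range(n_types):
                name, p = _wstr(body, p)
                types.append(name)
            for _ in range(n_cmds):
                t_ms, idx = struct.unpack_from("<IH", body, p)
                value, p = _wstr(body, p + 6)
                found.append((types[idx] if idx < len(types) else "?", value, t_ms))
        pos += size
    return found

def suspicious(data):
    """Script commands that make the player open a web page during playback."""
    return [c for c in script_commands(data) if c[0].upper() in ("URL", "URLANDEXIT")]

def make_sample(url):
    """Constructed ASF header holding one URLANDEXIT command (not a real infected file)."""
    w = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    body = bytes(16) + struct.pack("<HH", 1, 1) + w("URLANDEXIT") + struct.pack("<IH", 0, 0) + w(url)
    obj = ASF_SCRIPT_COMMAND.bytes_le + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER.bytes_le + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```

A file with an `.mp3` extension that parses as ASF at all is itself worth flagging, given the conversion behaviour the article describes.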