Wednesday, 7 May 2008

Rogue MP3 Trojan streaks across P2P networks

Hopefully people have seen this already, but it's worth posting:


Hundreds of thousands of examples of a new Trojan that poses as a media file have flooded onto P2P networks.

Since Friday 2 May more than half a million instances of the Trojan have been detected on consumer PCs, according to net security firm McAfee. The anti-virus firm reports the spread of the Downloader-UA.h Trojan as the most significant malware outbreak in the last three years.

Source: TheRegister
Source: McAfee

What's interesting about this is that I came across this "new" idea in a post by ISS (dated 29th April), which you can see here.

While the ISS post talked about .ASF files, all the bad guys have done is rename the .asf files to .mp3. Windows Media Player ignores the extension, reads the metadata in the file header and runs the embedded script :(

SaneSecurity ClamAV generic detection for this idea was added on 30th April 2008, so I was interested to find that these "new" MP3s McAfee are talking about are caught by the same generic signature :)

E.g.: eview-T-3545425-turbanlporno.mp3: Email.Malware.Sanesecurity.08043001.WmaScript FOUND

Note: You must be using ClamAV v0.93 to be able to detect this.
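As an added example (not part of the original post and not the SaneSecurity signature itself), the following Python check illustrates the point above: it identifies a file by its container header rather than its extension, so a renamed .asf file is flagged, and an ASF header that carries a Script Command Object is flagged separately. The object GUIDs are taken from the ASF specification; the sample bytes are constructed, not real malware.

```python
"""Content-based check for ASF files renamed to .mp3 (added example, not from the post)."""
import os

# ASF object GUIDs from the ASF specification, in on-disk (little-endian) byte order.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")          # ASF_Header_Object
ASF_SCRIPT_COMMAND_GUID = bytes.fromhex("301afb1e620bd011a39b00a0c90348f6")  # ASF_Script_Command_Object


def classify_media(data: bytes) -> str:
    """Identify the container from its leading bytes, ignoring the file name entirely."""
    if data.startswith(ASF_HEADER_GUID):
        return "asf"
    if data.startswith(b"ID3"):  # ID3v2 tag normally precedes the MP3 frames
        return "mp3"
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:  # MPEG audio frame sync
        return "mp3"
    return "unknown"


def asf_has_script_command(data: bytes) -> bool:
    """True when an ASF file's header lists a Script Command Object, the part the player acts on."""
    return data.startswith(ASF_HEADER_GUID) and ASF_SCRIPT_COMMAND_GUID in data


def check_file(name: str, data: bytes) -> str:
    """Verdict for one file: 'ok', 'extension-mismatch' or 'asf-script-in-mp3'."""
    ext = os.path.splitext(name)[1].lower()
    kind = classify_media(data)
    if ext == ".mp3" and kind == "asf":
        return "asf-script-in-mp3" if asf_has_script_command(data) else "extension-mismatch"
    if ext in (".mp3", ".asf", ".wma", ".wmv") and kind != "unknown":
        expected = "mp3" if ext == ".mp3" else "asf"
        if kind != expected:
            return "extension-mismatch"
    return "ok"


# Constructed sample inputs: a bare ID3v2 header, and a minimal ASF header whose
# object list contains a Script Command Object (no real script payload included).
SAMPLE_MP3 = b"ID3\x03\x00" + b"\x00" * 16
SAMPLE_ASF_SCRIPT = ASF_HEADER_GUID + (30).to_bytes(8, "little") + ASF_SCRIPT_COMMAND_GUID

if __name__ == "__main__":
    for fname, blob in (("song.mp3", SAMPLE_MP3), ("song.mp3", SAMPLE_ASF_SCRIPT)):
        print(fname, classify_media(blob), check_file(fname, blob))
```

A real scanner would walk the ASF header objects rather than search for the GUID anywhere in the file, but the mismatch between extension and header is already enough to quarantine a file for closer inspection.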
