Downloader-UA.b

Type: Trojan
SubType: Downloader
Discovery Date: 01/12/2005
Length: 2,282,292 bytes
Minimum DAT: 4419 (01/12/2005)
Updated DAT: 6394 (07/01/2011)
Minimum Engine: 5.1.00
Description Added: 01/12/2005
Description Modified: 01/13/2005 6:04 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This detection is for a multimedia file that takes advantage of an exploit in the Digital Rights Management (DRM) technology in Windows Media Player. This variant is similar to its predecessor.

When the user opens the multimedia file, a connection is made to a remote server in order to download other content. This variant of the trojan initially attempts to download content from the following domain (other remote sites are subsequently contacted as the user is presented with popups and dialogs):

  • http://www.protectedmedia.com

Symptoms

If the user views the media file and the subsequent cascade of popups and security warnings are accepted, many potentially unwanted programs will be installed to the machine. A lot of this content is pornographic in nature, which may cause offense to some users.

The following steps should be taken to help prevent such trojans from installing unwanted content on victim machines:

  • deploy local and network firewalls
  • deploy content control (can minimise pornographic content coming through gateway)
  • ensure local browser settings are secure for untrusted sites

Method of Infection

When the user views the multimedia file, the media player informs them that it is attempting to retrieve a license file:

Subsequently, the following dialog is presented (image has been pixelated so as not to cause offense):

followed by "Security Warning" dialogs, for example:
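The behaviour described under Characteristics and Method of Infection is a DRM license-acquisition URL embedded in the media file: opening the file is what makes the player contact the remote server. A defender can pull that URL out of a suspect WMV/WMA file without opening it, and check it against an allowlist, before the file reaches a user. The following script is an added example and is not code from the advisory or from McAfee; it assumes the ASF container layout as I recall it from the ASF specification (the Header Object, Content Encryption Object and Extended Content Encryption Object GUIDs and field order), and the sample file it builds is constructed for the demonstration, using the domain named above as its license URL.

```python
import re
import struct
import uuid
from urllib.parse import urlparse

# Object GUIDs as given in the ASF specification (assumption of this example,
# not taken from the advisory). ASF stores GUIDs in little-endian field order,
# which is exactly what uuid.UUID.bytes_le produces.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
ASF_EXT_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")


def _read_blob(data, pos):
    """Read one DWORD-length-prefixed field at pos; return (bytes, next_pos)."""
    (n,) = struct.unpack_from("<I", data, pos)
    pos += 4
    return data[pos:pos + n], pos + n


def extract_license_urls(blob):
    """Return every DRM license-acquisition URL found in the ASF header.

    Walks the top-level header objects only; nothing is executed or fetched,
    so this is safe to run on an untrusted file.
    """
    if len(blob) < 30 or blob[:16] != ASF_HEADER_OBJECT.bytes_le:
        raise ValueError("not an ASF (WMV/WMA) file")
    (header_size,) = struct.unpack_from("<Q", blob, 16)
    end = min(header_size, len(blob))
    pos = 30  # 16-byte GUID + 8-byte size + 4-byte object count + 2 reserved bytes
    urls = []
    while pos + 24 <= end:
        guid = uuid.UUID(bytes_le=blob[pos:pos + 16])
        (size,) = struct.unpack_from("<Q", blob, pos + 16)
        if size < 24:
            break  # corrupt object header; stop rather than loop forever
        body = blob[pos + 24:pos + size]
        if guid == ASF_CONTENT_ENCRYPTION_OBJECT:
            # Fields: Secret Data, Protection Type, Key ID, License URL (null-terminated)
            p = 0
            _secret, p = _read_blob(body, p)
            _ptype, p = _read_blob(body, p)
            _key_id, p = _read_blob(body, p)
            url, p = _read_blob(body, p)
            urls.append(url.rstrip(b"\x00").decode("ascii", "replace"))
        elif guid == ASF_EXT_CONTENT_ENCRYPTION_OBJECT:
            # Data field holds the WRMHEADER XML as UTF-16LE; LA_URL is the license server.
            xml_bytes, _ = _read_blob(body, 0)
            xml = xml_bytes.decode("utf-16-le", "replace")
            urls.extend(m.group(1).strip()
                        for m in re.finditer(r"<LA_URL>(.*?)</LA_URL>", xml, re.S))
        pos += size
    return urls


def triage(blob, allowed_hosts):
    """Label each license URL 'allowed' if its host is on the allowlist, else 'SUSPICIOUS'."""
    findings = []
    for url in extract_license_urls(blob):
        host = urlparse(url).hostname or ""
        findings.append((url, "allowed" if host in allowed_hosts else "SUSPICIOUS"))
    return findings


# --- constructed sample file (not the real trojan), used to exercise the parser ---

def _blob(b):
    return struct.pack("<I", len(b)) + b


def _asf_object(guid, body):
    return guid.bytes_le + struct.pack("<Q", 24 + len(body)) + body


def build_sample(license_url):
    """Build a minimal ASF header that points DRM license acquisition at license_url."""
    ce_body = (_blob(b"\x00" * 4) + _blob(b"DRM\x00") + _blob(b"KEYID0001\x00")
               + _blob(license_url.encode("ascii") + b"\x00"))
    xml = ('<WRMHEADER version="2.0.0.0"><DATA><LA_URL>%s/license.asp</LA_URL>'
           '</DATA></WRMHEADER>' % license_url)
    ext_body = _blob(xml.encode("utf-16-le"))
    objs = (_asf_object(ASF_CONTENT_ENCRYPTION_OBJECT, ce_body)
            + _asf_object(ASF_EXT_CONTENT_ENCRYPTION_OBJECT, ext_body))
    # Header Object: GUID, total size, object count, Reserved1=0x01, Reserved2=0x02
    return (ASF_HEADER_OBJECT.bytes_le + struct.pack("<Q", 30 + len(objs))
            + struct.pack("<I", 2) + b"\x01\x02" + objs)


if __name__ == "__main__":
    sample = build_sample("http://www.protectedmedia.com")  # domain from the advisory
    for url, verdict in triage(sample, {"drm.example-vendor.invalid"}):  # placeholder allowlist
        print(verdict, url)
```

Run at a mail or web gateway, this turns the "license file" prompt the user would otherwise see into a log line a defender reviews first; the allowlist should hold only the license servers a site legitimately uses.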

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Trj/WmvDownloader.B (Panda)
  • Trojan-Downloader.WMA.Wimad.b (AVP)
  • Trojan.Wimad (Symantec)
