Downloader-UA.a

Type: Trojan
SubType: Downloader
Discovery Date: 01/12/2005
Length: 1,063,616 bytes
Minimum DAT: 4419 (01/12/2005)
Updated DAT: 5564 (03/25/2009)
Minimum Engine: 5.1.00
Description Added: 01/12/2005
Description Modified: 01/13/2005 6:09 AM (PT)
Risk Assessment: Corporate User - Low; Home User - Low

Characteristics

This detection is for a multimedia file that abuses the license-acquisition mechanism of the Digital Rights Management (DRM) technology in Windows Media Player: the file is marked as DRM-protected, and the license URL embedded in it points at a remote server chosen by the attacker rather than at a legitimate license issuer.

When the user opens the multimedia file, a connection is made to a remote server in order to download other content. This variant of the trojan initially attempts to download content from the following domain (other remote sites are contacted subsequently, as the user is presented with a cascade of popups):

  • http://licenses.overpeer.com

Symptoms

If the user views the media file and the subsequent cascade of popups and security warnings are accepted, many potentially unwanted programs will be installed to the machine. A lot of this content is pornographic in nature, which may cause offense to some users.

The following steps should be taken to help prevent such trojans from installing unwanted content on victim machines:

  • deploy local and network firewalls, so that outbound connections from media players and browsers to unknown hosts can be blocked or logged
  • deploy content control at the gateway (this can minimise pornographic content reaching users)
  • ensure local browser settings are restrictive for untrusted sites (Internet zone), and do not accept unexpected "Security Warning" prompts to install software while viewing media

Method of Infection

When the user views the multimedia file, the media player informs them that it is attempting to retrieve a license file and displays a license-acquisition dialog.

Subsequently, a browser window is opened displaying content from the following domain:

  • http://serve.alcena.com

The user will then likely be confronted with a cascade of other popups and "Security Warning" dialog windows.

Other popup browser windows are displayed, containing pornographic content, and links to further remote sites.
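The Characteristics and Method of Infection sections above describe the file steering Windows Media Player's license acquisition at an attacker-chosen URL. The following Python script is an added example, not part of the original description or of any McAfee tool: it statically parses the ASF header of a .wma/.wmv file, pulls the license-acquisition URLs out of the Content Encryption and Extended Content Encryption objects, and flags any whose host is not on an allowlist, so such files can be triaged at a gateway or mail filter without playing them. The object layout follows the public ASF specification; that the Extended Content Encryption Object carries the WMDRM header as UTF-16LE XML with an <LAINFO> element is an assumption (stated again in the code), the allowlist host drm.example.com is hypothetical, and the sample file is constructed inline (it is not a real Wimad sample) using the licenses.overpeer.com domain named above.

```python
import re
import struct
import uuid
from urllib.parse import urlparse

# ASF object GUIDs from the public ASF specification.  On disk they use the
# Windows mixed-endian GUID layout, which uuid.UUID.bytes_le reproduces.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E").bytes_le      # WMDRM v1
ASF_EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C").bytes_le  # WMDRM v2+ header

LAINFO_RE = re.compile(r"<LAINFO>\s*(.*?)\s*</LAINFO>", re.IGNORECASE | re.DOTALL)


def iter_header_objects(data):
    """Yield (guid, payload) for each object nested inside the ASF Header Object.

    Every ASF object is a 16-byte GUID, an 8-byte little-endian size that
    includes the 24-byte object header, then the payload.  Sizes are checked
    against the buffer so a malformed file cannot make us read out of bounds.
    """
    if len(data) < 30 or data[:16] != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF container")
    header_size = struct.unpack_from("<Q", data, 16)[0]
    count = struct.unpack_from("<I", data, 24)[0]   # followed by reserved bytes 0x01, 0x02
    end = min(header_size, len(data))
    pos = 30
    for _ in range(count):
        if pos + 24 > end:
            break
        guid = data[pos:pos + 16]
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24 or pos + size > end:
            break   # truncated or lying size field: stop rather than trust it
        yield guid, data[pos + 24:pos + size]
        pos += size


def _v1_license_url(payload):
    """Content Encryption Object: four length-prefixed fields; the fourth is the License URL."""
    fields, pos = [], 0
    for _ in range(4):
        if pos + 4 > len(payload):
            return None
        n = struct.unpack_from("<I", payload, pos)[0]
        pos += 4
        if pos + n > len(payload):
            return None
        fields.append(payload[pos:pos + n])
        pos += n
    return fields[3].rstrip(b"\x00").decode("ascii", "replace")


def extract_license_urls(data):
    """Return every license-acquisition URL a player would contact for this file."""
    urls = []
    for guid, payload in iter_header_objects(data):
        if guid == ASF_CONTENT_ENCRYPTION:
            url = _v1_license_url(payload)
            if url:
                urls.append(url)
        elif guid == ASF_EXT_CONTENT_ENCRYPTION and len(payload) >= 4:
            n = struct.unpack_from("<I", payload, 0)[0]
            # Assumption: the object carries the WMDRM WRMHEADER XML as UTF-16LE text.
            text = payload[4:4 + n].decode("utf-16-le", "ignore")
            urls.extend(LAINFO_RE.findall(text))
    return urls


def assess(data, trusted_hosts):
    """Pair each license URL with a verdict.  trusted_hosts is a hypothetical allowlist."""
    verdicts = []
    for url in extract_license_urls(data):
        host = (urlparse(url).hostname or "").lower()
        verdict = "trusted" if host in trusted_hosts else "untrusted license server"
        verdicts.append((url, verdict))
    return verdicts


# --- constructed sample input: a minimal ASF header, not a real Wimad file ---

def _asf_object(guid, payload):
    return guid + struct.pack("<Q", 24 + len(payload)) + payload


def build_sample_asf(lainfo_url, v1_url=None):
    """Build an ASF header whose DRM object(s) point at the given license URL(s)."""
    wrm = ('<WRMHEADER version="2.0.0.0"><DATA><LAINFO>%s</LAINFO>'
           '<KID>AAAAAAAAAAAAAAAAAAAAAA==</KID></DATA></WRMHEADER>' % lainfo_url).encode("utf-16-le")
    objs = [_asf_object(ASF_EXT_CONTENT_ENCRYPTION, struct.pack("<I", len(wrm)) + wrm)]
    if v1_url:  # optionally also emit a WMDRM v1 Content Encryption Object
        parts = [b"\x00" * 16, b"DRM\x00", b"sample-key-id\x00", v1_url.encode("ascii") + b"\x00"]
        objs.append(_asf_object(ASF_CONTENT_ENCRYPTION,
                                b"".join(struct.pack("<I", len(p)) + p for p in parts)))
    body = b"".join(objs)
    return (ASF_HEADER_OBJECT + struct.pack("<Q", 30 + len(body))
            + struct.pack("<I", len(objs)) + b"\x01\x02" + body)


if __name__ == "__main__":
    sample = build_sample_asf("http://licenses.overpeer.com/")   # domain from the description above
    for url, verdict in assess(sample, {"drm.example.com"}):
        print(url, "->", verdict)
```

Running the script prints the overpeer URL as an untrusted license server. Against real files the useful output is the URL itself: a DRM license URL that points anywhere other than a known content licensor is the indicator to block or quarantine, and the same extraction can feed a gateway rule before a user ever sees the license dialog.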

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Trj/Downloader.AEV (Panda)
  • Trojan-Downloader.WMA.Wimad.a (AVP)
  • Trojan.Wimad (Symantec)
