Windows Media Player DRM Exploit

David H. Lipman

I don't know how many of you know about this one.

I have been seeing a rise in a new way to get you infected with malware. It actually isn't
too new. It is almost two years old. However, its use is rising and may become more
prevalent in the coming months.

Here's the deal.

I am seeing new Social Engineering posts in the alt.binaries.* News Groups.
Instead of directly attaching malware, these posts are exploiting the Windows Media Player
DRM.

Being posted are WMV files with such names as...

Anna Kournikova Calendar Shoot 2005.wmv
Charlize Theron And Penelope Cruz Kiss.wmv
Christina Aguilera Showing Off.wmv
Courtney Cox Lingerie.wmv
Debra Messing Covered Up.wmv
Drew Barrymore Braless.wmv
Keira Knightly Lap Dance.wmv
Melyssa Ford in Lingerie.wmv

When you play the WMV files you have to agree to an EULA, and when you click on "Play Now" it
will download SETUP.EXE from static.zangocash.com. The EXE is a malware installer for
Zango/180Solutions.

The SETUP.EXE file is fairly well recognized, such as:
Ewido: Adware.180Solutions and
Kaspersky: not-a-virus:AdWare.Win32.180Solutions.as

The WMVs are not so well recognized but here is a sampling...

AntiVir -- EXP/WMV.A.1 , EXP/WMV.A.2
AVG -- Downloader.Wimad.B
BitDefender -- Trojan.Wimad.A
Ewido -- Downloader.Wimad.h
Fortinet -- W32/WIMAD.C!tr
Ikarus -- Trojan-Downloader.WMA.Wimad.h
Kaspersky -- Trojan-Downloader.WMA.Wimad.h
UNA -- TrojanDownloader.WMA.Wimad.D7FF


Some of these WMVs are too large to submit, as their sizes surpass the maximum submission
size set by the anti-malware vendors.
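The chain Dave describes (a WMV whose DRM header sends Windows Media Player to a web host for a "license", which then serves the EULA/"Play Now" page and SETUP.EXE) can be triaged without ever opening the file in WMP, by reading the license-acquisition URLs straight out of the ASF header. The script below is an added example, not something from this thread or from any of the vendors named in it. The object GUIDs and field layouts are taken from the ASF specification as I remember them (the Content Encryption Object carries a plain License URL field; the Extended Content Encryption Object carries a UTF-16 WRMHEADER XML blob with an LA_URL element); the sample file it builds is a constructed test fixture, not a real Wimad sample, and every hostname in it, including the trusted-host list, is a placeholder.

```python
"""Triage helper: list the DRM license-acquisition URLs embedded in a WMV/ASF header."""
import re
import struct
import uuid
from urllib.parse import urlparse

# Object GUIDs as given in the ASF specification (assumption: recalled, not looked up here).
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
ASF_EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")


def parse_asf_header(data):
    """Yield (guid, body) for each sub-object inside the ASF Header Object.

    Header Object: GUID(16) size(8) object_count(4) reserved(2), then sub-objects,
    each GUID(16) size(8) body. Sizes are little-endian and include the 24-byte preamble.
    """
    if len(data) < 30 or data[:16] != ASF_HEADER_OBJECT.bytes_le:
        raise ValueError("not an ASF/WMV file: Header Object GUID missing")
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos = 30
    for _ in range(count):
        if pos + 24 > end:
            break
        guid = uuid.UUID(bytes_le=bytes(data[pos:pos + 16]))
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24 or pos + size > end:
            break  # truncated or malformed object: stop instead of reading past the header
        yield guid, bytes(data[pos + 24:pos + size])
        pos += size


def _length_prefixed_fields(body, n):
    """Read n DWORD-length-prefixed byte fields (Content Encryption Object layout)."""
    fields, pos = [], 0
    for _ in range(n):
        if pos + 4 > len(body):
            break
        ln = struct.unpack_from("<I", body, pos)[0]
        pos += 4
        fields.append(body[pos:pos + ln])
        pos += ln
    return fields


def extract_license_urls(data):
    """Return every license-acquisition URL declared in the file's DRM header objects."""
    urls = []
    for guid, body in parse_asf_header(data):
        if guid == ASF_CONTENT_ENCRYPTION:
            # DRM v1 layout: secret data, protection type, key id, license URL (NUL-terminated)
            fields = _length_prefixed_fields(body, 4)
            if len(fields) == 4:
                urls.append(fields[3].rstrip(b"\x00").decode("ascii", "replace"))
        elif guid == ASF_EXT_CONTENT_ENCRYPTION:
            # DRM v2+ layout: DWORD length, then a UTF-16 WRMHEADER XML blob containing <LA_URL>
            ln = struct.unpack_from("<I", body, 0)[0] if len(body) >= 4 else 0
            blob = body[4:4 + ln]
            enc = "utf-16" if blob[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-16-le"
            text = blob.decode(enc, "replace")
            urls.extend(u.strip() for u in re.findall(r"<LA_URL>(.*?)</LA_URL>", text, re.S | re.I))
    return urls


def triage(data, trusted_hosts):
    """Flag any license URL whose host is not one of the license servers you expect.

    A legitimately protected clip fetches its license from the publisher's server; a clip
    that points WMP at an arbitrary web host is the pattern described in the thread.
    """
    findings = []
    for url in extract_license_urls(data):
        host = (urlparse(url).hostname or "").lower()
        findings.append({"url": url, "host": host, "suspect": host not in trusted_hosts})
    return findings


def build_sample_wmv(v1_url, la_url):
    """Construct a minimal ASF header with one v1 and one extended DRM object (test fixture)."""
    v1_fields = (b"\x00" * 4, b"DRM\x00", b"KEYID000\x00", v1_url.encode("ascii") + b"\x00")
    v1_body = b"".join(struct.pack("<I", len(f)) + f for f in v1_fields)
    v1_obj = ASF_CONTENT_ENCRYPTION.bytes_le + struct.pack("<Q", 24 + len(v1_body)) + v1_body
    xml = '<WRMHEADER version="2.0.0.0"><DATA><LA_URL>%s</LA_URL></DATA></WRMHEADER>' % la_url
    blob = b"\xff\xfe" + xml.encode("utf-16-le")  # BOM + UTF-16LE, as WMP writes it
    ext_body = struct.pack("<I", len(blob)) + blob
    ext_obj = ASF_EXT_CONTENT_ENCRYPTION.bytes_le + struct.pack("<Q", 24 + len(ext_body)) + ext_body
    objs = v1_obj + ext_obj
    return ASF_HEADER_OBJECT.bytes_le + struct.pack("<QIBB", 30 + len(objs), 2, 1, 2) + objs


if __name__ == "__main__":
    # Constructed sample: hostnames are placeholders, not indicators from the thread.
    sample = build_sample_wmv("http://license.label.example/v1",
                              "http://clickme.example.invalid/play-now")
    for finding in triage(sample, {"license.label.example"}):
        print("SUSPECT" if finding["suspect"] else "ok     ", finding["url"])
```

Run it over a directory of downloaded WMVs before anyone double-clicks them: a clip whose license URL resolves to a host you have never heard of is the one to quarantine, and the URL itself is what you submit to the vendors when the file is too large to upload.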
 
BulletProof

David said:
Drew Barrymore Braless.wmv

that small breasted hussy? aaaawwww

When you play the WMV files you have to agree to an EULA, and when you click on "Play Now" it
will download SETUP.EXE from static.zangocash.com. The EXE is a malware installer for
Zango/180Solutions.

this is the very reason I was looking for an exe monitor, not just a
spy guard

Beauregard, a poster in this group, turned me onto kerio by sunbelt; it's
a firewall, but also gives you elite control over exes

if you had kerio installed.. a popup would say..
WMP is trying to run Setup.exe, will you allow this exe to run, yes/no

kerio is not this stringent out of the box; I had to change one setting
under the applications tab.

BP
 
BulletProof

wanted to add to my previous post

this is a line of defense that is higher than a spyguard

in your case, so long as the setup.exe is suppressed then the spyguards
are not even disturbed
 
Beauregard T. Shagnasty

Beauregard, a poster in this group, turned me onto kerio by sunbelt;
it's a firewall, but also gives you elite control over exes

if you had kerio installed.. a popup would say.. WMP is trying to run
Setup.exe, will you allow this exe to run, yes/no

[Permit/Deny]

...and will continue to do so unless you check the box for:
"Create a rule for this event and don't ask me again"

I use this for all but the most trusted .exe's. Since some malware (or
even 'trusted' programs) can fire up Internet Explorer and launch a web
page with parameters such as your default email address, even IE is on
my "ask every time" list.
kerio is not this stringent out of the box; I had to change one
setting under the applications tab.

Would that be "[X] Enable Network security module" ? (Been so long
since I set it up, I've forgotten what the defaults were...)
 
Art

I don't know how many of you know about this one.

I have been seeing a rise in a new way to get you infected with malware. It actually isn't
too new. It is almost two years old. However, its use is rising and may become more
prevalent in the coming months.

Here's the deal.

I am seeing new Social Engineering posts in the alt.binaries.* News Groups.
Instead of directly attaching malware, these posts are exploiting the Windows Media Player
DRM.

Being posted are WMV files with such names as...

Anna Kournikova Calendar Shoot 2005.wmv
Charlize Theron And Penelope Cruz Kiss.wmv
Christina Aguilera Showing Off.wmv
Courtney Cox Lingerie.wmv
Debra Messing Covered Up.wmv
Drew Barrymore Braless.wmv
Keira Knightly Lap Dance.wmv
Melyssa Ford in Lingerie.wmv

When you play the WMV files you have to agree to an EULA, and when you click on "Play Now" it
will download SETUP.EXE from static.zangocash.com. The EXE is a malware installer for
Zango/180Solutions.

The SETUP.EXE file is fairly well recognized, such as:
Ewido: Adware.180Solutions and
Kaspersky: not-a-virus:AdWare.Win32.180Solutions.as

The WMVs are not so well recognized but here is a sampling...

AntiVir -- EXP/WMV.A.1 , EXP/WMV.A.2
AVG -- Downloader.Wimad.B
BitDefender -- Trojan.Wimad.A
Ewido -- Downloader.Wimad.h
Fortinet -- W32/WIMAD.C!tr
Ikarus -- Trojan-Downloader.WMA.Wimad.h
Kaspersky -- Trojan-Downloader.WMA.Wimad.h
UNA -- TrojanDownloader.WMA.Wimad.D7FF


Some of these WMVs are too large to submit, as their sizes surpass the maximum submission
size set by the anti-malware vendors.

I notice that the freeware app IrfanView should play/handle WMV files,
at least with the plugins available for it. Those freeware fanatics
who shun MS and use Media Player Classic, Irfan, and others, would
be free of this crap, no? Especially since they/we avoid using IE like
the plague as well.

Art
http://home.epix.net/~artnpeg
 
James E. Morrow

Thanks for the info Dave.
***

<Snip>

Thank you Mr. Lipman for this warning. The threat seems very serious. And
thanks to Bulletproof for the warning regarding Kerio. I'm in Linux now,
but when I get back to Windows XP the first thing I'll do is tighten the
Kerio settings.

Does anyone have any specifics regarding Art's point about Irfanview etc?
Is just not using WMP a real protection or could this just be a false
sense of security? I agree with Art on this, but I would like further
reassurance on this.
 
David H. Lipman

From: "James E. Morrow" <[email protected]>


|
| Thank you Mr. Lipman for this warning. The threat seems very serious. And
| thanks to Bulletproof for the warning regarding Kerio. I'm in Linux now,
| but when I get back to Windows XP the first thing I'll do is tighten the
| Kerio settings.
|
| Does anyone have any specifics regarding Art's point about Irfanview etc?
| Is just not using WMP a real protection or could this just be a false
| sense of security? I agree with Art on this, but I would like further
| reassurance on this.
|

Please... Don't be so formal. Call me Dave or David. :)

BTW: While I deliberately cross-posted this to microsoft.public.security.virus,
the Microsoft News Server filters seem to have blocked it from posting on the Microsoft News
Server. Most likely it was the names of the WMV files that triggered it.

I'll try reposting just on the MS News Server sans the names of the WMV files.
 
James E. Morrow

From: "James E. Morrow" <[email protected]>


|
| Thank you Mr. Lipman for this warning. The threat seems very serious. And
| thanks to Bulletproof for the warning regarding Kerio. I'm in Linux now,
| but when I get back to Windows XP the first thing I'll do is tighten the
| Kerio settings.
|
| Does anyone have any specifics regarding Art's point about Irfanview etc?
| Is just not using WMP a real protection or could this just be a false
| sense of security? I agree with Art on this, but I would like further
| reassurance on this.
|

Please... Don't be so formal. Call me Dave or David. :)

BTW: While I deliberately cross-posted this to microsoft.public.security.virus,
the Microsoft News Server filters seem to have blocked it from posting on the Microsoft News
Server. Most likely it was the names of the WMV files that triggered it.

I'll try reposting just on the MS News Server sans the names of the WMV files.

Alright Dave, thanks for your efforts.
 
BulletProof

Beauregard said:
kerio is not this stringent out of the box; I had to change one
setting under the applications tab.

Would that be "[X] Enable Network security module" ? (Been so long
since I set it up, I've forgotten what the defaults were...)

It's under Intrusions, application behavior.
By default it lets one app start another app...
(so long as you permit the mother app).. one level deeper, you can [X]
Ask Me
(that's the option)

I wouldn't trade this little jewel for nothing

but I see it's not free; that's alright, it can't cost more than 30 bux.
It costs me more than that to spend time removing a #$#%$$% clever
spyware.
not any more!

PERMISSION DENIED
ACCESS DENIED

hhhhhaaaaaaaaaaaaaaaaaaaaaaaaaaa hahahahaha

hhhhhhhhhaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa hahahahah

IM THE MAN!
IM IN CHARGE
I CALL THE SHOTS

lol
 
