Bd Ok Of Install Exe Doesnt Mean Much

MediaTubeCodec seems to be a polymorphic infection, and that's why not all version of it can be detected by BD (at least until somekind of generic detection can be added).

So, if you still have the file, please put it in a password-protected archive and attach it to your next post.

Thank you for the link.

Cris.

P.S.: In the same category are some files named Windows_Media_Player_Flash_Codec_Plugin.exe (and variants). When you are asked by Media Player to download additional codecs, please don't do that! They are most likely malware.

MPEG (MP3) files are all the same, and are natively supported by 99% of multimedia players on the web, so you don't need any additional codecs to play them. Any request for such codecs is at least suspicious.

Hello byoram,

What exactly is your question?

As far as I can see, you already cleaned your system, so what exactly do you need help with?

Also, you are not a BitDefender user. Don't get me wrong...but why exactly don't you ask for help at AVG/Avira? If you have samples that you want to submit for analysis, you are welcome to do so, but even if BD detects all malware it won't do you any good because you don't use it

Cris.

As far as I've seen, this infection modifies all MP3s from your computer (the MP3s seem to be fully recovered by the tool that you found on the Spanish site), drops a couple of EXE files in C:\System32\ (files which should already be detected by BitDefender), and then it deletes the original infection source (Windows_Media_Player_Flash_Codec_Plugin.exe, or variants). As far as I know, nothing else is modified by this malware.

I'm not a virus analyst, so this description might not be 100% accurate (this is what I've observed in a Virtual Machine, after running a copy of the fake "plugin").

Basically, the fake "plugin" itself is most of the times different (which is why not all variants are detected by all AVs), but the dropped files are always the same, and BD knows them.

So the cleaning method should be:

- a deep system scan with BitDefender (locally, if you have BitDefender installed, or use the Online Scanner) and remove all found infections

- use the tool to clean the affected MP3s.

About this infection:

It seems to affect only MP3 files (other audio files are not affected, nor video files).

The actual audio stream in the MP3s remains intact (the song itself is not changed in any way), but the header of the file is changed, so multimedia applications won't detect the files as MP3s, but as ASF files (which is a container type, made by Microsoft, which can contain WMA for audio, and WMV for video, both Microsoft-made types).

The problem with this type (ASF) is that it can contain scripts (somehow like webpages) to "enhance" user's experience. But these scripts can be exploited by malware, which can add links to infected files.

The scripts in ASFs are not executed by all players. The most-known players which support such scripts are Windows Media Player (go figure ) and RealOne Player. Other players, such as Winamp, don't execute such scripts, therefore they are invulnerable to such malware exploits.

So, as I said, MP3s are changes so that media players will "see" them as ASFs. Also, in the header of those MP3s is inserted a ******, a link to the fake codec, ****** which will be executed by vulnerable players. And that is how the files get corrupted, and everytime you try to play a song you'll be asked to download the codec again, and again, reinfecting your computer each time.

The tool found on the "Spanish site" is FS-MP3Fix.zip

What does this tool do? Basically, it re-encodes all files, so that they will become, once again, native MP3 files (also removing the malicious ****** from them). I've tested this tool on a few infected files, and they were fully recovered.

How to use it? Copy all affected MP3s in the same folder with the tool, and use the tool. The tool will create a clean copy of each file like this:

- infected file: song.mp3

- created clean copy: song_fs.mp3

The original infected files are left intact, so be careful what you recover from there (take only the files which end with _fs).

Attention! This tool is detected as malware by many AV products. BitDefender also detected this as a Trojan, but the Labs have confirmed that it's a False Positive, the file is clean, and detection will be removed in later updates (I only found the tool today, I reported it, so detection should be removed by tomorrow at most)

Good luck!

Cris.

BitDefender already removed the detection (so BitDefender products won't detect FS_MP3Fix.exe as threat anymore).

Also, to prevent any misleading, I want to say that the above tool for MP3s was created by someone from InfoSpyware.com, so all credit for this tool goes to them. Also, support for this tool should be asked directly to them, as we (BitDefender forum) do not take any responsibility for any damage caused by this tool.

The same issue (infected MP3s) is discussed on InfoSpyware's forum, ForoSpyware.com (and this is also where you can find the original link and instructions for this tool).

Cris.

The standard recommended password for samples is infected. Any other password is good as well, as long as you let us know the password, through PM.

Cris.

My personal suggestion: 7Zip, freeware.

Other suggestions and instructions: http://forum.bitdefender.com/index.php?showtopic=84

Cris.

As far as I've seen, this infection modifies all MP3s from your computer (the MP3s seem to be fully recovered by the tool that you found on the Spanish site), drops a couple of EXE files in C:\System32\ (files which should already be detected by BitDefender), and then it deletes the original infection source (Windows_Media_Player_Flash_Codec_Plugin.exe, or variants). As far as I know, nothing else is modified by this malware.

I'm not a virus analyst, so this description might not be 100% accurate (this is what I've observed in a Virtual Machine, after running a copy of the fake "plugin").

Basically, the fake "plugin" itself is most of the times different (which is why not all variants are detected by all AVs), but the dropped files are always the same, and BD knows them.

So the cleaning method should be:

- a deep system scan with BitDefender (locally, if you have BitDefender installed, or use the Online Scanner) and remove all found infections

- use the tool to clean the affected MP3s.

About this infection:

It seems to affect only MP3 files (other audio files are not affected, nor video files).

The actual audio stream in the MP3s remains intact (the song itself is not changed in any way), but the header of the file is changed, so multimedia applications won't detect the files as MP3s, but as ASF files (which is a container type, made by Microsoft, which can contain WMA for audio, and WMV for video, both Microsoft-made types).

The problem with this type (ASF) is that it can contain scripts (somehow like webpages) to "enhance" user's experience. But these scripts can be exploited by malware, which can add links to infected files.

The scripts in ASFs are not executed by all players. The most-known players which support such scripts are Windows Media Player (go figure ) and RealOne Player. Other players, such as Winamp, don't execute such scripts, therefore they are invulnerable to such malware exploits.

So, as I said, MP3s are changes so that media players will "see" them as ASFs. Also, in the header of those MP3s is inserted a ******, a link to the fake codec, ****** which will be executed by vulnerable players. And that is how the files get corrupted, and everytime you try to play a song you'll be asked to download the codec again, and again, reinfecting your computer each time.

The tool found on the "Spanish site" is FS-MP3Fix.zip

What does this tool do? Basically, it re-encodes all files, so that they will become, once again, native MP3 files (also removing the malicious ****** from them). I've tested this tool on a few infected files, and they were fully recovered.

How to use it? Copy all affected MP3s in the same folder with the tool, and use the tool. The tool will create a clean copy of each file like this:

- infected file: song.mp3

- created clean copy: song_fs.mp3

The original infected files are left intact, so be careful what you recover from there (take only the files which end with _fs).

Attention! This tool is detected as malware by many AV products. BitDefender also detected this as a Trojan, but the Labs have confirmed that it's a False Positive, the file is clean, and detection will be removed in later updates (I only found the tool today, I reported it, so detection should be removed by tomorrow at most)

Good luck!

Cris.

I LOVE YOU CRIS I LOVE YOU SAVED MY LIFE , IT IS WORKING COMPLETELY , WORKING WORKING WORKING