BD OK of install exe doesn't mean much

ljl269x
edited July 2008 in Sample submission

Contextual scan on MediaTubeCodec_ver1.668.3.exe was clean but upon executing it got Trojan.FakeAlert.TF installed in multiple places which disabled all hotkeys, BD, & Explorer (how did they do that?). As of Thurs, <link removed> was still trying to get you to download MediaTubeCodec_ver1.668.3.exe. This trojan is well done from both a technical & human engineering point of view & I only recovered because I image OS 1/wk, save registry 1/3 days & have BartPE.


So for those who 'clean installed' by doing AV scan then killing a lot of processes including AV then running install exe, this sequence is no longer safe. With ATI drivers+.. I guess I'll have to image my drives before installing.


Question: Whois leads ultimately to site whose TS is in Russian so who can I report this to so we can waterboard these guys! I've got a lot of scan logs & screenshots from the attack.


Your help is MUCH appreciated. Thanks- bye- Larry

Attachment: link.txt

Comments

  • MediaTubeCodec seems to be a polymorphic infection, and that's why not all versions of it can be detected by BD (at least until some kind of generic detection can be added).


    So, if you still have the file, please put it in a password-protected archive and attach it to your next post.


    Thank you for the link.


    Cris.


    P.S.: In the same category are some files named Windows_Media_Player_Flash_Codec_Plugin.exe (and variants). When you are asked by Media Player to download additional codecs, please don't do that! They are most likely malware.


    MPEG (MP3) files are all the same, and are natively supported by 99% of multimedia players on the web, so you don't need any additional codecs to play them. Any request for such codecs is at least suspicious.

  • byoram
    edited July 2008
    > MediaTubeCodec seems to be a polymorphic infection, and that's why not all versions of it can be detected by BD (at least until some kind of generic detection can be added).
    >
    > So, if you still have the file, please put it in a password-protected archive and attach it to your next post.
    >
    > Thank you for the link.
    >
    > Cris.
    >
    > P.S.: In the same category are some files named Windows_Media_Player_Flash_Codec_Plugin.exe (and variants). When you are asked by Media Player to download additional codecs, please don't do that! They are most likely malware.
    >
    > MPEG (MP3) files are all the same, and are natively supported by 99% of multimedia players on the web, so you don't need any additional codecs to play them. Any request for such codecs is at least suspicious.


    Hi there,


    In the heat of the moment and while installing Vista I accidentally clicked on this file (Windows_Media_Player_Flash_Codec_Plugin.exe). All my MP3 files are now 'scrambled' and cannot be listened to. I found a fix to the songs online (a Spanish website) and will probably need to spend hours just fixing the songs. I also removed the WMP settings from the registry and installed a clean one from a user that I have set up just in order to get 'clean' settings for WMP. My question is, how can I verify that no leftovers of this malware are on my computer? BTW - the only AV that tracked this thing (on my wife's computer) was Avira. On mine I have AVG 8.0 and Windows Defender - nada!


    Appreciate your help!

  • alexcrist
    edited July 2008

    Hello byoram,


    What exactly is your question? :huh:


    As far as I can see, you already cleaned your system, so what exactly do you need help with?


    Also, you are not a BitDefender user. Don't get me wrong...but why exactly don't you ask for help at AVG/Avira? If you have samples that you want to submit for analysis, you are welcome to do so, but even if BD detects all malware it won't do you any good because you don't use it :D


    Cris.

  • byoram
    edited July 2008
    > Hello byoram,
    >
    > What exactly is your question? :huh:
    >
    > As far as I can see, you already cleaned your system, so what exactly do you need help with?
    >
    > Also, you are not a BitDefender user. Don't get me wrong...but why exactly don't you ask for help at AVG/Avira? If you have samples that you want to submit for analysis, you are welcome to do so, but even if BD detects all malware it won't do you any good because you don't use it :D
    >
    > Cris.


    Hi Cris,


    I apologize and you are right, I was rude. I did not use BD before this incident but trust me, there is no AVG on my system after this huge failure on their end. I have installed BD this morning as your site is the only one that has any mention of this malware in an official way. I guess it is too late but you can count on it that I know what to do the next time I install a new computer.


    My question was and still is: does this malware leave any traces that I can manually clean, or would you recommend a clean install just to be on the safe side?


    Apologies again.

  • As far as I've seen, this infection modifies all MP3s from your computer (the MP3s seem to be fully recovered by the tool that you found on the Spanish site), drops a couple of EXE files in C:\System32\ (files which should already be detected by BitDefender), and then it deletes the original infection source (Windows_Media_Player_Flash_Codec_Plugin.exe, or variants). As far as I know, nothing else is modified by this malware.


    I'm not a virus analyst, so this description might not be 100% accurate (this is what I've observed in a Virtual Machine, after running a copy of the fake "plugin").


    Basically, the fake "plugin" itself is most of the time different (which is why not all variants are detected by all AVs), but the dropped files are always the same, and BD knows them.


    So the cleaning method should be:


    - a deep system scan with BitDefender (locally, if you have BitDefender installed, or use the Online Scanner) and remove all found infections


    - use the tool to clean the affected MP3s.


    About this infection:


    It seems to affect only MP3 files (other audio files are not affected, nor video files).


    The actual audio stream in the MP3s remains intact (the song itself is not changed in any way), but the header of the file is changed, so multimedia applications won't detect the files as MP3s, but as ASF files (which is a container type, made by Microsoft, which can contain WMA for audio, and WMV for video, both Microsoft-made types).


    The problem with this type (ASF) is that it can contain scripts (somewhat like webpages) to "enhance" the user's experience. But these scripts can be exploited by malware, which can add links to infected files.


    The scripts in ASFs are not executed by all players. The most-known players which support such scripts are Windows Media Player (go figure :P ) and RealOne Player. Other players, such as Winamp, don't execute such scripts, therefore they are invulnerable to such malware exploits.


    So, as I said, MP3s are changed so that media players will "see" them as ASFs. Also, in the header of those MP3s is inserted a ******, a link to the fake codec, ****** which will be executed by vulnerable players. And that is how the files get corrupted, and every time you try to play a song you'll be asked to download the codec again, and again, reinfecting your computer each time.


    The tool found on the "Spanish site" is FS-MP3Fix.zip


    What does this tool do? Basically, it re-encodes all files, so that they will become, once again, native MP3 files (also removing the malicious ****** from them). I've tested this tool on a few infected files, and they were fully recovered.


    How to use it? Copy all affected MP3s in the same folder with the tool, and use the tool. The tool will create a clean copy of each file like this:


    - infected file: song.mp3


    - created clean copy: song_fs.mp3


    The original infected files are left intact, so be careful what you recover from there (take only the files which end with _fs).


    Attention! This tool is detected as malware by many AV products. BitDefender also detected this as a Trojan, but the Labs have confirmed that it's a False Positive, the file is clean, and detection will be removed in later updates (I only found the tool today, I reported it, so detection should be removed by tomorrow at most).


    Good luck! :)


    Cris.
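
The symptom Cris describes (an .mp3 whose audio stream is untouched but whose leading header now identifies it as an ASF container) can be checked for without a media player. The script below is an added example, not code from this thread, from BitDefender or from the FS-MP3Fix tool: it classifies a file by its first bytes (the ASF Header Object GUID versus an ID3 tag or a raw MPEG frame sync) and walks a folder listing .mp3 files that are really ASF. The two sample files it writes to a scratch directory are constructed for the demo; it does not repair anything, it only tells you which files still need the fix tool.

```python
"""Find .mp3 files whose on-disk header is actually an ASF container.

Added example (not the forum's or BitDefender's code). The sample files
written by demo() are constructed so the script runs offline.
"""
import os
import tempfile

# ASF top-level Header Object GUID {75B22630-668E-11CF-A6D9-00AA0062CE6C}
# as it is laid out on disk (first three fields little-endian).
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")


def classify_audio_header(data: bytes) -> str:
    """Return 'asf', 'mp3' or 'unknown' from the leading bytes of a file."""
    if data.startswith(ASF_HEADER_GUID):
        return "asf"
    if data.startswith(b"ID3"):  # ID3v2 tag sits in front of the MPEG frames
        return "mp3"
    # Raw MPEG audio frame: 11-bit sync word (0xFFE) at offset 0.
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def find_mismatched_mp3s(root: str) -> list[str]:
    """Walk root and return .mp3 paths whose header is really ASF."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".mp3"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(16)  # GUID is 16 bytes; that is all we need
            if classify_audio_header(head) == "asf":
                hits.append(path)
    return sorted(hits)


def demo() -> list[str]:
    """Write one clean and one tampered file to a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="mp3check_")
    # Constructed: ID3v2 tag header followed by an MPEG frame sync.
    clean = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" + b"\x00" * 32
    # Constructed: ASF header GUID glued in front of the same MPEG frames,
    # mirroring the "header changed, audio intact" description above.
    tampered = ASF_HEADER_GUID + b"\x00" * 14 + b"\xff\xfb\x90\x00" + b"\x00" * 32
    with open(os.path.join(root, "song.mp3"), "wb") as f:
        f.write(clean)
    with open(os.path.join(root, "song2.mp3"), "wb") as f:
        f.write(tampered)
    return [os.path.basename(p) for p in find_mismatched_mp3s(root)]


if __name__ == "__main__":
    print(demo())  # ['song2.mp3']
```

Point `find_mismatched_mp3s` at a music folder to get the list of files still carrying the swapped header; a file that classifies as `mp3` again after running the fix tool is the sanity check that the repair worked.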

  • byoram
    edited July 2008

    Cris, your reply is very thorough and professional, I appreciate the time and efforts you took in helping me out with this one. I will add more as I experiment with the computer later on today.

  • alexcrist
    edited July 2008

    BitDefender already removed the detection (so BitDefender products won't detect FS_MP3Fix.exe as threat anymore).


    Also, to prevent any misleading, I want to say that the above tool for MP3s was created by someone from InfoSpyware.com, so all credit for this tool goes to them. Also, support for this tool should be asked directly to them, as we (BitDefender forum) do not take any responsibility for any damage caused by this tool.


    The same issue (infected MP3s) is discussed on InfoSpyware's forum, ForoSpyware.com (and this is also where you can find the original link and instructions for this tool).


    Cris.

  • > MediaTubeCodec seems to be a polymorphic infection, and that's why not all versions of it can be detected by BD (at least until some kind of generic detection can be added).

    DLoadLoops.zip has screenshots of a loop you can't get out of once you try to play any video. Note none of the tabs or links work on any page!


    More info on it at http://www.prevx.com/filenames/X1680581988...5B1%5D.EXE.html


    http://pandalabs.pandasecurity.com/archive...ntube-Page.aspx


    http://www.ca.com/securityadvisor/pest/pes...px?id=453134350


    It disables BD, Explorer, & all hotkeys so for an average user an XP reinstall would be required. BD is still finding Trojans during my 2/day DEEP SCAN!


    The Achilles heel of all malware IMHO is how to get initially installed & how to run at each boot so my defense concentrated on 5 or so places in the Registry that can start apps & services. I had to restore a previous Registry running ERUNT from BartPE so I could boot XP & reinstall BD & do SFC from Command Prompt.


    I have a 2nd XP for evals & experiments where I'm beta testing Threatfire so I'm gonna execute MediaTubeCodec there & see if Threatfire detects it.


    > So, if you still have the file, please put it in a password-protected archive and attach it to your next post.


    I do, & I've never password-protected a zip file, but I can probably run StuffIt & click away, BUT how do I tell you the password?


    > Thank you for the link. Cris.


    Thank you for your response.


    Your help is MUCH appreciated.

    Attachment: DLoadLoops.zip

  • The standard recommended password for samples is infected. Any other password is good as well, as long as you let us know the password, through PM.


    Cris.

  • > The standard recommended password for samples is infected. Any other password is good as well, as long as you let us know the password, through PM.


    My zipper is StuffIt which has no password capability.


    Any suggestions are welcome.


    Thanks- bye- Larry

  • My personal suggestion: 7Zip, freeware.


    Other suggestions and instructions: http://forum.bitdefender.com/index.php?showtopic=84


    Cris.

  • > My personal suggestion: 7Zip, freeware.
    >
    > Other suggestions and instructions: http://forum.bitdefender.com/index.php?showtopic=84


    StuffIt is old & $$ so it's about time to replace it. IZArc handles a lot of files I run into from Mac users sending graphics & unraveling ISOs would be handy. So I'll install IZArc & get back to you but it might not be for a week or so. You could download it from the URL I posted - I deleted the original & went back to the URL & got it.


    I've got some higher priority problems with Rescue CD & Media Player & I just got a 46" LCD HD TV with HD TiVo.


    Your help is MUCH appreciated. Thanks- bye- Larry

  • > So, if you still have the file, please put it in a password-protected archive and attach it to your next post.
    >
    > Thank you for the link.
    >
    > Cris.
    >
    > P.S.: In the same category are some files named Windows_Media_Player_Flash_Codec_Plugin.exe (and variants). When you are asked by Media Player to download additional codecs, please don't do that! They are most likely malware.
    >
    > MPEG (MP3) files are all the same, and are natively supported by 99% of multimedia players on the web, so you don't need any additional codecs to play them. Any request for such codecs is at least suspicious.


    Attached is the Trojan with password = infected. I evaluated 4 zippers but only 7zip would handle filenames with 'special chars', which are chars I use for illegal ones in filenames. Example: ¿ for ?, › for >, and others used in proofs & notations. All but 7zip either stopped compressing or omitted the file - serious problems.


    As an aside, I'm looking to download all codecs for WMP. Do you know a trusted site?


    Your help is MUCH appreciated. Thanks- bye- Larry

    Attachment: MediaTubeCodec_ver1.668.3.zip

  • > I have a 2nd XP for evals & experiments where I'm beta testing Threatfire so I'm gonna execute MediaTubeCodec there & see if Threatfire detects it.


    Threatfire did stop all damage to my experimental XP & quarantined all components of this trojan including the install pgm & the zip file it was extracted from, which was password protected (see attachment). Pretty impressive.


    I think the BD + Threatfire combo provides lots of protection with minimal intrusion. I also have SpywareBlaster blocking ActiveX & ZonedOut defining Restricted+Trusted Zones in IE; neither takes any resources from the CPU.



    Any & all comments/suggestions are welcome.


    Thanks- bye- Larry

    Attachment (screenshot): post-13792-1216905844_thumb.jpg

  • > As far as I've seen, this infection modifies all MP3s from your computer (the MP3s seem to be fully recovered by the tool that you found on the Spanish site), drops a couple of EXE files in C:\System32\ (files which should already be detected by BitDefender), and then it deletes the original infection source (Windows_Media_Player_Flash_Codec_Plugin.exe, or variants). As far as I know, nothing else is modified by this malware.
    >
    > I'm not a virus analyst, so this description might not be 100% accurate (this is what I've observed in a Virtual Machine, after running a copy of the fake "plugin").
    >
    > Basically, the fake "plugin" itself is most of the time different (which is why not all variants are detected by all AVs), but the dropped files are always the same, and BD knows them.
    >
    > So the cleaning method should be:
    >
    > - a deep system scan with BitDefender (locally, if you have BitDefender installed, or use the Online Scanner) and remove all found infections
    >
    > - use the tool to clean the affected MP3s.
    >
    > About this infection:
    >
    > It seems to affect only MP3 files (other audio files are not affected, nor video files).
    >
    > The actual audio stream in the MP3s remains intact (the song itself is not changed in any way), but the header of the file is changed, so multimedia applications won't detect the files as MP3s, but as ASF files (which is a container type, made by Microsoft, which can contain WMA for audio, and WMV for video, both Microsoft-made types).
    >
    > The problem with this type (ASF) is that it can contain scripts (somewhat like webpages) to "enhance" the user's experience. But these scripts can be exploited by malware, which can add links to infected files.
    >
    > The scripts in ASFs are not executed by all players. The most-known players which support such scripts are Windows Media Player (go figure :P ) and RealOne Player. Other players, such as Winamp, don't execute such scripts, therefore they are invulnerable to such malware exploits.
    >
    > So, as I said, MP3s are changed so that media players will "see" them as ASFs. Also, in the header of those MP3s is inserted a ******, a link to the fake codec, ****** which will be executed by vulnerable players. And that is how the files get corrupted, and every time you try to play a song you'll be asked to download the codec again, and again, reinfecting your computer each time.
    >
    > The tool found on the "Spanish site" is FS-MP3Fix.zip
    >
    > What does this tool do? Basically, it re-encodes all files, so that they will become, once again, native MP3 files (also removing the malicious ****** from them). I've tested this tool on a few infected files, and they were fully recovered.
    >
    > How to use it? Copy all affected MP3s in the same folder with the tool, and use the tool. The tool will create a clean copy of each file like this:
    >
    > - infected file: song.mp3
    >
    > - created clean copy: song_fs.mp3
    >
    > The original infected files are left intact, so be careful what you recover from there (take only the files which end with _fs).
    >
    > Attention! This tool is detected as malware by many AV products. BitDefender also detected this as a Trojan, but the Labs have confirmed that it's a False Positive, the file is clean, and detection will be removed in later updates (I only found the tool today, I reported it, so detection should be removed by tomorrow at most).
    >
    > Good luck! :)
    >
    > Cris.


    I LOVE YOU CRIS I LOVE YOU SAVED MY LIFE , IT IS WORKING COMPLETELY , WORKING WORKING WORKING