ASX/Wimad is a detection name for a family of malicious URL script commands embedded in Advanced Systems Format (ASF) media files, the container format used by Windows Media Player and other media players. When such a file is played, the embedded command makes the player open an attacker-controlled URL, which is used to download arbitrary files.
Attack overview
In July 2008, we saw that Trojan:Win32/Gecedoc.A was capable of altering media files with the following extensions:
The attack abuses a legitimate ASF feature: script commands, carried in the ASF_Script_Command_Object defined in the ASF Header Object. The threat alters the media file so that Windows Media Player processes a malicious URL script command embedded in the stream. When the altered ASF file is played, the player interprets the URL script command and acts on it.
ASX/Wimad is the detection for malicious URL script commands found in altered media files.
Files detected as ASX/Wimad are also distributed through peer-to-peer (P2P) file sharing networks and IRC channels.
Installation
Some variants of Wimad may arrive as an infected file; for example, infected MP3 and ASF files may be downloaded or shared through P2P file sharing networks. Note that a file with an .mp3 extension may in fact be an ASF container that has been renamed, so the extension alone is not a reliable indicator of the format.
Files may be infected by Trojan:Win32/Gecedoc.A; files infected by this threat are detected as Wimad. Gecedoc then searches your hard drive for clean media files with the following extensions:
If found, the malware alters the file to run a malicious URL script command.
Payload
Downloads files
ASX/Wimad can download other files, and employ social engineering techniques to assist the malware's execution (see the description for TrojanClicker:ASX/Wimad.CX for details of how social engineering may be used). We've seen Wimad connect to these websites for that purpose:
- 10yearsmusic.com
- 193.138.172.14
- 216.93.188.81
- 68.178.225.162
- 85.17.138.60
- 85.17.93.189
- ad.winadclient.com
- adult.pornparks.com
- americansexonline.com
- calyeung.com
- completely-free-movies.info
- coolpixhost.biz
- coralplayer.com
- cxgr.com
- dabao1.cn
- darixo.com
- download.pjplayer.com
- drm.ysbweb.com
- e-mirrorsite.com
- fastmp3player.com
- fetch.pjplayer.com
- find.eeredi.info
- find.mreed.info
- find.x3codec.info
- flashupd.com
- freaktorrents.info
- free.f2player.com
- freeaudiocodecs.com
- friskypotato.com
- funsiteshere.com
- get.pjplayer.com
- getsuperstuff.com
- go.eeredi.info
- go.emmigo.in
- go.galaplayer.com
- go.mreed.info
- goodtimesplayer.com
- hasvideo.net
- hotstuffbox.com
- install-finder.com
- installation1.radmp3player.com
- isvbr.net
- license.mediapassonline.com
- lost.to/in.cgi?8
- media.downloadmediacentral.com
- media.licenseacquisition.org
- media.tfeed.info
- mediaprovider.info
- mediastop.zigg.me
- mediazone.uni.me
- microsoftmedicenter.com
- minisites.mypengo.com
- missing-codecs.com
- movie.blogdns.org
- mp.profittrol.com
- mp3.eeredi.info
- mp3.mreed.info
- mp3.x3codec.info
- mp3codec.info
- mp3codecdownload.com
- mpegcodecupdate.com
- msdomains.org
- myfirstsexteacher.com
- network.adsmarket.com
- nms.whenu.com
- now.divocodec.com
- peertracking.com
- pinballpublishernetwork.com
- play.pjplayer.com
- player.tfeed.info
- playmoviesx.com
- playsong.mediasongplayer.com
- playstream.searchasong.net
- plugin-install.info
- plugin-installer.com
- plugin-installer.info
- pluginprovider.com
- primeroute.net
- profittable.com
- purefunland.com
- radarixo.com
- real.pjplayer.com
- realcodec.com
- realsexsites.com
- redirsystem32.com
- remarkablesongslive.com
- sameshitasiteverwas.com
- selectusers.com
- sexnyu.com
- sexygirlsluts.com
- sharebuddy.ourtoolbar.com
- somegreatsongs.com
- spweb.whenu.com
- surf.to/mp3galaxy
- take.eeredi.info
- take.mreed.info
- take.x3codec.info
- tpbtrack.com
- tvcodec.net
- upgradecodec.cinedump.com
- uwww.exitforcash.com
- vidareal2010.pisem.su
- vidscentral.net
- winbutler.com
- winmediapackage.com
- wonderfultracks.com
- www.22teens.com
- www.fastmp3player.com
- www.mp3codec.info
- www.peertracking.com
- www.protectedmedia.com
- www.remarkablesongslive.com
- x3redir.mooo.com
In the wild, we have observed the following files run on a PC after it has been successfully infected using one of these social engineering techniques:
- access.exe
- asf_codec.exe
- Codec.exe
- codec_update2.7.exe
- mp3_codec_update.exe
- mp3codec.exe
- PLAY.exe
- Play_mp3.exe
- SecureInstall_LOFS020701Inst.exe
- security-update-KB964085.exe
- setupe.exe
- Windows_Media_Player_Flash_Codec_Plugin.exe
- windows_media_update.exe
Wimad-infected files also use file names that reference popular music:
- 07. Dance Again - Jennifer Lopez Pitbull.mp3
- 17 Back In Time - Pitbull.mp3
- Abrazame - Camila.mp3
- Antigo Funk - Stevie B - Spring Love.mp3
- Good Feeling - Flo Rida.mp3
- Got 2 Luv U - Sean Paul Alexis Jordan.mp3
- Somebody That I Used To Know - Gotye Kimbra.mp3
- Tito El Bambino - Te Comence A Querer(1).mp3
- We Found Love - Rihanna Calvin Harris (2011 DVD)(3).mp3
Downloads malware and unwanted programs
We have seen variants of ASX/Wimad downloading the following malware and unwanted software:
Redirects web browser
Variants of ASX/Wimad can redirect your web browser to:
- Phishing websites
- Adult content websites
- Advertisements
- Download websites, such as the following:
Additional technical information
The Advanced Systems Format (ASF) is the file format used by Windows Media. Audio and/or video content compressed with a wide variety of codecs can be stored in an ASF file and played back with the Windows Media Player (provided the appropriate codecs are installed), streamed with Windows Media Services or optionally packaged with Windows Media Rights Manager. For more information, refer to the Advanced Systems Format (ASF) specification.
Files detected as ASX/Wimad contain a script command that instructs the default media player to open a URL in the browser. Examples of players that support this feature include, but are not limited to:
- FFmpeg
- Flip4Mac
- MPlayer
- RealPlayer
- Windows Media Player
- Zune
It has been observed to use the following methods to open the URL (in order of observed prevalence in the wild):
- Use a script command (such as "URLANDEXIT") in the file header
- Use a Digital Rights Management (DRM) header that specifies a malicious URL as the DRM license acquisition URL (DRMHeader.LAINFO)
- Use a script command supported by Windows Media Player
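The following Python script is an added example, not part of the original analysis, showing how a responder can triage a suspect media file offline by walking the ASF Header Object described above and pulling out the two URL carriers the analysis lists: the ASF_Script_Command_Object (type name plus command string, e.g. "URLANDEXIT" with a URL payload) and the license acquisition URL in the DRM header. Object GUIDs and field layouts are taken from the ASF specification; the LA_URL extraction assumes the DRM data is a UTF-16LE WRMHEADER XML blob, and the sample file built by build_sample() and the example.invalid URLs in it are constructed for testing and are not real indicators.

```python
import re
import struct
import uuid

# Object GUIDs from the ASF specification; stored little-endian on disk.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("7BF875CE-468D-11D1-8D82-006097C9A2B2")
ASF_EXT_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")
ASF_RESERVED_1 = uuid.UUID("4B1ACBE3-100B-11D0-A39B-00A0C90348F6")  # reserved field of the Script Command Object

URL_RE = re.compile(r"^(https?|ftp|mms|file)://", re.I)


def _wstr(buf, off, nchars):
    """Decode an ASF WCHAR string (UTF-16LE, length given in characters)."""
    return buf[off:off + 2 * nchars].decode("utf-16-le", "replace").rstrip("\x00")


def parse_script_commands(body):
    """Parse a Script Command Object body (everything after the 24-byte object header).

    Layout per spec: Reserved GUID(16) | Commands Count(2) | Command Types Count(2) |
    Command Types[] (WORD len + WCHAR name) | Commands[] (DWORD time_ms, WORD type idx,
    WORD len, WCHAR name). Returns [(time_ms, type_name, command_name)].
    """
    n_cmds, n_types = struct.unpack_from("<HH", body, 16)
    off, types, cmds = 20, [], []
    for _ in range(n_types):
        (n,) = struct.unpack_from("<H", body, off)
        types.append(_wstr(body, off + 2, n))
        off += 2 + 2 * n
    for _ in range(n_cmds):
        t_ms, idx, n = struct.unpack_from("<IHH", body, off)
        typ = types[idx] if idx < len(types) else "type#%d" % idx  # out-of-range index: keep going
        cmds.append((t_ms, typ, _wstr(body, off + 8, n)))
        off += 8 + 2 * n
    return cmds


def scan_asf(data):
    """Walk the ASF Header Object and return (kind, type, value) for every URL-bearing
    field found: script commands and DRM license-acquisition (LA_URL) URLs."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF file")
    (hdr_size,) = struct.unpack_from("<Q", data, 16)
    end = min(hdr_size, len(data))  # tolerate truncated files
    off, findings = 30, []          # 30 = GUID + size + object count + 2 reserved bytes
    while off + 24 <= end:
        gid = uuid.UUID(bytes_le=data[off:off + 16])
        (size,) = struct.unpack_from("<Q", data, off + 16)
        if size < 24 or off + size > end:
            break                    # malformed object size: stop rather than loop or over-read
        body = data[off + 24:off + size]
        if gid == ASF_SCRIPT_COMMAND_OBJECT:
            for t_ms, typ, name in parse_script_commands(body):
                findings.append(("script", typ, name))
        elif gid == ASF_EXT_CONTENT_ENCRYPTION_OBJECT:
            # Body is DWORD length + WRMHEADER XML (UTF-16LE); LA_URL is the license
            # acquisition URL the player contacts (assumption: v2-style WRMHEADER).
            (n,) = struct.unpack_from("<I", body, 0)
            xml = body[4:4 + n].decode("utf-16-le", "ignore")
            for url in re.findall(r"<LA_URL>(.*?)</LA_URL>", xml, re.S):
                findings.append(("drm", "LA_URL", url.strip()))
        off += size
    return findings


def suspicious(findings):
    """Flag commands whose type is URL-like or whose payload is itself a URL, and every LA_URL."""
    return [f for f in findings
            if f[0] == "drm" or f[1].upper() in ("URL", "URLANDEXIT") or URL_RE.match(f[2])]


def _obj(gid, body):
    return gid.bytes_le + struct.pack("<Q", 24 + len(body)) + body


def build_sample():
    """Construct a minimal ASF header (no Data Object) carrying both tricks, for testing."""
    u16 = lambda s: s.encode("utf-16-le")
    sc = ASF_RESERVED_1.bytes_le + struct.pack("<HH", 1, 1)
    sc += struct.pack("<H", len("URLANDEXIT")) + u16("URLANDEXIT")
    url = "http://example.invalid/codec_update.exe"          # constructed, not a real indicator
    sc += struct.pack("<IHH", 0, 0, len(url)) + u16(url)
    wrm = u16('<WRMHEADER version="2.0.0.0"><DATA><LA_URL>http://example.invalid/license</LA_URL></DATA></WRMHEADER>')
    inner = _obj(ASF_SCRIPT_COMMAND_OBJECT, sc)
    inner += _obj(ASF_EXT_CONTENT_ENCRYPTION_OBJECT, struct.pack("<I", len(wrm)) + wrm)
    return ASF_HEADER_OBJECT.bytes_le + struct.pack("<Q", 30 + len(inner)) + struct.pack("<I", 2) + b"\x01\x02" + inner


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for kind, typ, value in suspicious(scan_asf(blob)):
        print("%-6s %-10s %s" % (kind, typ, value))
```

Run it against a suspect file regardless of its extension (a renamed .mp3 still starts with the ASF Header Object GUID); any hit from suspicious() is worth blocking the URL and submitting the file, since a benign song has no reason to carry a script command or a license server of its own.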
Further reading
Analysis by Methusela Cebrian Ferrer and Patrik Vicol