Description:
To get a one-glance comprehensive view of the behavior of this spyware, refer to the Behavior Diagram shown below.
Spyware Overview
This spyware may be dropped by TROJ_MEDPINCH.A. It may also be downloaded unknowingly by a user when visiting malicious Web sites.
Upon execution, it searches the system for all .MP3, .WMA, and .WMV files and injects malicious code into each file it finds. .MP3 files are first converted to WMA format before the injection is performed.
When an infected file is played in Windows Media Player, the player displays a fake popup window claiming that a codec is missing and must be installed. The offered "codec" is not a codec at all but a copy of this spyware.
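One triage check that follows from the conversion step above: a file that still carries an .mp3 name but begins with the ASF container header (the format used by WMA and WMV) is worth a closer look. The script below is an added example, not part of this description or any Trend Micro tooling. It assumes that the converted files keep their original .mp3 name, which the text does not state explicitly; the ASF header GUID is the documented 16-byte signature that opens every ASF file, and the sample directory in `demo()` is constructed inline so the script runs offline.

```python
import tempfile
from pathlib import Path

# ASF header object GUID (30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C):
# the first 16 bytes of every WMA/WMV (ASF) file.
ASF_HEADER_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")


def sniff_container(head: bytes) -> str:
    """Classify a file by its leading bytes rather than trusting its extension."""
    if head[:16] == ASF_HEADER_GUID:
        return "asf"
    if head[:3] == b"ID3":          # MP3 with an ID3v2 tag in front
        return "mp3"
    # Raw MPEG audio frame: 11-bit frame sync (0xFFE) at offset 0
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def find_mp3_named_asf(root) -> list:
    """Return names of files under root that are called *.mp3 but are really ASF.

    Assumption (not stated on the page): the spyware keeps the .mp3 file name
    after converting the audio to WMA, so the extension/content mismatch is
    the observable artifact.
    """
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".mp3":
            continue
        with open(path, "rb") as fh:
            head = fh.read(16)
        if sniff_container(head) == "asf":
            hits.append(path.name)
    return sorted(hits)


def demo() -> list:
    """Constructed sample tree: a genuine MP3, an ASF file wearing an .mp3 name, a .wma."""
    with tempfile.TemporaryDirectory() as tmp:
        music = Path(tmp) / "music"
        music.mkdir()
        (music / "genuine.mp3").write_bytes(b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 32)
        (music / "converted.mp3").write_bytes(ASF_HEADER_GUID + b"\x00" * 32)
        (music / "clip.wma").write_bytes(ASF_HEADER_GUID + b"\x00" * 32)
        return find_mp3_named_asf(music)


if __name__ == "__main__":
    print("mp3-named ASF files:", demo())
```

Point `find_mp3_named_asf` at a user's media folders on a suspect host; a genuine .wma that was merely renamed will also trigger, so treat a hit as a lead for further inspection rather than proof of infection.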
It also opens a hidden Internet Explorer (IE) window and attempts to download a file from a Web site. As of this writing, however, that site is inaccessible.
This spyware steals user names, passwords, and other account and installation information from certain applications installed on the affected system, most of them instant messaging and email clients.
It stores the gathered information in log files, encrypts those files, and then sends them to a specific remote site.