Author Topic: "Funny" Edition of WMA:WIMAD[drp] Story +question  (Read 5062 times)


maverikentertainment

  • Guest
"Funny" Edition of WMA:WIMAD[drp] Story +question
« on: September 11, 2012, 05:42:26 PM »
So my cousin who doesn't know any better was trying to get movies and ended up with a file infected with WMA:WIMAD[drp], or rather, from what I could tell, was created for the express purpose of spreading the virus.

He tried running it from his MacBook and got the message about needing a Windows Media codec for his .avi file (no redirection was complete, we were both offline), but it wasn't the usual system message imitation. The video ran the Universal logo theme and the message was a bright white text cg plastered over it, and I assume that the huge filesize is faked or that it's a long running video of the Universal logo as a still image (once the animation and music complete).

Now I didn't know much about this virus until today, but the fact that a video that needs a codec...well...ran at all, and that the message was part of the video raised hundreds of red flags in my head.

In any case he jammed his flash drive into my PC anyway to see if I could run it, so I immediately ran avast on it instead, doing my best to explain why it didn't make sense. Saw it was infected with this virus and promptly removed it, telling him he was duped.

In any case coming from a video background I found the execution somewhat amusing...

In any case I was wondering if anyone with a better understanding of the virus could tell me if it has any threat to my PC? From what I could gather it doesn't do much unless it successfully downloads further malware but didn't find any solid info on its replication behaviors or other ways it might spread. I've yet to do a boot scan and wondered if it's a necessary step in dealing with this. The file was only ever on the flash drive and did not seem to infect the other media files, or my own.

Though I don't expect to encounter any unknown viruses soon, I was wondering if this would also be the correct forum for a user to report suspicious activity or a confirmed new virus?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: "Funny" Edition of WMA:WIMAD[drp] Story +question
« Reply #1 on: September 11, 2012, 05:55:02 PM »
Did you have the chance to remove the initial infectious file completely and utterly? I mean, was the file shredded or contained in the chest?
Hope your MP3s have not got infected and corrupted. Best to have your logs as mentioned here: http://forum.avast.com/index.php?topic=53253.0
and I will ask a qualified removal expert to look into this issue. When he calls in you have to follow his instructions to the dot,

polonus

P.S. I edit my initial reply here accordingly not to panic but to say that the infection could be rather serious, as WMA:WIMAD[drp] is such a dangerous threat because it compromises the infected computer through a backdoor, making this infection another form of Achilles's heel on the modern Internet, as the fake codec becomes installed the computer can be freely accessed by cybercriminals,

« Last Edit: September 11, 2012, 06:07:03 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37545
  • Not a avast user
Re: "Funny" Edition of WMA:WIMAD[drp] Story +question
« Reply #2 on: September 11, 2012, 06:03:31 PM »
If you have the file, upload it to www.virustotal.com and test with 40+ malware scanners.
When you have the result, post the scan link here for us to see.

alternative
jotti.org
metascan-online.com


To see what the file does, upload to ThreatExpert or Norman and receive a sandbox analysis: http://www.threatexpert.com/submit.aspx http://www.norman.com/security_center/security_tools/en-uk
You can post a link to the result here.


maverikentertainment

  • Guest
Re: "Funny" Edition of WMA:WIMAD[drp] Story +question
« Reply #3 on: September 11, 2012, 06:22:32 PM »
I used the delete option contained in Avast, I do not know its extent. I've checked all media files, I don't exactly have much of a collection as I use my laptop primarily for work and the only media aside of designs are a few regional band mp3's from my promotion work. Easily replaced. Scanned and no issues.

OTL Log is attached.

If I hadn't been half asleep when it happened and in a hurry this morning I probably would've run a boot-scan to be on the safe side. I'll be doing a FS later just in case.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: "Funny" Edition of WMA:WIMAD[drp] Story +question
« Reply #4 on: September 11, 2012, 06:44:57 PM »
Hi, it does not appear to have hit the Windows system; these normally do not have an autorun element from a USB.

No sign on the system within either new files or run keys ;D

maverikentertainment

  • Guest
Re: "Funny" Edition of WMA:WIMAD[drp] Story +question
« Reply #5 on: September 11, 2012, 06:48:42 PM »
Great, thanks for looking it over. I didn't notice anything either but I'm no expert :p

I just never know with these newer ones, I've had to deal with self replicating and rootkits for other people and in my younger years. So annoying.

Thanks for the help and I hope it was a little amusing. I should recreate the video's look and post a warning on YouTube for the less educated.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: "Funny" Edition of WMA:WIMAD[drp] Story +question
« Reply #6 on: September 11, 2012, 06:57:00 PM »
Hi maverikentertainment,

You are welcome. Good that could be ascertained once and for all. Let it be a lesson to your eager clicking cousin to think first and click later.
Thanks again for the heads-up on this very dangerous threat. If it could have saved a couple of victims from getting infected and getting compromised with it, we should and could be grateful. Also welcome to the avast forums. Again thanks for your contribution, and stay safe and secure both offline and online,

polonus

maverikentertainment

  • Guest
Re: "Funny" Edition of WMA:WIMAD[drp] Story +question
« Reply #7 on: September 11, 2012, 07:56:07 PM »
Thanks again, and for once I actually followed through on an idea. So if you are interested here is my YouTube PSA on the matter :p

http://www.youtube.com/watch?v=6rUEnOMzNmg

When I was researching the virus I hadn't encountered any versions that had manifested like this, most were infected mp3's auto converting or asking for a codec with a system message/redirect. I assume the usual version when infecting video also uses a system message?

While it may seem an amateur and amusing method to me to use a CG for an original video equivalent, I'm sure there are a lot of users who don't know any better. Hope it helps someone too!

EDIT: Used wrong link, was in edit mode.
« Last Edit: September 11, 2012, 07:59:29 PM by maverikentertainment »