“Just when you thought it was safe to go back in the water…”
Over the past week, Symantec has been observing an increasing number of computers affected by Trojan.Brisv.A. This particular Trojan infects .asf, .mp2, .mp3, .wma, and .wmv movie and music files with malicious code that causes Microsoft Windows Media Player to access a malicious URL when the files are played, which results in more malware being downloaded onto the compromised computer.
In a further twist to the Trojan’s payload, all .mp2 and .mp3 files found on the computer are converted to the Windows Media Audio (WMA) format. This creates problems for security researchers writing software to remove the infected code from the files and restore them to their previous states. It is difficult to ascertain which files contain legitimate Digital Rights Management code and which ones have been modified by the Trojan, which makes the cleanup that much more challenging.
With people increasingly choosing to keep their music collections on their computers—often not backed up due to the size of the libraries—the impact of this threat is significant. The authors of this threat disregard the problems that modifying users’ media files may cause, focusing only on their primary goal: to install more malware onto the computer.
The impact of the Trojan has been further magnified by the appearance of infected movie and music files on file-sharing networks. In many cases, users will be unaware that their media files have been infected and may continue to share them—legally or illegally—causing further dissemination of the threat.
Symantec security products block this threat, which is detected as Trojan.Brisv.A. Infected media files are detected as Trojan.Brisv.A!inf. Users are urged to ensure that their virus definitions are kept up to date to protect against possible future variants of this threat.
Symantec has produced a tool to remove the Trojan and clean the infected media files, which is available here. Users should be aware that although the tool is able to remove the Trojan and repair infected media files, it won’t prevent re-infection.
Thanks to my Security Response colleague Irfan Asrar for his help researching this entry.