
HTTP Mediasups Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.


This signature detects W32.Mediasups activity.

Additional Information

When W32.Mediasups is executed, it performs the following actions:

1. Creates the following files:

* %UserProfile%\Local Settings\Temp\wowexec.tmp - detected as Trojan Horse
* %UserProfile%\Local Settings\Temp\MediaSups.exe
* %UserProfile%\Local Settings\Temp\[RANDOM 8 CHARACTER].sys

Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

2. Adds the value:

"NextInstance" = "1"

to the registry subkey:

3. Adds the values:

"Class" = "LegacyDriver"
"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"ConfigFlags" = "0"
"DeviceDesc" = "MicroSoft Media Services"
"Legacy" = "1"
"Service" = "MediaDrver"
"*NewlyCreated*" = "0"
"ActiveService" = "MediaDrver"

to the registry subkey:

4. Adds the values:

"DisplayName" = "MicroSoft Media Services"
"ErrorControl" = "1"
"ImagePath" = "\??\C:\DOCUME~1\[USERNAME]\LOCALS~1\Temp\[RANDOM 8 CHARACTER].sys"
"Start" = "3"
"Type" = "1"
"0" = "Root\\LEGACY_MEDIADRVER\\0000"
"Count" = "1"
"NextInstance" = "1"
"Security" = "[HEX DATA]"

to the registry subkey:


5. Attempts to spread by infecting executable files on the compromised computer and network drives.

Note: If an infected file is executed, it may overwrite other executable files with itself, rendering the overwritten files unrepairable.

6. Creates a service with the following characteristics to run the %UserProfile%\Local Settings\Temp\[RANDOM 8 CHARACTER].sys file:

Service Name: MediaDrver
Display Name: MicroSoft Media Services

7. Attempts to contact the following URLs:

* [http://]www.ac86.cn/88/inde[REMOVED]
* [http://]update.ppandora.com/2/updat[REMOVED]
* [http://]www.ac86.cn/88/down/dow[REMOVED]

8. Attempts to run the file wowexec.tmp. This file crashes on execution, which triggers Microsoft's Dr. Watson error-reporting program.

9. May open up a connection to a remote server and download additional files.

10. May also spread through network shares.
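As an added example (not part of the Symantec write-up), the following Python turns the indicators above into detection logic: a proxy-log scan for the three contacted URLs (the paths are truncated in the write-up, so the match is on host plus the known path prefix) and a check of a Windows service record against the MediaDrver / Temp-directory ImagePath profile from steps 4 and 6. The log lines, service records and full URL paths in them are constructed for illustration; the Squid access-log layout and the meaning of Type=1 (kernel driver) and Start=3 (demand start) are standard facts, not taken from this page.

```python
"""Detection helpers for the W32.Mediasups indicators listed above.

Added example, not Symantec's signature code. All sample data is constructed.
"""
import re
from urllib.parse import urlsplit

# Contacted URLs from the write-up. The paths are truncated ([REMOVED]) in the
# source, so only a prefix is known and matching is host + path prefix.
URL_INDICATORS = [
    ("www.ac86.cn", "/88/inde"),
    ("update.ppandora.com", "/2/updat"),
    ("www.ac86.cn", "/88/down/dow"),
]

# ImagePath profile from step 4: a .sys driver with an 8-character random name
# under a Temp directory, optionally in the NT object form "\??\C:\...".
# 8.3 short names (DOCUME~1, LOCALS~1) are covered by the ".*" segment.
IMAGEPATH_RE = re.compile(
    r"^(\\\?\?\\)?[A-Za-z]:\\.*\\Temp\\[A-Za-z0-9]{8}\.sys$", re.IGNORECASE
)

# Squid native access log: timestamp elapsed client code/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Constructed sample traffic (hypothetical full paths; the write-up gives prefixes only).
SAMPLE_LOG = [
    "1210000001.123    210 10.0.0.15 TCP_MISS/200 1342 GET http://www.ac86.cn/88/index.htm - DIRECT/203.0.113.10 text/html",
    "1210000002.456     95 10.0.0.15 TCP_MISS/200 4096 GET http://update.ppandora.com/2/update.txt - DIRECT/203.0.113.11 text/plain",
    "1210000003.789   1800 10.0.0.15 TCP_MISS/200 98304 GET http://www.ac86.cn/88/down/download.exe - DIRECT/203.0.113.10 application/octet-stream",
    "1210000004.000    120 10.0.0.22 TCP_HIT/200 512 GET http://www.example.com/88/index.htm - NONE/- text/html",
    "this line is not an access-log record",
]


def match_url(url):
    """Return the (host, path_prefix) indicator that `url` matches, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname is case-insensitive
    for ind_host, ind_prefix in URL_INDICATORS:
        if host == ind_host and parts.path.startswith(ind_prefix):
            return (ind_host, ind_prefix)
    return None


def scan_proxy_log(lines):
    """Return [(client, url, indicator)] for every line that hits a Mediasups URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed record: skip it rather than abort the scan
        ind = match_url(m.group("url"))
        if ind:
            hits.append((m.group("client"), m.group("url"), ind))
    return hits


def suspicious_driver_service(name, display_name, image_path, service_type):
    """Score one service record against the profile in steps 4 and 6.

    Returns the list of matched indicators; an empty list means nothing matched.
    service_type is the registry "Type" value (1 == SERVICE_KERNEL_DRIVER).
    """
    reasons = []
    if name.lower() == "mediadrver":
        reasons.append("service name MediaDrver")
    if display_name == "MicroSoft Media Services":
        reasons.append("display name 'MicroSoft Media Services'")
    if service_type == 1 and IMAGEPATH_RE.match(image_path):
        reasons.append("kernel driver (Type=1) loaded from a Temp directory")
    return reasons


if __name__ == "__main__":
    for client, url, ind in scan_proxy_log(SAMPLE_LOG):
        print(f"ALERT client={client} url={url} indicator={ind}")
    # Constructed service record shaped like the write-up's registry values.
    print(suspicious_driver_service(
        "MediaDrver", "MicroSoft Media Services",
        r"\??\C:\DOCUME~1\alice\LOCALS~1\Temp\ab12cd34.sys", 1))
```

A driver whose ImagePath points into any user or system Temp directory is worth an alert on its own, independent of the MediaDrver name; the name and display-name checks only raise confidence that it is this particular family.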