This threat may be downloaded through file-sharing programs. Further Symantec security product alerts may occur if the user downloads more files infected with Trojan.Brisv.A!inf.
Once executed, the Trojan creates the following registry subkey:
It then modifies the following registry entries to alter Windows Media Player settings:
- HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\"URLAndExitCommandsEnabled" = "0"
- HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Extensions\.mp3\"Permissions" = "21"
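The two registry values above can be checked on a suspect machine. The following PowerShell is an added example, not part of the original write-up or any Symantec tool; the function name is hypothetical, and it assumes the listed data ("0" and "21") can be compared against the string form of whatever type is stored.

```powershell
# Registry values this write-up says the Trojan sets (paths and data copied from the page).
$indicators = @(
    @{ Path  = 'HKCU:\Software\Microsoft\MediaPlayer\Preferences'
       Name  = 'URLAndExitCommandsEnabled'
       Value = '0' },
    @{ Path  = 'HKCU:\Software\Microsoft\MediaPlayer\Player\Extensions\.mp3'
       Name  = 'Permissions'
       Value = '21' }
)

# Hypothetical helper: reports, for each indicator, whether the key and value
# exist and whether the stored data equals what the write-up lists.
function Test-BrisvRegistryIndicator {
    param([Parameter(Mandatory)][hashtable[]]$Indicators)

    foreach ($i in $Indicators) {
        $status = 'KeyMissing'
        $found  = $null

        if (Test-Path -LiteralPath $i.Path) {
            $item = Get-ItemProperty -LiteralPath $i.Path -Name $i.Name `
                        -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $status = 'ValueMissing'
            } else {
                $found = $item.($i.Name)
                # Assumption: the page does not state the value type, so the
                # stored data is compared in its string form.
                $status = if ("$found" -eq $i.Value) { 'Match' } else { 'Differs' }
            }
        }

        [pscustomobject]@{
            Path     = $i.Path
            Name     = $i.Name
            Expected = $i.Value
            Found    = $found
            Status   = $status
        }
    }
}

Test-BrisvRegistryIndicator -Indicators $indicators | Format-Table -AutoSize
```

HKCU is per-user, so run this in the session of the account being examined. A `Match` is a lead to follow up with a scan of the media library, not a confirmation of infection on its own.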
It then creates the following mutex so that only one instance of the Trojan is running on the compromised computer:
Next, the Trojan searches the compromised computer for media files with the following extensions, which it then infects:
The Trojan converts files with the following extensions to the WMA format:
When opened in Windows Media Player, the infected files cause the program to connect to a malicious URL, which may result in more malware being downloaded onto the compromised computer.
Media files infected by Trojan.Brisv.A are increased by 1,138 bytes in size and are detected as Trojan.Brisv.A!inf.
Symantec antivirus products will display the following alert when the Trojan is detected:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":