Distributing malware through audio files

Once again we bring you more information about the different social engineering techniques criminals use to spread malware over the network. In this case we look at a very particular technique that has been in use for some time: distributing malware through audio files.

These music files are specially modified so that, once opened in a media player, the player reports that a codec or license is missing and is required for playback.

In this case, a sample of a music file with the following data was reported to the ESET Latin America Laboratory:

  • Filename: “(complete) – 5ive everybody get up.wma”
  • MD5 hash: “d324f30b46ca8044d51630519ad30990”
  • Size: 5.76 MB

Once the file is opened to play the song in Windows Media Player, the player automatically connects to a web page offering to purchase the alleged license.

After the alleged license purchase screen loads, a message appears telling the victim that a special player must be downloaded in order to play the file. That download is detected by NOD32 Antivirus as a variant of Win32/Adware.Mirar.H.

  • Filename: “access.exe”
  • MD5 hash: “5166c32265559b30f3bbd90ceba9df1f”
  • Size: 628 KB

Once the victim executes it, the malware makes the following changes to the Windows registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • Bar = C:\Documents and Settings\Administrador\Mis Documentos\Descargas\access.exe
  • GabPath = C:\Documents and Settings\Administrador\Datos de programa\gabpath\gabpath.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

  • Tango REV 21 = C:\windows\system32\21378.dll
  • ResultTool Service Update and Control for ResultTool = C:\Documents and Settings\All Users\Datos de programa\resulttool\resulttool116.exe

HKLM\System\CurrentControlSet\Services

  • ResultTool Service Update and Control for ResultTool = C:\Documents and Settings\All Users\Datos de programa\resulttool\resulttool116.exe

As we can see, once the system is infected a service running “resulttool116.exe” is created, and a toolbar is also added to the Internet Explorer browser.
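The three registry locations above (the Run key, Browser Helper Objects and Services) are the usual places to check when a machine shows this kind of behaviour. The following PowerShell audit is an added example, not part of the ESET write-up: it enumerates those locations and flags any autostart entry whose image lives outside the Windows or Program Files directories, which is exactly how the sample's entries under Documents and Settings stand out. It assumes a default Windows install and an elevated session; the directory list and the helper name are the author's choices here.

```powershell
# Added example: audit Run, BHO and Service persistence locations for entries
# whose executable sits in a user-writable directory (e.g. Descargas, Datos de programa).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Roots that normally hold legitimate autostart binaries (assumption: default install).
# '\SystemRoot' covers service image paths written in that NT-style form.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, '\SystemRoot')

function Test-SuspiciousPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Strip surrounding quotes and any arguments to obtain the bare image path.
    $exe = if ($Path.StartsWith('"')) { $Path.Split('"')[1] } else { ($Path -split '\s+')[0] }
    foreach ($root in $trustedRoots) {
        if ($root -and $exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $false
        }
    }
    return $true   # anything outside the trusted roots deserves a closer look
}

$findings = @()

# 1. Run key: every value is a command line executed at user logon.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in ($run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        if (Test-SuspiciousPath $p.Value) {
            $findings += [pscustomobject]@{ Location = 'Run'; Name = $p.Name; Path = $p.Value }
        }
    }
}

# 2. Browser Helper Objects: each subkey is a CLSID; resolve it to its DLL via HKCR.
Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $dll = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    if (Test-SuspiciousPath $dll) {
        $findings += [pscustomobject]@{ Location = 'BHO'; Name = $clsid; Path = $dll }
    }
}

# 3. Services: PathName is the image registered under CurrentControlSet\Services.
Get-CimInstance Win32_Service | ForEach-Object {
    if (Test-SuspiciousPath $_.PathName) {
        $findings += [pscustomobject]@{ Location = 'Service'; Name = $_.Name; Path = $_.PathName }
    }
}

$findings | Format-Table -AutoSize
```

Legitimate third-party software installed under a user profile will also be listed, so treat the output as a review list rather than a verdict.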

Importantly, when opening a file of any format, you should not rely on its extension as a security guarantee. This precaution, together with an antivirus solution with proactive detection capabilities, will help keep equipment safe by warning the user of the risks.