Rigged RealMedia Files Install Trojans
It is well known that media files such as videos or songs can be used to sneak malware onto PCs, and virus authors keep finding new ways to do it. McAfee has now found a worm that enters computers through manipulated RealMedia files, embeds itself in the system and infects other Real videos. The anti-virus vendor has named it W32/Realor.worm.
"W32/Realor.worm scans the affected computer for existing RealMedia (.rmvb) files and inserts a malicious external link. When such [.rmvb] files are opened, the user's media player can embed an external Internet page carrying the worm and load it through the pre-configured browser (e.g. Internet Explorer)," McAfee's description reads.
Whenever a user plays a RealMedia file (.rmvb) that has been crafted this way, the file causes a web site to be opened in the default browser. That site in turn tries to exploit a security flaw in the Microsoft Data Access Components (MDAC), which Microsoft has already patched in Security Bulletin MS06-014.
The worm installed in this process then looks for further RealMedia files and tries to plant the link to the site into those files as well. It does so by installing the standard command-line tools from Real's Helix Producer and using them to modify the .rmvb files on the machine.
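The infection chain above turns on one observable property: an .rmvb file that carries a link which the player hands to the browser. As an added example (not McAfee's or SPAMfighter's code), the Python scanner below walks the chunk structure of a RealMedia container and reports any URL it finds together with the chunk id and file offset, so such files can be triaged before anyone opens them. It walks every chunk rather than assuming where the link lives, because the article does not say which part of the file carries it. The chunk layout (4-byte id, 4-byte big-endian length that includes the header, 2-byte version) and the CONT field layout are taken from the published RealMedia file format and are an assumption of this example; the sample files are constructed inside the block and the host name malicious.example is made up.

```python
import re
import struct
import sys

# RealMedia containers (.rm/.rmvb) are a flat sequence of chunks, each with a
# 4-byte object id (".RMF", "PROP", "MDPR", "CONT", "DATA", "INDX"), a 4-byte
# big-endian length covering the whole chunk including this header, and a
# 2-byte big-endian object version. Layout assumed from the published
# RealMedia file format; the article itself does not describe it.
CHUNK_HEADER = struct.Struct(">4sIH")

# Any URL-looking string inside a media file deserves a look: the Realor chain
# starts with a link that the player passes to the default browser.
URL_RE = re.compile(rb"(?:https?|ftp|file)://[\x21-\x7e]+", re.IGNORECASE)


def iter_chunks(data):
    """Yield (offset, object_id, payload) for each top-level chunk in data."""
    pos = 0
    while pos + CHUNK_HEADER.size <= len(data):
        object_id, size, _version = CHUNK_HEADER.unpack_from(data, pos)
        if size < CHUNK_HEADER.size:
            # A length smaller than its own header would never advance; stop.
            raise ValueError(f"bad chunk length {size} at offset {pos}")
        payload = data[pos + CHUNK_HEADER.size:pos + size]
        yield pos, object_id, payload
        if pos + size > len(data):
            break  # truncated final chunk: we scanned what was there
        pos += size


def scan_realmedia(data):
    """Return a list of (object_id, chunk_offset, url) for every URL found."""
    if not data.startswith(b".RMF"):
        raise ValueError("not a RealMedia container (missing .RMF header)")
    findings = []
    for offset, object_id, payload in iter_chunks(data):
        for match in URL_RE.finditer(payload):
            findings.append((object_id.decode("ascii", "replace"), offset,
                             match.group().decode("ascii", "replace")))
    return findings


def scan_file(path):
    with open(path, "rb") as fh:
        return scan_realmedia(fh.read())


# --- constructed samples for offline use (not real worm samples) ------------

def build_chunk(object_id, payload, version=0):
    return CHUNK_HEADER.pack(object_id, CHUNK_HEADER.size + len(payload), version) + payload


def cont_chunk(title=b"", author=b"", copyright_=b"", comment=b""):
    # CONT (content description): four 16-bit-length-prefixed strings.
    body = b"".join(struct.pack(">H", len(s)) + s
                    for s in (title, author, copyright_, comment))
    return build_chunk(b"CONT", body)


RMF_HEADER = build_chunk(b".RMF", struct.pack(">II", 0, 2))  # file_version, num_headers
DATA_CHUNK = build_chunk(b"DATA", struct.pack(">II", 0, 0))  # num_packets, next_data_header

CLEAN_SAMPLE = RMF_HEADER + cont_chunk(title=b"holiday clip") + DATA_CHUNK
SUSPICIOUS_SAMPLE = (RMF_HEADER
                     + cont_chunk(title=b"holiday clip",
                                  comment=b"http://malicious.example/x.htm")
                     + DATA_CHUNK)


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            for object_id, offset, url in scan_file(path):
                print(f"{path}: {object_id} chunk at offset {offset} contains {url}")
    else:
        print("clean sample:", scan_realmedia(CLEAN_SAMPLE))
        print("suspicious sample:", scan_realmedia(SUSPICIOUS_SAMPLE))
```

Run it with one or more .rmvb paths to scan real files, or with no arguments to see the two constructed samples. A hit is a reason to quarantine the file, not proof of infection: legitimate clips sometimes carry a vendor URL in the CONT chunk, so the chunk id and offset are reported to let an analyst judge where the string sits.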
"This site was hosting a variant of Exploit-MS06-014, which can install W32/Lewor.a on computers exposed to this exploit. Although this website may appear to display only a harmless error message, it surreptitiously installs the worm and a hidden IFRAME element," McAfee stated.
"W32/Lewor.a is a parasitic file infector that can spread via USB memory devices, network drives, shared folders and the QQ instant messenger. It has a downloader component that installs further malware on the affected computer."
McAfee has rated Realor's threat potential as low. Users should nevertheless treat multimedia files with the same caution as executable files. Pornographic material from file-sharing networks or web sites is becoming a favoured vehicle for virus authors, because users seem to lose all reserve about installing unknown programs when such subjects are involved.
Related article: Rigid Security Measures Induce Spammers to Outsource their Work
» SPAMfighter News - 18-11-2006