††† Yesterday morning we received a sample from Cuba
of a malware that looks for the following audio and video file
extensions after infecting a victimís machine: .mp3, .mp4, .mpg,
.avi, .mkv, .vob, .dat, .rmvb, .flv, .wav
Once the files are found, the malware overwrites them with a generic
mp3 track that you may listen to here
†† †Itís a locally refurbished version, probably in
the same country mentioned above, targeting mainly Spanish-speaking
users. Itís written in Delphi and according to the timestamp, it was
compiled on September 10, 2013. There is a message intentionally
left in the code:
!!!MUNDO DEL SILENCIO REALIZADO!!!
Si no puedes escuchar, no puedes hablar, si no puedes hablar
ni escuchar, entonces el mundo quedara en silencio.
Translation: World of Achieved Silence!
If you canít listen, you canít speak, if you canít speak nor
listen then the world will remain in silence.
†† †There is another hidden functionality to this
malware- it spies the victimsí machines. It steals information from
the clipboard, makes screenshots and registers all keystrokes from
the keyboard of the victim. Given this concealed function, the
malwareís initial act of overwriting the audio and video files is
probably just a distraction from its true purpose. †
The sample propagates via USB devices by enumerating the disks and
making a copy of itself on them.
The sample was initially detected by KSN technology some time ago and
now itís also detected via regular updates as Trojan.Win32.Malex.af
You may follow me on twitter @dimitribest