
Multimedia overwriter with Spy features

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted November 21, 18:32  GMT
Tags: Identity Theft, Malware Technologies, Keyloggers, Passwords, Privacy

Yesterday morning we received a malware sample from Cuba that, after infecting a victim's machine, looks for the following audio and video file extensions: .mp3, .mp4, .mpg, .avi, .mkv, .vob, .dat, .rmvb, .flv, .wav

Once the files are found, the malware overwrites them with a generic mp3 track that you may listen to here.

It's a locally refurbished version, probably in the same country mentioned above, targeting mainly Spanish-speaking users. It's written in Delphi and, according to the timestamp, it was compiled on September 10, 2013. There is a message intentionally left in the code:

Si no puedes escuchar, no puedes hablar, si no puedes hablar ni escuchar, entonces el mundo quedara en silencio.

Translation: World of Achieved Silence!
If you can't listen, you can't speak, if you can't speak nor listen then the world will remain in silence.

There is another, hidden functionality to this malware: it spies on victims' machines. It steals information from the clipboard, takes screenshots and logs all keystrokes from the victim's keyboard. Given this concealed function, the malware's initial act of overwriting the audio and video files is probably just a distraction from its true purpose.

The sample propagates via USB devices by enumerating the disks and making a copy of itself on them.

The sample was initially detected by KSN technology some time ago and now it's also detected via regular updates as Trojan.Win32.Malex.af.
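A triage check for the overwriting behaviour described above, added here as an example and not code from Kaspersky Lab or the original article: it walks a directory tree and reports identical content stored under several of the listed media extensions. The function names and the thresholds `min_files` and `min_exts` are assumptions chosen for illustration.

```python
import hashlib
import os
from collections import defaultdict

# Extensions the article lists as targeted by the sample.
TARGET_EXTS = {".mp3", ".mp4", ".mpg", ".avi", ".mkv", ".vob",
               ".dat", ".rmvb", ".flv", ".wav"}


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large videos are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_overwritten_media(root, min_files=3, min_exts=2):
    """Return {sha256: [paths]} for one payload stored under several media types.

    Assumed thresholds: ordinary duplicates tend to share an extension,
    while a single track written over .avi, .mkv and .mp3 files does not.
    """
    by_size = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TARGET_EXTS:
                path = os.path.join(dirpath, name)
                try:
                    by_size[os.path.getsize(path)].append(path)
                except OSError:
                    continue  # unreadable or vanished file
    suspicious = {}
    for size, paths in by_size.items():
        if size == 0 or len(paths) < min_files:
            continue  # hash only size collisions, not the whole library
        by_hash = defaultdict(list)
        for path in paths:
            try:
                by_hash[sha256_file(path)].append(path)
            except OSError:
                continue
        for digest, group in by_hash.items():
            exts = {os.path.splitext(p)[1].lower() for p in group}
            if len(group) >= min_files and len(exts) >= min_exts:
                suspicious[digest] = sorted(group)
    return suspicious
```

A non-empty result is a lead for restoring from backup and for checking the host for the spying component, not proof of infection on its own.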

You may follow me on twitter @dimitribest



2013 Nov 22, 23:14

ref : media overwriter

The sly dogs hey,
overwriting your media files while all the time
they are actually dropping spy crap and loggers on your computer,
however what I find most peculiar is the stupid sound file that it overwrites them with, other than to take your attention away from the real reason "SPYING", I have to ask WHY,
It just doesn't make any sense at all to do that, but hey I ain't no trained shrink, so only one of them could tell you WHY they would put such a daft sound there instead,
Does it belong to a game or sound bank, you know it's just baffled me that has.
Cheers anyway Dmitry Bestuzhev
Very Interesting and somewhat strange article
Thank You
