CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
April 29th, 2008

ASF Files Are Used To Execute Malicious Scripts in Windows Media Player

A new attack uses ASF files opened in Windows Media Player to launch Internet Explorer, which then prompts the user to download a malicious executable file.

The Microsoft ASF file format (and some other formats) allows the creation of a script stream. The script stream can use certain simple script commands in Windows Media Player. The playing application that supports ASF is responsible for executing the script commands at the proper time.

The malicious ASF file that was analyzed opened Internet Explorer with a URL pointing to www.fastmp3player.com/affiliates/772465/1/?embedded=false. This web site then issued a 302 redirect to www.fastmp3player.com/affiliates/772465/1/PLAY_MP3.exe (both links are still working, do not click). The executable is adware and is detected by 20 out of 32 AV programs on VirusTotal.

While this attack is not sophisticated at all (and there is no real exploit here, just a “feature”), one thing that is worrying is the fact that this can be used to launch a browser on machines which are not patched, through Windows Media Player. And this also works with the latest Windows Media Player on Vista.

It is possible to disable this “feature” in Windows Media Player by modifying certain registry keys:

Open HKEY_CURRENT_USER\SOFTWARE\Microsoft\MediaPlayer\Preferences

And change values to:

– PlayerScriptCommandsEnabled: 0 (disabled) – disabled by default

– WebScriptCommandsEnabled: 0 (disabled) – default is 1 (enabled)

– URLAndExitCommandsEnabled: 0 (disabled) – default is 1 (enabled)

More information is available at http://support.microsoft.com/kb/320944. The keys might not exist. Be very careful when changing anything in the registry.
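The registry change above can be audited and applied per user with a short PowerShell script. This is an added example, not code from the original article or from Microsoft; the `-Apply` switch name is hypothetical, and the script assumes the three values are stored as REG_DWORD.

```powershell
# Added example (not from the article or Microsoft): audit and optionally
# disable the Windows Media Player script-command settings for the current user.
param(
    [switch]$Apply   # hypothetical switch: without it the script only reports
)

$key = 'HKCU:\SOFTWARE\Microsoft\MediaPlayer\Preferences'

# Default for each value as stated in the article, used when the value is absent.
$defaults = [ordered]@{
    PlayerScriptCommandsEnabled = 0
    WebScriptCommandsEnabled    = 1
    URLAndExitCommandsEnabled   = 1
}

# The article notes the keys might not exist; create the key only when applying.
if (-not (Test-Path -Path $key)) {
    Write-Warning "Key not found: $key"
    if ($Apply) { New-Item -Path $key -Force | Out-Null }
}

foreach ($name in $defaults.Keys) {
    $item   = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $stored = if ($null -ne $item) { $item.$name } else { $null }
    $before = if ($null -ne $stored) { $stored } else { $defaults[$name] }

    if ($Apply -and $stored -ne 0) {
        # Assumption: the values are REG_DWORD. -Force creates or overwrites.
        New-ItemProperty -Path $key -Name $name -Value 0 `
            -PropertyType DWord -Force | Out-Null
        $stored = 0
    }

    # Effective setting after this run: stored value, else the article's default.
    $after = if ($null -ne $stored) { $stored } else { $defaults[$name] }
    [pscustomobject]@{
        Value      = $name
        Stored     = if ($null -eq $stored) { '(absent)' } else { $stored }
        Before     = $before
        After      = $after
        ScriptsOff = ($after -eq 0)
    }
}
```

Run without `-Apply` it only reports; any row with `ScriptsOff` set to `False` is a profile where Windows Media Player would still act on script commands.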

Due to the recent attacks, disabling the script commands is recommended.
