Daily cyber threats and internet security news: network security, online safety and latest security alerts
April 29th, 2008

ASF Files Are Used To Execute Malicious Scripts in Windows Media Player

A new attack uses ASF files opened in Windows Media Player to launch Internet Explorer which will then prompt you to download a malicious executable file.

The Microsoft ASF file format (and some other formats) allows creation of a script stream. The script stream can use certain, simple, script commands in Windows Media Player. The playing application that supports ASF is responsible for executing the script commands at the proper time.

The malicious ASF file that was analyzed opened Internet Explorer with the URL pointing to This web site had a further 302 redirect to (both links are still working, do not click), which is some adware and is detected by 20 out of 32 AV programs on VirusTotal.

While this attack is not sophisticated at all (and there is no real exploit here, just a “feature”), one thing that is worrying is the fact that this can be used to launch a browser on machines which are not patched, through Windows Media Player. And this also works with the latest Windows Media Player on Vista.

It is possible to disable this “feature” in Windows Media Player by modifying certain registry keys:

Open HKEY_CURRENT_USERSOFTWAREMicrosoftMediaPlayerPreferences

And change values to:

– PlayerScriptCommandsEnabled: 0 (disabled) – disabled as default

– WebScriptCommandsEnabled: 0 (disabled) – default is 1 (enabled)

– URLAndExitCommandsEnabled: 0 (disabled) – default is 1 (enabled)

More information is available at The keys might not exist and be very careful when changing anything in the registry.

Due to the recent attacks, the scripts are recommended to be disabled.

Share this item with others:

More on CyberInsecure:
  • Apple QuickTime Multiple Remote Vulnerabilities
  • Highly Critical Vulnerabilities In VLC Media Player
  • Microsoft Update Disables AutoRun On Older Windows
  • New Adobe Flash Vulnerability Exploited In Latest Mass SQL Injection Attack
  • Services Hit By Complex Attack, Server Breach Exposes Passwords

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: ASF Files Are Used To Execute Malicious Scripts in Windows Media Player

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.