Lame Malware Attempts To Stop Global Music Piracy
A new piece of malware attempts to stop global music piracy, which incidentally seems to be on the rise lately because of the economic downturn.
It looks to have been written by some Indonesian script kiddies who seem to think that by infecting people’s computers they can stop piracy.
The malware attempts to use the Indonesian band Samsons and their song Naluri Lelaki to entice users to click on the file. The file itself comes with a Winamp icon on it, so it looks like a regular mp3 file to the user. When the file is clicked, it modifies some registry entries related to WinLogon, so the victim’s computer displays the following message box before the user can log on: “Stop pembajakan Musisi Dalam Negeri, Jangan Gunakan MP3 lagi (sok sok an) huahahahahaha!!!”. It can be loosely translated to: “Stop piracy Musician Affairs, Do not Use MP3 again (quasi quasi-an) huahahahahaha!”
The Trojan will copy itself onto any mp3s found on the victim’s computer (with the same name as the mp3 file and an appended “.exe” at the end), thus destroying all mp3 files on the system.
The Trojan will also shut down Winamp as well as copy itself to the Windows folder on the victim’s computer. The following registry entry is created to run winamp.dll.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ServiceOptionMP3
<Windows>\winamp.dll.exe
The following registry entry is set, disabling the registry editor (regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegedit
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
LegalNoticeCaption
STOP PIRACY!!!!

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
LegalNoticeText
Stop pembajakan Musisi Dalam Negeri, Jangan Gunakan MP3 lagi (sok sok an) huahahahahaha!!!
Credit: Prashant Kumar, SophosLabs
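A triage check for the registry values listed above, added here as an example; it is not part of the original article or of the SophosLabs analysis. It parses the text of a `reg export` file and reports which of the listed values are present. The function names, the sample export and the C:\WINDOWS path are assumptions made for illustration.

```python
import re

RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
WLG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# (key, value name, expected data) from the article; numbers match exactly, strings as substrings.
INDICATORS = [
    (RUN, "ServiceOptionMP3", "winamp.dll.exe"),
    (POL + r"\System", "DisableRegistryTools", "1"),
    (POL + r"\System", "DisableRegedit", "1"),
    (POL + r"\Explorer", "NoFolderOptions", "1"),
    (WLG, "LegalNoticeCaption", "STOP PIRACY"),
    (WLG, "LegalNoticeText", "Stop pembajakan"),
]

def parse_reg(text):
    """Parse `reg export` text into {(key, value name): data}, names lower-cased."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not (m and key):
            continue  # section header, blank line or hex continuation
        name, data = m.group(1).lower(), m.group(2)  # other types kept verbatim
        if data.startswith("dword:"):
            data = str(int(data[6:], 16))
        elif data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        values[(key, name)] = data
    return values

def find_indicators(text):
    """Return (value name, data) for each of the article's indicators found."""
    values, hits = parse_reg(text), []
    for key, name, want in INDICATORS:
        data = values.get((key.lower(), name.lower()))
        if data is not None and (data == want if want.isdigit() else want.lower() in data.lower()):
            hits.append((name, data))
    return hits

# Constructed sample export (not from the article); the C:\WINDOWS path is assumed.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ServiceOptionMP3"="C:\\WINDOWS\\winamp.dll.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableRegedit"=dword:00000000
'''
```

Because the Trojan disables regedit, an export taken with `reg export` from the command line or from an offline copy of the hive is the practical input; decode the file from UTF-16 before passing its text to `find_indicators`.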