Wednesday, February 4, 2009

Trojan GetCodec/Brisv Comes Back Again

The few-months-old trojan Brisv, which infects multimedia files, has struck again for no apparent reason, as reported by our customers.

The trojan enumerates local and mapped network drives, looking for files with the extensions ASF, WMV, WMA, MP2 and MP3. It then infects each file it finds by injecting a malicious script that instructs the media player to pop up the default browser window and navigate to the malicious web site isvbr.net, which in turn redirects to a different URL, www.play-error.com:



When the media player plays back an infected file (on a test system, after about 10 seconds of playback), the browser window pops up and the player stops playing the file, as shown below:



The web site the user is redirected to can vary and may host any kind of malware. At the time of writing, isvbr.net redirects to www.play-error.com:



The traffic generated during the playback of the infected multimedia file is shown below:



To see the list of system changes, please check the ThreatExpert report here.

Should you need to quickly scan your system and/or disinfect the infected multimedia files, please run the fixtool from this location.
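
For triage on file shares, the following added example (not part of the original post and not the fixtool) flags media files with the extensions listed above that contain either domain named in this post. The function names are hypothetical and the sample files in `demo()` are constructed placeholders; both ASCII and UTF-16LE are checked because ASF stores its strings as 16-bit characters.

```python
import tempfile
from pathlib import Path

MEDIA_EXTS = {".asf", ".wmv", ".wma", ".mp2", ".mp3"}  # extensions from the post
DOMAINS = ("isvbr.net", "play-error.com")              # domains from the post

def build_patterns(domains=DOMAINS):
    """Byte pattern -> domain, as ASCII and as UTF-16LE (how ASF stores strings)."""
    return {d.encode(enc): d for d in domains for enc in ("ascii", "utf-16-le")}

def scan_file(path, patterns, chunk_size=1 << 20):
    """Return the sorted list of domains found in one file."""
    overlap = max(len(p) for p in patterns) - 1
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            # Keep the previous tail so a match split across two reads is seen.
            window = (tail + chunk).lower()  # lower(): case-insensitive match
            found.update(d for p, d in patterns.items() if p in window)
            tail = window[-overlap:]
    return sorted(found)

def scan_tree(root, chunk_size=1 << 20):
    """Walk root and return {path: [domains]} for media files with a hit."""
    patterns, hits = build_patterns(), {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in MEDIA_EXTS:
            try:
                domains = scan_file(path, patterns, chunk_size)
            except OSError:
                continue  # unreadable or locked file: skip it
            if domains:
                hits[str(path)] = domains
    return hits

def demo(chunk_size=8):
    """Scan constructed sample files (not real infected media)."""
    samples = {
        "clean.mp3": b"\x00" * 64,
        "wide.WMV": b"\x01" * 13 + "ISVBR.net".encode("utf-16-le") + b"\x02" * 9,
        "ascii.wma": b"\x03" * 5 + b"www.play-error.com" + b"\x04" * 5,
        "notes.txt": b"isvbr.net",  # not a media extension: ignored
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return {Path(p).name: d for p, d in scan_tree(root, chunk_size).items()}
```

Because the redirect site can vary, a file with no hit is not proven clean; a hit only marks the file for closer inspection or for the fixtool.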