W32/Realor.worm – Infecting Movies for Fun and Profit

After Exploit-WMF and umpteen image file format exploits that followed, general computer users should understand that something not baring the file extension *.EXE
does not imply they are safe to view. Malware crafted out of document and media file formats are nothing new; nor are they a threat unique to Windows users. Before Word document 0-day’s made it into mainstream news headlines, there were text file exploits. More recently, there was Exploit-WinAmpPLS playing a spyware note; and a Microsoft security advistory for five critical Flash Player vulnerabilities today; as the music plays on.

Today, McAfee Avert Labs discovered W32/Realor.worm in the wild that was actively modifying all Real Media (*.rmvb) files in its path. These “infected” media files launch a malicious webpage without prompting, as they are being viewed by the user in Real media player. These files can be music or videos hosted on a network drive containing corporate presentations, a personal media server, or a P2P shared folder et cetera. When was the last time you hesitated in opening a movie file ?

As much as the new world of broadband multimedia presents new channels for entertainment and business opportunities, it is an attractive breeding ground for malware like any other popular application. Whether through a worm, using tools or hand-crafted, they are a penetration vector hard to resist for profiteering malware authors. McAfee Avert Labs recognises a rising trend in the manipulation of media files to embed or install malware. Heuristics and generic detection such as New Downloader.b
and Generic Downloader.bl are only some of the proactive measures to block such attempts. Internet users are advised to be precautious with sharing media files on a publicly writable folder or viewing media files from unknown sources — like you would with unsolicited e-mails and *.EXE files.