Brisv, a trojan a few months old that infects multimedia files, has struck again for no apparent reason, as reported by our customers.
The trojan enumerates local and mapped network drives looking for files with the extensions ASF, WMV, WMA, MP2 and MP3. It then infects the located files by injecting a malicious script that instructs the media player to pop up the default browser window and navigate it to the malicious web site isvbr.net, which in turn redirects to a different URL: www.play-error.com.

When the media player plays back an infected file (on a test system, after about 10 seconds of playback), the browser window pops up and the player stops playing the file, as shown below:

The web site the user is redirected to can vary and may host any kind of malware. At the time of writing, isvbr.net redirects to www.play-error.com:

The traffic generated during the playback of the infected multimedia file is shown below:

To see the list of system changes, please check the ThreatExpert report here.
Should you need to quickly scan your system and/or disinfect the infected multimedia files, please run the fixtool from this location.
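As an added example (not part of the original post and not the fixtool mentioned above), the Python sketch below sweeps a directory tree for media files with the targeted extensions that contain either domain named in this post. The function names are hypothetical, the sample files are constructed, and it assumes the injected URL is stored as plain ASCII or UTF-16LE text.

```python
import os
import tempfile

DOMAINS = ("isvbr.net", "play-error.com")  # indicators named in the post
MEDIA_EXTS = {".asf", ".wmv", ".wma", ".mp2", ".mp3"}  # extensions the trojan targets
# Assumption: the injected URL is plain text, ASCII or UTF-16LE (ASF strings).
PATTERNS = {d.encode(enc): d for d in DOMAINS for enc in ("ascii", "utf-16-le")}
OVERLAP = max(len(p) for p in PATTERNS) - 1

def scan_file(path, chunk_size=1 << 20):
    """Return the sorted list of indicator domains found in one file."""
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            window = (tail + chunk).lower()
            found.update(dom for pat, dom in PATTERNS.items() if pat in window)
            tail = window[-OVERLAP:]  # keep overlap so boundary matches survive
    return sorted(found)

def scan_tree(root):
    """Walk root and return {path: [domains]} for media files with a hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in MEDIA_EXTS:
                try:
                    domains = scan_file(path)
                except OSError:
                    continue  # unreadable file: skip it, keep sweeping
                if domains:
                    hits[path] = domains
    return hits

def build_samples(root):
    samples = {  # constructed test data, not real malware samples
        "clean.mp3": b"ID3" + b"\x00" * 64,
        "tagged.WMA": b"\x00" * 32 + "http://isvbr.net/".encode("utf-16-le"),
        "ascii.mp3": b"\xff\xfb" + b"A" * 40 + b"http://www.play-error.com/x",
        "notes.txt": b"isvbr.net mentioned in a text file",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        print(scan_tree(tmp))
```

A hit is a lead for triage rather than a verdict, and a file whose injected URL is encoded differently or points to another domain will not be flagged.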
Posted on 09 February 2011. Tags: again, Back, comes, GetCodec/Brisv, Trojan