PandaLabs has detected a series of files being circulated across the Internet that supposedly contain music and videos, but also contain a poisonous gift: in order to get the videos and music, users must install adware. The excuse used is that a license is needed in order to play the files, which involves agreeing to install adware. The files received by PandaLabs up until now do not actually contain any type of video or music. However, this possibility has not been ruled out. These files are detected by Panda Software as WmaDownloader.B.
The problem starts when the user downloads an alleged video file (*.wmv) or audio file (*.wma). When the user tries to run these files in order to view them on the computer, a window is displayed that prompts the user to acquire a license. The message explains that in order to get the free license, the user must install IST Toolbar, a known adware program that is used as an entry-point for many other threats.
"Although users are warned that adware will be installed and are given the opportunity to read the license agreement, it is formulated in clearly abusive terms, and also exploits the fact that few users are aware of the impact that installing this spyware program can have on their computers, as this spyware allows many other threats to get into the system," explains Luis Corrons, director of PandaLabs.
What’s more, it is important not to forget that in the samples received by PandaLabs, the system is even more fraudulent, as there is not even a video or music in the files.
When this message is displayed, the user is also asked to install an ActiveX Control, which is the IST Toolbar mentioned in this window. If users do not agree to install it, they will not be affected, but neither will they be able to play the video or audio file. If users agree to install it, the IST Toolbar (detected by Panda Software as ISTBar) will be downloaded, infecting the system and allowing the file to be played, if it exists. A window notifying users that they must acquire a license will also appear.
"However, this might not always be the case," says Luis Corrons.
The warning about the installation of the ActiveX Control is not always displayed on computers with the security level configured as low, which could occur because the user has configured it in this way or because one of the many other malware specimens with this function has already affected the computer. For this reason it is extremely important to check the browser settings in order to neutralize installation of ActiveX Controls of dubious origin.
This process is only valid on computers with Windows Media Player 9 or a later version installed.
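The browser-settings check recommended above can be run against a text export of the Internet Explorer `Internet Settings\Zones` registry key. The following Python example is added here and is not part of the PandaLabs advisory; it assumes the zone URL actions 1001 and 1004 (download signed / unsigned ActiveX controls), where a value of 0 means the control is downloaded without a prompt, and it uses a constructed sample export already decoded to text.

```python
import re

# Internet Explorer URL actions that govern ActiveX *installation*.
INSTALL_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
}
ZONES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
         "3": "Internet", "4": "Restricted sites"}
ENABLE = 0  # 0 = enable (no prompt), 1 = prompt, 3 = disable

KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d+)\]$", re.I)
VAL_RE = re.compile(r'^"([0-9A-F]{4})"=dword:([0-9a-f]{8})$', re.I)

def audit_zones(reg_text, zones=("3",)):
    """Return (zone name, action name) pairs where ActiveX installs silently."""
    findings, zone = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            zone = m.group(1) if m else None  # ignore unrelated keys
            continue
        m = VAL_RE.match(line)
        if not m or zone not in zones:
            continue
        action, value = m.group(1), int(m.group(2), 16)
        if action in INSTALL_ACTIONS and value == ENABLE:
            findings.append((ZONES.get(zone, zone), INSTALL_ACTIONS[action]))
    return findings

# Constructed sample: Internet zone (3) weakened, Restricted zone (4) locked down.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1001"=dword:00000003
"1004"=dword:00000003
'''

if __name__ == "__main__":
    for zone_name, action_name in audit_zones(SAMPLE):
        print(f"[!] {zone_name} zone: '{action_name}' is enabled without a prompt")
```

Files written by `reg export` are normally UTF-16, so decode them before passing the text to `audit_zones`.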