Much in the same vein of worms that were released to “patch” systems, there is now a trojan that attacks malware. We saw this type of behaviour back in February 2004 with the Welchia worm that searched out systems and patched them with the Microsoft patch for the DCOM RPC vulnerability which was leveraged by the Blaster worm. Example:
W32.Welchia.Worm does the following:
* Attempts to download the DCOM RPC patch from Microsoft’s Windows Update Web site, install it, and then restart the computer
* Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic
* Attempts to remove W32.Blaster.Worm
This new trojan, according to the Techworld article, attempts to protect systems from malware delivered primarily from P2P networks. The new trojan, dubbed Erazer-A by the folks at Sophos, checks default directory structures for “downloading MP3, AVI, MPEG, WMV, Gif, Zip graphic and video files, and wipes anything it finds with these extensions in the target locations.” The thought held by Sophos is that the trojan is attempting to protect the system. I have a much different view of this application. Let’s examine the extensions that it is searching for and deleting.
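The behaviour Sophos describes, a single process wiping media files by extension out of default P2P download folders, is something a defender can look for in file-activity audit logs. The following is an added example, not code from the post or from Sophos; the audit-line format, the process IDs and the Kazaa/LimeWire folder paths are constructed for illustration.

```python
import os
import re
from collections import defaultdict

# Extensions the post says Erazer-A searches for and deletes.
TARGET_EXTENSIONS = {".mp3", ".avi", ".mpeg", ".wmv", ".gif", ".zip"}

# Assumed default P2P download folders (illustrative, lower-cased for matching).
WATCHED_DIRS = (
    r"c:\program files\kazaa\my shared folder",
    r"c:\program files\limewire\shared",
)

# Constructed sample of file-activity audit lines: "<timestamp> <pid> <op> <path>".
SAMPLE_LOG = r"""2004-06-01T10:00:01 412 DELETE C:\Program Files\Kazaa\My Shared Folder\track01.mp3
2004-06-01T10:00:01 412 DELETE C:\Program Files\Kazaa\My Shared Folder\trailer.avi
2004-06-01T10:00:02 412 DELETE C:\Program Files\Kazaa\My Shared Folder\photo.gif
2004-06-01T10:00:02 412 DELETE C:\Program Files\LimeWire\Shared\archive.zip
2004-06-01T10:00:03 412 DELETE C:\Documents and Settings\user\notes.txt
2004-06-01T10:00:05 900 DELETE C:\Program Files\Kazaa\My Shared Folder\old.mp3
2004-06-01T10:00:06 900 WRITE C:\Program Files\Kazaa\My Shared Folder\new.wmv
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\w+) (.+)$")


def parse_events(text):
    """Yield (timestamp, pid, operation, path) tuples from audit lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), m.group(4)


def find_mass_deleters(text, threshold=3):
    """Return {pid: [paths]} for processes that deleted at least `threshold`
    targeted media files inside the watched P2P download folders."""
    hits = defaultdict(list)
    for _ts, pid, op, path in parse_events(text):
        if op != "DELETE":
            continue
        lowered = path.lower()
        if not lowered.startswith(WATCHED_DIRS):
            continue  # deletions elsewhere are ordinary housekeeping
        if os.path.splitext(lowered)[1] in TARGET_EXTENSIONS:
            hits[pid].append(path)
    return {pid: paths for pid, paths in hits.items() if len(paths) >= threshold}
```

Run against the sample, only process 412 crosses the threshold; process 900, which deleted a single MP3, is left alone.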
MP3 = The name of the file extension and also the name of the type of file for MPEG, audio layer 3. Layer 3 is one of three coding schemes (layer 1, layer 2 and layer 3) for the compression of audio signals. Used most commonly for music files.
AVI = Short for Audio Video Interleave, the file format for Microsoft’s Video for Windows standard.
MPEG = Short for Moving Picture Experts Group, and pronounced m-peg, a working group of ISO. The term also refers to the family of digital video compression standards and file formats developed by the group.
WMV = Windows Media Video (.wmv) files are Advanced Systems Format (.asf) files that include audio, video, or both compressed with Windows Media Audio (WMA) and Windows Media Video (WMV) codecs.
GIF = Pronounced jiff or giff (hard g) stands for graphics interchange format, a bit-mapped graphics file format used by the World Wide Web, CompuServe and many BBSs. GIF supports color and various resolutions.
ZIP = A popular data compression format. Files that have been compressed with the ZIP format are called ZIP files and usually end with a .ZIP extension.
OK, so what we have here is a list primarily dealing with music and video content. These are files that can be used to potentially deliver malcode. However, this does not in any way, shape or form look like it has the best interests of the user in mind.
The catch is that the program also attempts to subvert certain security programs to aid its activities, which opens the user to a more general risk of infection or program instability. It also appears to steal information.
I would hazard that this appears to have the hallmarks of a RIAA or MPAA style program. The reason I say that is because we have seen information about the RIAA allegedly being involved in writing worms, such as that found on the Virus Bulletin site from 2003. I think that the antivirus community should take a very hard second look at this trojan.