RealMedia files smuggle in trojans
It is well known that media files such as videos or songs can be used to smuggle malicious code onto computers. That said, it appears that virus writers are getting more and more creative. McAfee has now discovered a piece of malware that penetrates systems by means of rigged RealMedia files, installs itself on the system and infects other Real videos. The antivirus vendor has dubbed the worm W32/Realor.worm.
When a user views a RealMedia file (*.rmvb) that has been specially prepared in this way, the file attempts to open a website in the default browser. That website in turn attempts to exploit a security hole in the Microsoft Data Access Components (MDAC), one that has already been closed by Microsoft with the patch for Security Bulletin MS06-014. Realor, the worm installed in this process, then searches for further RealMedia files and attempts to build a link to the website into them as well. The worm does so by installing regular command line tools from Real Helix Producers to modify the rmvb files on the computer.
F-Secure has in the meantime reported in its blog that the company's virus researchers frequently encounter pornographic material on the internet presented as DRM-protected files whose licence requires the installation of a codec. That codec is in fact a front for variants of the Zlob trojan downloader.
McAfee has rated Realor's risk as low. Users should nevertheless exercise the same caution with multimedia files that they do with executable files. Pornographic material from file exchange or internet sites is becoming a preferred vehicle for virus writers, since users appear to lose all inhibitions about installing unknown software when it comes to such topics.