It's a danger to Windows users who download music files on P2P networks

A new kind of malicious software could pose a danger to Windows users who download music files on peer-to-peer networks.

The new malware inserts links to dangerous Web pages within ASF (Advanced Systems Format) media files.

"The possibility of this has been known for a little while, but this is the first time we've seen it done," said David Emm, senior technology consultant for security vendor Kaspersky Lab.

ASF is a Microsoft-definedcontainer format for audio and video streams that can also holdarbitrary content such as images or links to Web resources.

If a user plays an infected music file, it will launch Internet Explorer and load a malicious Web page that asks the user to download a codec, a well-known trick to get someone to download malware.

The actual download is not a codec but a Trojan horse, which installs aproxy program on the PC, Emm said. The proxy program allows hackers toroute other traffic through the compromised PC, helping the hackeressentially cover their tracks for other malicious activity, he said.

The malware has worm-like qualities. Once on a PC, it looks for MP3 orMP2 audio files, transcodes them to Microsoft's Windows Media Audioformat, wraps them in an ASF container and adds links to further copiesof the malware, in the guise of a codec, according to another securityfirm, Secure Computing Corp.

The ".mp3" extension of the files is not modified, however, so victimsmay not immediately notice the change, according to Kaspersky Lab.

Most savvy PC users are aware of the codec ruse, but the style ofattack is still effective since many media players need to receiveupdated codecs occasionally in order to play files.

"Usersdownloading from P2P networks need to exercise caution anyway, butshould also be sensitive to pop-ups appearing upon playing a downloadedvideo or audio stream," Secure Computing said.

Users on a digital audio enthusiast site differed over the danger level of the malware.

"I never allow programs to choose which codecs I use to play back media," wrote JXL on the Hydrogen Audio forum."I research it and get the codec bundles off of sites I know to betrustworthy, and even then I still scan them and check to make surethey are what they are. I honestly don't feel that this malware has avery good chance of spreading fast."

But most users willprobably think the prompt to download a codec is just routine business,wrote a user by the nickname of Citay on the same forum.

"Ithink that outside a minority of users who really know about all thedangers implied with Internet use, the vast majority of people have noidea that such a codec download could lead to a Trojan infection,"Citay wrote.

Trend Micro calls the malware "Troj_Medpinch.a,"Secure Computing named it "Trojan.ASF.Hijacker.gen" and Kaspersky callsit "Worm.Win32.GetCodec.a."