Trojan in Windows Media Player

  • Thread starter Thread starter Terry D
  • Start date Start date
T

Terry D

I received a Windows Security update CD this morning (requested by me 10
days ago). During installation, I received virus detection alerts from
AVG - 'Trojan Horse downloader.small.5.Y' in C:\Windows\WMPlayer.exe and
also in C:\Program Files\Windows Media Player\WMPLAYER.EXE. AVG wouldn't
remove these files and I abandoned the install. Is this just a coincidence,
as I haven't used Media Player for several days. My computer was now acting
strangely, with weird pop-ups. BTW, I'm using Windows 98SE.

I now could no longer use Media Player, so I tried Panda free virus scan,
which detected and removed a virus called Tri/Bris from C:\Program
Files\Windows Media Player\WMPLAYER.EXE.

I then attempted to uninstall Media Player via Control Panel but only
succeeded in reverting to an earlier version. I then retried the Microsoft
Security Update CD, which was successful this time - I'm now back to Media
Player version 9 and everything else seems to be working OK.

Questions

Could the Trojan have been in Media Player before I used the CD?
Have I cured the problem?
What harm has it done?
What other steps should I take?

Terry D.
 
Not sure, but when installing any major program, your antivirus should
normally be shut down so as not to interfere with the install.
It sounds as if the virus was already there and when the MS CD activated the
folder it was in, AVG alerted to it.
Perhaps it is an AVG problem.
Use your antivirus first before doing an install and also empty out your
Recycled Bin, Windows\Temp and TIF before hand.
Then do the install.
 
Not sure, but when installing any major program, your antivirus should
normally be shut down so as not to interfere with the install.
It sounds as if the virus was already there and when the MS CD
activated the folder it was in, AVG alerted to it.
Perhaps it is an AVG problem.
Use your antivirus first before doing an install and also empty out
your Recycled Bin, Windows\Temp and TIF before hand.
Then do the install.
Click to expand...

I think you are correct in that the virus was already there before
attempting the install. I did subsequently attempt installation after using
the virus checker and emptying all folders as you suggested. After
reverting to an earlier version of Windows Media Player using Control Panel
Add/Remove Programs. I then successfully reinstalled everything using the
Microsoft CD. All now seems to be working, possibly now faster than before,
but how did this Trojan gain access since I have AVG, ZoneAlarm, and
regularly use AdAware, Spybot Search and EasyClean, all of which are
regularly updated. I wonder if Microsoft are aware of this problem.

Terry D.
 
Buffalo said:
Not sure, but when installing any major program, your antivirus should
normally be shut down so as not to interfere with the install.
Click to expand...

yes, because you wouldn't want to interfere with the installation of a
possible virus...

the "shut down your anti-virus before installing software" is a myth
promoted by monumentally inept software developers...
 
Terry D said:
I received a Windows Security update CD this morning (requested by me 10
days ago). During installation, I received virus detection alerts from
AVG - 'Trojan Horse downloader.small.5.Y' in C:\Windows\WMPlayer.exe and
also in C:\Program Files\Windows Media Player\WMPLAYER.EXE. AVG wouldn't
remove these files and I abandoned the install. Is this just a coincidence,
as I haven't used Media Player for several days. My computer was now acting
strangely, with weird pop-ups. BTW, I'm using Windows 98SE.

I now could no longer use Media Player, so I tried Panda free virus scan,
which detected and removed a virus called Tri/Bris from C:\Program
Files\Windows Media Player\WMPLAYER.EXE.

I then attempted to uninstall Media Player via Control Panel but only
succeeded in reverting to an earlier version. I then retried the Microsoft
Security Update CD, which was successful this time - I'm now back to Media
Player version 9 and everything else seems to be working OK.

Questions

Could the Trojan have been in Media Player before I used the CD?
Have I cured the problem?
What harm has it done?
What other steps should I take?
Click to expand...

It *might* have been the Wallon worm.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WALLON.A

It overwrites the file wmplayer.exe.
 
kurt wismer said:
yes, because you wouldn't want to interfere with the installation of a
possible virus...

the "shut down your anti-virus before installing software" is a myth
promoted by monumentally inept software developers...

--
"we're the first ones to starve, we're the first ones to die
the first ones in line for that pie in the sky
and we're always the last when the cream is shared out
for the worker is working when the fat cat's about"
Click to expand...

Quit whining and read up and educate yourself.
 
Buffalo said:
Quit whining and read up and educate yourself.
Click to expand...

and what makes you think i'm not sufficiently educated enough to make
the assertion i've made?
 
yes, because you wouldn't want to interfere with the installation of a
possible virus...

the "shut down your anti-virus before installing software" is a myth
promoted by monumentally inept software developers...
Click to expand...

Exactly right.

-Prior to installation, one wants a backup of his system and the activation
of "total uninstall", or other software that inventories his box and
registry.

-During installation, one wants his AV running at Max; his
AT at Max; and his process/behavior monitor at max.

-After installation, one wants to carefully read the "total uninstall"
report. Better than total uninstall would be a program that runs a crc.

Imagine - shutting these things down when you need them the most -
your computer is most vulnerable when installing new software!:-)
 
kurt wismer said:
and what makes you think i'm not sufficiently educated enough to make
the assertion i've made?
Click to expand...

Because of your statements:

"yes, because you wouldn't want to interfere with the installation of a
possible virus..."

and

"the "shut down your anti-virus before installing software" is a myth
promoted by monumentally inept software developers..."

How did you ever come to that conclusion?

Either way, enjoy your weekend.
:-)
 
Tom Swift said:
Exactly right.

-Prior to installation, one wants a backup of his system and the activation
of "total uninstall", or other software that inventories his box and
registry.

-During installation, one wants his AV running at Max; his
AT at Max; and his process/behavior monitor at max.

-After installation, one wants to carefully read the "total uninstall"
report. Better than total uninstall would be a program that runs a crc.

Imagine - shutting these things down when you need them the most -
your computer is most vulnerable when installing new software!:-)
Click to expand...

You've got to be kidding.

When installing any major software, you should have as little running as
possible so that there are less files and in use that may interfere with a
proper and complete install of the new software.
I do agree, however, with using an Install-Uninstall monitor such as the
free program TotalUninstall.
Just a few years ago, you had to go into your BIOS to disable your Boot
Antivirus before you could install Win95-98 or any other major program or
you would get a mess.
You continue to do it your way, and I'll do it my way.
Happy installs.
Buffalo
 
"Windows Media Player, by default, supports a dangerous feature that allows
scripting to be embedded within media files. WMP will then execute the
scripting when the media file is played."
It may need to be activated , such as it was by the MS , to be picked up by
AVG.
Another anti-virus program may or may not have picked it up earlier, I don't
know.
Check this link:
http://www.javacoolsoftware.com/wmpscriptingfix.html
 
Buffalo said:
Because of your statements:

"yes, because you wouldn't want to interfere with the installation of a
possible virus..."

and

"the "shut down your anti-virus before installing software" is a myth
promoted by monumentally inept software developers..."

How did you ever come to that conclusion?

Either way, enjoy your weekend.
:-)
Click to expand...

Incidently, it is widely known that firewall software can interfere
with the installation of remote access server trojan installers too.
One should always shut off their firewall when installing malware
so that such interference is kept to a minimum.
 
FromTheRafters said:
Incidently, it is widely known that firewall software can interfere
with the installation of remote access server trojan installers too.
One should always shut off their firewall when installing malware
so that such interference is kept to a minimum.
Click to expand...

Yeah, right!
When installing any major program, you should be disconnected from the
Internet, FireWall turned off , AntiVirus turned off, etc.
Enjoy your weekend. :-)
 
Buffalo said:
Because of your statements:

"yes, because you wouldn't want to interfere with the installation of a
possible virus..."
Click to expand...

which was rhetorical...
and

"the "shut down your anti-virus before installing software" is a myth
promoted by monumentally inept software developers..."
Click to expand...

which was factual...
How did you ever come to that conclusion?
Click to expand...

by developing an understanding of infection vectors... an application
installer is new software whose trustworthiness cannot necessarily be
determined by casual inspection - the same is true for the application
it contains... viruses and other malware can be and have been
distributed in application software - sometimes by accident, sometimes
not...

since the installer and the application it contains both are executable
content capable of carrying a virus, it makes sense to leave your
on-access scanner active while installing to catch potential viruses
either of them might contain... if the scanner interrupts the
installation because of a real virus, that's a good thing... if it does
so because of a false alarm, there should still be some means of
recourse to undo the botched install... if false alarms happen more
often than true alarms you should consider getting a different
anti-virus product...
Either way, enjoy your weekend.
:-)
Click to expand...

done... thanks...
 
kurt wismer said:
which was rhetorical...


which was factual...


by developing an understanding of infection vectors... an application
installer is new software whose trustworthiness cannot necessarily be
determined by casual inspection - the same is true for the application
it contains... viruses and other malware can be and have been
distributed in application software - sometimes by accident, sometimes
not...

since the installer and the application it contains both are executable
content capable of carrying a virus, it makes sense to leave your
on-access scanner active while installing to catch potential viruses
either of them might contain... if the scanner interrupts the
installation because of a real virus, that's a good thing... if it does
so because of a false alarm, there should still be some means of
recourse to undo the botched install... if false alarms happen more
often than true alarms you should consider getting a different
anti-virus product...

BS


done... thanks...

--
"we're the first ones to starve, we're the first ones to die
the first ones in line for that pie in the sky
and we're always the last when the cream is shared out
for the worker is working when the fat cat's about"
Click to expand...
 
Back
Top