View Full Version : wmp12 security exploit?

15-10-2010, 03:51 PM
I have found that a wmv video played in wmp12 can, when opened, display a message box:
"Windows Media Player cannot play the protected file because a security upgrade is required. Do you want to download the security upgrade?"
The box gives no information about the security upgrade or any other information until I click "yes", then another box appears saying:
"The file or device that you are trying to use requires a component of windows media player to be upgraded.
Click upgrade to download and install the required component"
A link to the wmp12 privacy statement (http://windows.microsoft.com/en-gb/windows7/windows-media-player-12-privacy-statement?locale=409&geoid=b7&version=12.0.7600.16 667&userlocale=1409) online is displayed in the box.
When I click the download button in the box, another box appears with a download progress bar and it simply says "downloading" with no more information, though a working "cancel" button is in the box.

Once downloaded, wmp12 says it's downloading media usage rights information. Then it shows a terms and conditions box which APPEARS to be from divx.
There is "divx" link, which goes here. (http://divcrypt.com/)
When the accept button is clicked a file is automatically downloaded and opened and then MSSE (latest version) shows trojan found.
Screenshot of msse history (http://imgur.com/yprh3)
Trojan:Win32/Meredrop (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Trojan%3aWin32%2fMeredrop&threatid =2147575279)

A terms-of-use type box appears with very breif terms and conditions. The background of the box has a logo very similar if not exactly the same as the divx logo. I would like to have taken screenshots of the whole thing, but as the initial download in wmp12 has already been downloaded, when the wmv file is opened again, wmp12 goes straight to 'downloading media usage rights' and the process continues again from there as above, so i can't recreate what happened unless I can somehow reinstall wmp12 or remove whatever it initially downloaded.

This was done on a freshly formatted win7x64 with the latest version of msse and all windows updates.

Does anyone know how I can get rid of whatever is already on my computer?
MSSE picked up the trojan fine so I'm more worried about the first file.

15-10-2010, 04:13 PM
Long story short, it was likely a pirated video file.

Had a customer bring me a similar issue when they were trying to download Heroes (TV Series) back in the day off the internet.

Try Trojan Remover. The actual file is totally a fake and doesn't contain any video information at all, it's purely designed to get you to install their dodgy software.

...don't do torrents ;)

Speedy Gonzales
15-10-2010, 04:17 PM
TR MAY work, but not all of its options are compatible with x64

15-10-2010, 04:18 PM
that was my theory too... thanks... but shouldnt microsoft do something about this? because torrent or not, it can still be done as easy as sending someone a video file, so anyone could make a malicious video like this and distribute it, no?

Speedy Gonzales
15-10-2010, 04:19 PM
Thats probably its intention

15-10-2010, 04:26 PM
Usually, any Legit security or upgrades are in the windows updates.

Sometimes they will be in the Optional updates, Example KB976422 (http://www.imagef1.net.nz/files/KB.jpg)

15-10-2010, 09:49 PM
Nope. Nothing Microsoft can do. It's technically a feature, it enables you to install support for codecs your OS doesn't know about, which has it's merits, but just a poor implementation...