Trojan.asf.gen

Classification

Category :

Malware

Type :

Trojan

Aliases :

Trojan.asf.gen

Summary

This detection identifies video files that have been intentionally corrupted so that they cannot play. When such a file is opened, Windows Media Player does not display the video; instead it shows a message prompting the user to download an additional file to "resolve video playback issues". If the user does so, the file that is downloaded is malware. The video file itself is only the lure.

Removal

Depending on the settings of your F-Secure security product, it will either move the file to quarantine, where it cannot spread or cause harm, or remove it. If the "Download Fix" prompt was followed, scan the downloaded file as well: the video file is only the lure, and the downloaded component is the actual malware.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The video files identified by this detection are typically in the WMV format (an ASF container) and are distributed inside ZIP archives. The videos are presented as pirated copies of current popular movies or television series, with filenames naming the movie or series to make the download look genuine.

Downloading malware

When the file is launched in Windows Media Player, an image of a message box titled "Media Usage Rights Acquisition" is displayed. This is the same title Windows Media Player uses for its genuine DRM license prompt, which is what makes the lure convincing. Note that it is not an actual message box: it is an image of one, with two buttons labelled "Download Fix" and "Web Help".

The text shown in the image is designed to make the user believe that a codec is missing from their machine, and that the necessary file must be downloaded to "resolve video playback issues". If the "Download Fix" button is clicked, a file is downloaded from a remote server. The downloaded file is malware, typically a trojan.
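As an added triage example (not F-Secure's detection logic and not code from the original page), the following script walks the top-level objects of an ASF header, which is the container format used by WMV, and reports the places where a file can carry an attacker-supplied URL: the license URL of a Content Encryption object (the one Windows Media Player consults before showing its "Media Usage Rights Acquisition" prompt) and "URL" entries in a Script Command object. That these lure files use one of those two objects is an assumption of the example, not a statement from the page. The sample file, the object GUIDs' use as "suspicious" and the example.invalid URLs are all constructed for illustration; the GUIDs and object layouts are from the ASF specification.

```python
import struct
import uuid

# ASF object GUIDs from the ASF specification (stored little-endian on disk).
HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
FILE_PROPERTIES = uuid.UUID("8CABDCA1-A947-11CF-8EE4-00C00C205365")
CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")


def _guid(raw):
    return uuid.UUID(bytes_le=bytes(raw))


def _dword_blob(data, off):
    """Read a DWORD length followed by that many bytes; return (blob, next offset)."""
    (n,) = struct.unpack_from("<I", data, off)
    off += 4
    return data[off:off + n], off + n


def parse_content_encryption(body):
    """Content Encryption Object: secret data, protection type, key ID, license URL."""
    _secret, off = _dword_blob(body, 0)
    ptype, off = _dword_blob(body, off)
    keyid, off = _dword_blob(body, off)
    url, _off = _dword_blob(body, off)
    dec = lambda b: b.rstrip(b"\0").decode("ascii", "replace")
    return {"protection_type": dec(ptype), "key_id": dec(keyid), "license_url": dec(url)}


def parse_script_commands(body):
    """Script Command Object: return (type name, command text) pairs."""
    count, type_count = struct.unpack_from("<HH", body, 16)  # after 16 reserved bytes
    off, types, cmds = 20, [], []
    for _ in range(type_count):
        (n,) = struct.unpack_from("<H", body, off)
        off += 2
        types.append(body[off:off + 2 * n].decode("utf-16-le"))
        off += 2 * n
    for _ in range(count):
        _time, idx, n = struct.unpack_from("<IHH", body, off)
        off += 8
        cmds.append((types[idx], body[off:off + 2 * n].decode("utf-16-le")))
        off += 2 * n
    return cmds


def iter_header_objects(data):
    """Yield (guid, body) for each object inside the ASF Header Object."""
    if len(data) < 30 or _guid(data[:16]) != HEADER_OBJECT:
        raise ValueError("not an ASF file")
    header_size, count = struct.unpack_from("<QI", data, 16)
    off, end = 30, min(header_size, len(data))  # 16 GUID + 8 size + 4 count + 2 reserved
    for _ in range(count):
        if off + 24 > end:
            break
        guid = _guid(data[off:off + 16])
        (size,) = struct.unpack_from("<Q", data, off + 16)
        if size < 24 or off + size > end:
            break  # truncated or lying size field: stop instead of reading past the end
        yield guid, data[off + 24:off + size]
        off += size


def triage_asf(data):
    """Return findings: attacker-controllable URLs and objects that fail to parse."""
    findings = []
    for guid, body in iter_header_objects(data):
        try:
            if guid == CONTENT_ENCRYPTION:
                url = parse_content_encryption(body)["license_url"]
                if url:
                    findings.append(("license_url", url))
            elif guid == SCRIPT_COMMAND:
                for ctype, text in parse_script_commands(body):
                    if ctype.upper() == "URL":
                        findings.append(("script_url", text))
        except (struct.error, IndexError):
            findings.append(("malformed_object", str(guid)))  # deliberately damaged files
    return findings


def build_sample(license_url, script_url=None):
    """Construct a minimal ASF header carrying the URLs (constructed sample, not a real lure)."""
    obj = lambda g, b: g.bytes_le + struct.pack("<Q", 24 + len(b)) + b
    blob = lambda b: struct.pack("<I", len(b)) + b
    ce = blob(b"\0" * 4) + blob(b"DRM\0") + blob(b"KEY1\0") + blob(license_url.encode() + b"\0")
    objects = [obj(FILE_PROPERTIES, b"\0" * 80), obj(CONTENT_ENCRYPTION, ce)]
    if script_url:
        name, cmd = "URL".encode("utf-16-le"), script_url.encode("utf-16-le")
        sc = (b"\0" * 16 + struct.pack("<HH", 1, 1) + struct.pack("<H", 3) + name
              + struct.pack("<IHH", 0, 0, len(script_url)) + cmd)
        objects.append(obj(SCRIPT_COMMAND, sc))
    body = b"".join(objects)
    return HEADER_OBJECT.bytes_le + struct.pack("<QI", 30 + len(body), len(objects)) + b"\x01\x02" + body


if __name__ == "__main__":
    sample = build_sample("http://example.invalid/fix", "http://example.invalid/help")
    for kind, value in triage_asf(sample):
        print(kind, value)
```

Run against a real WMV with `triage_asf(open(path, "rb").read())`. Any license or script URL in a file that claims to be a pirated movie is worth treating as the lure the page describes; a legitimate file with no DRM and no script commands produces no findings. The parser stops at the first object whose size field runs past the available data rather than trusting it, so a deliberately truncated file still yields whatever was readable before the damage.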

Social engineering

This tactic of offering a desirable file that appears to need an "additional component" before it can be viewed is an old but effective social engineering ploy: the user downloads and runs the malware themselves, so no exploit is needed.

An example of an older malware that uses the same technique is Trojan-Downloader:OSX/DNSChanger.