Stupid way to end piracy

Here in SophosLabs, we are quite used to seeing popular musician’s images and names being used to spread malware.

But this piece of malware I saw today attempts to stop global music piracy, which incidentally seems to be on the rise lately because of the economic downturn.

It looks to have been written by some Indonesian script kiddies who seem to think that by infecting people’s computers they can stop piracy.

The malware  attempts to use the Indonesian band Samsons and their song Naluri Lelaki to entice users to click on the file. The file itself comes with a Winamp icon on it, so it looks like a regular mp3 file to the user. When the file is clicked it modifies some registry entries related to WinLogon, so the victim’s computer displays the following message box before they can log onto their computers:

"Stop pembajakan Musisi Dalam Negeri, Jangan Gunakan MP3 lagi (sok sok an) huahahahahaha!!!"

Loosely translated to:

"Stop piracy Musician Affairs, Do not Use MP3 again (quasi quasi-an) huahahahahaha!"

The Trojan will copy itself onto any mp3s found on the victim’s computer (with the same name as the mp3 file and an appended “.exe” at the end), thus destroying all mp3 files on the system.

The Trojan will also shutdown Winamp as well as copy itself to the Windows folder on the victim’s computer. A full description of the malware is here.

Needless to say it’s a lame attempt.