Nowadays almost everyone is affected by the recession in one way or another. More and more people try to save money.

Instead of buying licensed songs in CD form or from reputable online services, some people prefer to download songs via P2P or do a direct download from untrusted sites. This is a popular way of getting music files for free.

Wimad is a malware family that is known for using music files as its medium for distribution. It is a detection for malicious Windows media files that encourage users to download and execute arbitrary files on an affected machine. When opened with Windows Media Player, Wimad files open a particular URL in a web browser and prompt the user to download a file.  The accessed URLs and the downloaded files vary according to the Wimad variant, but some of the known detections for the downloaded files are Adware:Win32/PlayMp3z, TrojanDownloader:Win32/Tracur.A and Trojan:Win32/Nebuler.gen!D. In the wild, Wimad files have been observed with the extensions .ASF, .ASX, .MP3, and .WMA.

Below is a graph of the top 10 family detections for the last twelve months.

As you can see in the following graph, Wimad is the 7th family with the most number of reported detections. 

Looking at Wimad’s monthly detection report from May 2008 to April 2009, we can see an increase in detection, with an average detection of about 1.5M per month and a peak observed last December and January exceeding more than 2M.

Based on the geographic distribution of Wimad for the last year, United States, Canada and United Kingdom are the most affected countries.

As blogged before by our fellow researchers, the cost for free software might be too high. Time and time again we encourage users to support and patronize licensed media and software.

--Francis Tan Seng & Elda Dimakiling