The adware file, WmaDownloader.B, arrives in an email claiming that a license is needed in order to play the promised music and video content. Users are asked to agree to this license, which in fact gives permission to install the adware.
The problem starts when the user downloads an alleged video file (*.wmv) or audio file (*.wma). When the user tries to run these files to view them on the computer, a window is displayed that prompts the user to acquire a license. The message explains that in order to get the free license, the user must install IST Toolbar, a known adware program that security firm PandaLabs warns "is used as an entry-point for many other threats".
"Although users are warned that adware will be installed and gives the user the opportunity to read the license agreement, it is formulated in clearly abusive terms, and also exploits the fact that few users are aware of the impact that installing this spyware program can have on their computers, as this spyware allows many other threats to get into the system," explained Luis Corrons, director of PandaLabs.
"What's more, it is important not to forget that in the samples received by PandaLabs, the system is even more fraudulent, as there is not even a video or music file."
When this message is displayed, the user is also asked to install an ActiveX Control, which is the IST Toolbar mentioned in this window. If users do not agree to install it, they will not be affected, but neither will they be able to play the promised video or audio file. If users agree to install it, the IST Toolbar (detected by Panda Software as ISTBar) will be downloaded, infecting the system and allowing the file to be played, if it exists. A window notifying users that they must acquire a license will also appear.
However, this might not always be the case, warned Corrons. "The warning about the installation of the ActiveX Control is not always displayed in computers with the security level configured as low, which could occur because the user has configured it in this way or because one of the many other malware specimens with this function has already affected the computer. For this reason it is extremely important to check the browser settings in order to neutralize installation of ActiveX Controls of dubious origin."
The adware can only affect computers with Windows Media Player 9 or a later version installed.