March 22, 2006
There is no such thing as a good virus, but some viruses are more despicable than others. Case in point, the newly discovered W32/QuickBatch.G!tr Trojan that specifically targets members of the blind community. The Trojan was first discovered after it was posted to the Blind Cool Tech mailing list and various other newsgroups for blind users. Jared Rimer of Superior Software became suspicious and forwarded a copy of the suspect file, audiomagic_b001.exe, for analysis.
Patrick Nolan, Virus Researcher for Fortinet Technologies, analyzed the file and reported that it was a variant of the "QuickBatch" family of Trojans, so named because they are compiled using a demo version of the Quickbatch compiler which converts batch scripts into .EXE files. According to Patrick, "W32/QuickBatch.G!tr systematically deletes files not in use by Windows or applications running and services running, in all folders and subfolders."
JAWS for Windows (JFW) is software that audibly reads information from a computer display, facilitating computer use for the visually impaired. Sound Forge is a program used to create, edit, and process sound files. Through the use of scripts, programs such as Sound Forge can be made compatible for use by JAWS, increasing accessibility for members of the blind community.
The newsgroup/mailing list posting carrying the infected attachment reads as follows:
Hello all,
I have written a new sound-editing application called Audio Magic. It is an alternative to Sound Forge 8, but it is in the public domain and it is freeware. It does not yet have all of Sound Forge's features, but we are only on the very first beta release at this point, and I would like all of your feedback on how I could improve the interface. I am a JAWS user myself, so I have tried to make the interface to the application as accessible as possible. You will not need JAWS scripts to make use of the program's features; the program will communicate its information to JAWS without any other files needing to be installed. This program is also a lot faster than Sound Forge in terms of saving files, etc. It includes features such as changing pitch, reverb, noise reduction (coming in next etc. It can currently save in MP3, WMA, OGG and Real Media formats. More support is coming soon and people will be able to write plug-ins to support other formats if they wish. If you would like to try it out, you can go to http://---------.com and download the latest beta version from there. You can read the user's guide and other documentation after you've got the program installed. Documentation will also be available online by the time the final product is released. If you feel any changes need to be made to the documentation, let me know that as well. Hope you all enjoy the program.
Thanks,
Daniel
Joker Dog
jokerdog02@-----.fm
Further complicating matters, there is a legitimate "Audio Magic" shareware program, titled "AudioMagic 2.43" and created by YoGen Software. There is no link between the author(s) of the W32/QuickBatch.G!tr Trojan and YoGen Software. Indeed, YoGen Software is yet another victim of the Trojan.
The hijacking of known program names and reputations is common among virus writers. Remember, you cannot identify a virus by the name of the file. Instead, use a program such as Spybot's FileAlyzer to obtain the MD5 hash of a file - a much more reliable differentiator. In this particular case, the MD5 of the miscreant audiomagic_b001.exe is e959e5150ee8bb5776a8f5352ad5de98.
Bit9 FileAdvisor lets you search for information on files by using the MD5. However, while it can be useful for verifying that a particular MD5 matches a known good commercial software app, it's less likely to return results for more obscure software and/or malware.
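The hash comparison described above, as an added example (not code from the original article or from any tool it names): a Python sketch that walks a folder and flags files whose MD5 matches a known-bad list, whatever the file is called. The only real hash is the one quoted in the article; the demo file names, their contents and the demo blocklist entry are constructed, and computing SHA-256 alongside MD5 is an assumption about what you would also want to record.

```python
import hashlib
import os
import tempfile

# MD5 of the malicious audiomagic_b001.exe, as quoted in the article.
KNOWN_BAD_MD5 = {"e959e5150ee8bb5776a8f5352ad5de98": "W32/QuickBatch.G!tr"}

def file_digests(path, chunk_size=64 * 1024):
    """Stream the file once and return (md5, sha256) hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def scan(root, known_bad=KNOWN_BAD_MD5):
    """Walk root; return [(path, md5, label)] for files whose content is listed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, _sha256 = file_digests(path)
            except OSError:
                continue  # unreadable or locked file: skip it, keep scanning
            if md5 in known_bad:
                hits.append((path, md5, known_bad[md5]))
    return hits

def demo():
    """Constructed sample: a suspicious name with benign bytes, and the reverse."""
    bad_bytes = b"constructed stand-in for a known-bad sample"
    blocklist = {hashlib.md5(bad_bytes).hexdigest(): "constructed-test-sample"}
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "audiomagic_b001.exe"), "wb") as fh:
            fh.write(b"constructed harmless bytes")  # name matches, content does not
        with open(os.path.join(root, "holiday_photos.exe"), "wb") as fh:
            fh.write(bad_bytes)                      # innocent name, listed content
        return [os.path.basename(p) for p, _md5, _label in scan(root, blocklist)]

if __name__ == "__main__":
    import sys
    for path, md5, label in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{md5}  {label}  {path}")
```

In the constructed demo only holiday_photos.exe is flagged: the file carrying the Trojan's name but different bytes is not, which is why the file name alone cannot be the test.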

