While I was looking at some malware code I stumbled on a series of functions I had never seen before: mixerOpen, mixerGetLineInfo, mixerGetLineControls and mixerSetControlDetails. At first these were only words to me, but the word “mixer” suggested that something related to an audio line was involved. MSDN and Google are good friends in such cases. I always start from MSDN and then browse the net looking for practical examples, just to see possible implementations. As I thought, the functions are used to change sound parameters. The malware aims to mute the speakers, but it will fail.
Some time ago I was reading an online magazine and there was an article explaining how many malware samples contain ripped code. It’s old news and I agree with it, but I had never met a live example. The malware I’m checking could be my first one. I think the code is taken directly from a nice tutorial titled mixerSetControlDetails.
The tutorial provides a working sample of how to control the volume level of your speakers: you can raise or lower the level simply by moving a slider. The sample is not designed to mute the speakers directly; you have to move the slider to zero. At the end of the tutorial there’s a part titled “Mute me, baby!”, in which the author describes a way to mute the speakers directly. He provides a possible implementation but not a working sample. I tried the code but unfortunately it doesn’t mute the speakers.
Believe it or not, the malware is unable to mute the speakers because the tutorial’s author doesn’t provide a working solution. Yes, part of the malware code is taken directly from this tutorial.
I can’t be 100% sure because I can’t compare the two source codes, but:
– to mute the speakers you only need 4 functions, not 6. The malware calls the same functions listed in the tutorial, in the same order and with the same parameters. That’s strange, because the sample changes the volume to 18500 while the aim of the malware is to mute the speakers.
– there are some structures involved in the code, and the malware fills all of them with the same values provided by the tutorial. Maybe you have to initialize only some of the structures’ members, but MSDN is pretty clear about these mixer functions: most of the time you need to initialize the entire structure.
Maybe I’m right, maybe I’m wrong, I don’t know, but there’s a strict correlation between the two pieces of code. In case you want to mute the speakers, here is a working piece of code (the four winmm calls in order, with every structure zero-initialized and its cbStruct member set, as MSDN requires):
#include <windows.h>
#include <mmsystem.h>   /* mixer* API; link against winmm.lib */
int main(void) {
    HMIXER hMixer = NULL;
    MIXERLINE ml = {0};
    MIXERLINECONTROLS mlc = {0};
    MIXERCONTROL mc = {0};
    MIXERCONTROLDETAILS mcd = {0};
    MIXERCONTROLDETAILS_BOOLEAN mcd_b = {0};
    /* 1. open the first mixer device */
    if (mixerOpen(&hMixer, 0, 0, 0, MIXER_OBJECTF_MIXER) != MMSYSERR_NOERROR) return 1;
    /* 2. locate the speakers destination line */
    ml.cbStruct = sizeof(MIXERLINE);
    ml.dwComponentType = MIXERLINE_COMPONENTTYPE_DST_SPEAKERS;
    mixerGetLineInfo((HMIXEROBJ)hMixer, &ml, MIXER_GETLINEINFOF_COMPONENTTYPE);
    /* 3. fetch that line's mute control (a boolean control, not the volume one) */
    mlc.cbStruct = sizeof(MIXERLINECONTROLS);
    mlc.dwLineID = ml.dwLineID;
    mlc.dwControlType = MIXERCONTROL_CONTROLTYPE_MUTE;
    mlc.cControls = 1;
    mlc.cbmxctrl = sizeof(MIXERCONTROL);
    mlc.pamxctrl = &mc;
    mixerGetLineControls((HMIXEROBJ)hMixer, &mlc, MIXER_GETLINECONTROLSF_ONEBYTYPE);
    /* 4. set the mute control explicitly: TRUE mutes, FALSE unmutes */
    mcd_b.fValue = TRUE;
    mcd.cbStruct = sizeof(MIXERCONTROLDETAILS);
    mcd.dwControlID = mc.dwControlID;
    mcd.cChannels = 1;
    mcd.cbDetails = sizeof(MIXERCONTROLDETAILS_BOOLEAN);
    mcd.paDetails = &mcd_b;
    mixerSetControlDetails((HMIXEROBJ)hMixer, &mcd, MIXER_SETCONTROLDETAILSF_VALUE);
    mixerClose(hMixer);
    return 0;
}
Attached are the source code and the exe file.