Detection of a trojan named Downloader-UA.h was added to the McAfee DAT files several days ago. Since that time more than 360,000 McAfee VirusScan Online users have reported detections, a whopping 32% of those reporting in the past 24 hours alone. Now, Downloader-UA.h is not your everyday trojan: this detection covers fake music and video files associated with fastmp3player.com.
When a user attempts to load one of these MP3 and MPG files, they don’t get the music/video they were hoping for; instead they’re directed to download a file named PLAY_MP3.exe. In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip whatsoever.
Here are some of the sample names that we’ve seen. Many, many other file names are surely floating around on P2P networks. File sizes vary, as these files are padded with nulls.
preview-t-3545425-adult.mpg
preview-t-3545425-changing times earth wind .mp3
preview-t-3545425-girls aloud st trinnians.mp3
preview-t-3545425-heartbroken fast t2 ft jodie.mp3
preview-t-3545425-jij bent zo jeroen van den.mp3
preview-t-3545425-meet bambi in kings harem.mp3
preview-t-3545425-middle eastern chick.mpg
preview-t-3545425-paint me bunmingham.mp3
preview-t-3545425-paralyized by you.mp3
preview-t-3545425-pull over levert.mp3
preview-t-3545425-say it right remix.mp3
preview-t-3545425-st trinnians girls aloud.mp3
preview-t-3545425-theme godfather.mp3
t-3545425-bentley bizzle.mp3
t-3545425-dx vs randi orton 2007.mpg
t-3545425-haloween special.mp3
t-3545425-just got lucky.mp3
t-3545425-lion king portugues.mpg
t-3545425-los padres de ella.mpg
t-3545425-para sayo freestyle.mp3
t-3545425-peanut butter jelly amende.mp3
t-3545425-stare at sun thrice.mp3
t-3545425-suicide bride dana.mp3
t-3545425-wayne and jane.mp3
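As an added example not taken from the original post, a defender-side triage script that applies the two traits described above: it classifies a file by its leading bytes rather than its extension, and measures how much of it is trailing NUL padding. The ASF header check follows a reader comment further down that the fakes are mislabeled ASF files; that check, the magic-number table and the sample blobs are assumptions constructed here, not material from the post.

```python
import os

# Leading bytes of the formats the fake files claim to be. The ASF GUID is an
# assumption taken from a reader comment that the fakes are mislabeled ASF.
ID3_MAGIC = b"ID3"
MPEG_PS_MAGIC = b"\x00\x00\x01\xba"
ASF_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

# Which sniffed container types are legitimate for each claimed extension.
EXPECTED = {".mp3": {"mp3-id3", "mp3-frame"}, ".mpg": {"mpeg-ps"}}

def sniff_container(data: bytes) -> str:
    """Classify a media file by its leading bytes, ignoring its extension."""
    if data.startswith(ID3_MAGIC):
        return "mp3-id3"
    # Bare MPEG audio frame: 11 sync bits set in the first two bytes.
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3-frame"
    if data.startswith(MPEG_PS_MAGIC):
        return "mpeg-ps"
    if data.startswith(ASF_GUID):
        return "asf"
    return "unknown"

def null_padding_ratio(data: bytes) -> float:
    """Fraction of the file made up of trailing NUL bytes."""
    if not data:
        return 0.0
    return (len(data) - len(data.rstrip(b"\x00"))) / len(data)

def triage(name: str, data: bytes) -> dict:
    """Flag a file whose content does not match its extension or that is
    mostly NUL padding; both are traits of the fakes described above."""
    ext = os.path.splitext(name)[1].lower()
    kind = sniff_container(data)
    pad = null_padding_ratio(data)
    mismatch = ext in EXPECTED and kind not in EXPECTED[ext]
    return {"name": name, "kind": kind, "null_padding": round(pad, 2),
            "suspicious": mismatch or pad > 0.5}

# Constructed samples (not captured files): one mimicking the fakes, one a
# plausible real MP3 with an ID3v2 header followed by audio frames.
FAKE_MP3 = ASF_GUID + b"\x00" * 8 + b"http://example.invalid/" + b"\x00" * 4000
REAL_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x00" + bytes([0xFF, 0xFB, 0x90, 0x00]) * 300

if __name__ == "__main__":
    for fname, blob in [("t-3545425-just got lucky.mp3", FAKE_MP3), ("song.mp3", REAL_MP3)]:
        print(triage(fname, blob))
```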
If users agree to download and run PLAY_MP3.exe (detected as Generic PUP.a with McAfee DAT files), a 4,800-word EULA is displayed.

Notable parts of the EULA include:
(3) The Licensed Materials you install will also include/be bundled with the following 3rd Party software products:
PRODUCT Mirar AND EULA http://policy.getmirar.com/
And my favorite:
22. Effective: January 14, 2007.
END OF DOCUMENT
NetNucleus Privacy Policy/EULA
This End User License Agreement (the “Agreement”) is a legal agreement between you and NetNucleus Corp.
Does END OF DOCUMENT mean you can ignore the rest? Gotta love it when a “vendor” expects their “customers” to read a EULA that they themselves did not seem to read!
If you agree to the EULA and choose to proceed, the adware “FBrowsingAdvisor” and “SurfingEnhancer” are installed as described in the EULA. I especially like the directory name used by the developer:
c:\Documents and Settings\tani\My Documents\Dreamsoft\Firefox\firefox_adware\FF-Source\Source\Release\XPCOMEvents.pdb
If Firefox is not installed, users may see an error message:

PlayMP3.exe from PlayMP3z.biz is installed, which is simply a browser control wrapped in an exe, and doesn’t actually play local MP3 files, but rather loads a webpage running the Wimpy MP3 Flash player. This page lets the user listen to a canned selection of a couple dozen songs.
In the end you’re left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads.

May 6th, 2008 at 5:28 pm
[…] Avert Labs reported Tuesday the most significant malware outbreak in three years with more than 500,000 detections of a […]
May 7th, 2008 at 1:06 am
[…] with the name “Play_mp3.exe” directed”, explained Craig Schmugar of McAfee Avert Labs in a blog entry. The supposed MP3 player, however, is actually adware as well as a […]
May 7th, 2008 at 3:13 am
[…] full list of names can be found on the relevant McAfee page. As it itself says, although it has also seen in the […]
May 7th, 2008 at 3:25 am
[…] Earlier we blogged about Fake MP3s Running Rampant, mostly on P2P networks, such as Limewire. I took some time to create a video clip showing what the […]
May 7th, 2008 at 3:34 am
[…] more than 360,000 computers reported with the trojan. In the “McAfee Alert Labs Blog” Craig Schmugar gives details on the trojan and the already known file names of the malware […]
May 7th, 2008 at 3:54 am
Oh my gosh what will these hackers think of next!
May 7th, 2008 at 5:03 am
[…] at McAfee warn of the appearance in peer-to-peer networks of a large number of […]
May 7th, 2008 at 5:08 am
[…] McAfee Avert Labs blog it is possible to consult the complete list of the names of the compromised music and video files […]
May 7th, 2008 at 5:42 am
[…] pm on May 7, 2008 | # | McAfee that a major new outbreak is infecting computers using P2P clients. [VIA] […]
May 7th, 2008 at 5:49 am
[…] avoid the site: fastmp3player (dot ) com Avert Medium Threat Advisory — Fake MP3 malware attacks http://www.avertlabs.com/research/blog/index.php/2008/05/06/fake-mp3s-running-rampant/ http://www.avertlabs.com/research/blog/index.php/2008/05/07/yet-even-more-fake-media-files/ […]
May 7th, 2008 at 7:05 am
Isn’t this really a case of the P2P being detected through user updates, i.e. they were previously infected, rather than it ’spreading’?
I believe this was seeded some time ago, and the generic dat(update) has been reporting it (and slightly differing versions of the ’same’ code) since the update made it possible to detect.
It’s a shame we cannot see if the machine WAS previously infected, or indeed if the update prevented infection.
Lee
May 7th, 2008 at 7:12 am
You really need to explain this better.
Are these exe files taking advantage of hidden extensions to fool naive users? I didn’t think so but many people are assuming that’s what’s going on here and consequently assuming they can detect these if they have their extensions showing.
Or is this just a WMP vulnerability? If someone uses Winamp or some other non-WMP player can this affect them? I suspect not.
May 7th, 2008 at 8:36 am
[…] McAfee, which detected the virus, reports that among the fake files are the names preview-t-3545425-changing times earth wind.mp3 and t-3545425-just got lucky.mp3; other names and details of the virus can be found here […]
May 7th, 2008 at 9:36 am
[…] A blog posting by McAfee Avert Labs threat researcher Craig Schmugar, explaining the threat in greater detail, can be found here. […]
May 7th, 2008 at 9:52 am
[…] Further information and a screen animation can be found in the McAfee Avert Labs Blog. […]
May 7th, 2008 at 10:40 am
[…] Fake file names include: preview-t-3545425-changing times earth wind .mp3 and t-3545425-just got lucky.mp3. Schmugar listed more filenames, as well as details on the adware, in a Tuesday blog posting. […]
May 7th, 2008 at 11:17 am
[…] of the "fake" music files, the virus specialists at McAfee have in their AVERT Labs Blog […]
May 7th, 2008 at 1:09 pm
[…] Link: Post on Craig Schmugar's blog […]
May 7th, 2008 at 1:37 pm
Pretty neat trick but I guess people need to update their virus scanners…
May 8th, 2008 at 1:50 am
[…] days ago the antivirus company McAfee discovered a new trojan, Downloader-UA.h, which is spreading quite […]
May 8th, 2008 at 3:10 am
[…] reported that Downloader-UA.h trojan is present in hundreds of media files that were uploaded to file-swapping services during the last weekend. Limewire and eDonkey were the […]
May 8th, 2008 at 3:15 am
[…] Scammers have started using MP3 files to spread advertising. May 8th, 2008 − Сумы.biz. Specialists at McAfee warn of the appearance in peer-to-peer networks of a large number of fake MP3 files with which scammers are trying to distribute software that displays advertising. As PC World reports, citing statements by McAfee expert Craig Schmugar, at first glance the malicious files may look like ordinary tracks saved in MP3 format. In reality such files contain a trojan program that offers to download and install a certain media player. If the potential victim agrees to install the application, an end user license agreement (EULA) is displayed, after which the Mirar and NetNucleus programs are installed on the PC. The user then starts being shown advertising banners. McAfee emphasizes that the fake MP3 files have various names and sizes. In particular, the trojans are contained in files whose names begin with the character sequences “preview-t-3545425-” and “t-3545425-”. Analysis of statistics from McAfee's antivirus scanners showed that within just a few days more than 350 thousand notifications of detections of the malicious “tracks” were generated. How many Internet users have suffered from the cybercriminals' actions is not yet clear. Details […]
May 8th, 2008 at 3:28 am
[…] warned about malware hiding in media files. Currently, McAfee says the number of infections from MP3 files carrying the trojan has exceeded 360,000 machines […]
May 8th, 2008 at 3:37 am
I’m confused. How does a download link on Limewire that shows a .mpg extension result in a download of a .exe file?
May 8th, 2008 at 4:14 am
[…] Here are some of the names on the list: http://www.avertlabs.com/research/blog/index.php/2008/05/06/fake-mp3s-running-rampant/ […]
May 8th, 2008 at 5:05 am
My computer was infected with webHancer malware last week. Got it through limewire trying to get some games! It was masquerading as a .exe in a .zip file. Same behaviour though - uncontrollable popups.
May 8th, 2008 at 7:38 am
[…] At the same time, McAfee is cautioning that it’s seen an increase in fake MP3 files being used to carry dangerous code. A security expert with the company claims 360,000 users have had problems in the past days. You can find a list of the problematic filenames to avoid on the McAfee Labs Blog. […]
May 8th, 2008 at 8:34 am
If I remember correctly these are mislabeled ASF files. ASF and Quicktime files have a feature that allows opening an URL (or even multiple) in the web browser. There are all sorts of spammers who are abusing this feature. Don’t blame P2P. Blame Apple and Microsoft for adding such dangerous features to audio and video containers. There is no reason in hell that such a file should be able to trigger accessing an URL.
May 8th, 2008 at 8:40 am
One more piece of information: These files were mainly spread through servers hosted at FortressITX (65.98.0.0/17): 65.98.59.242 and 65.98.61.242. LimeWire has actually banned the complete range for quite some time. Even less reason to blame them. Either the infected users, use something else or some rip-offs that are already infected with trojans and adware right away or otherwise outdated software.
May 8th, 2008 at 8:44 am
And by the way, giving the filenames is absolutely pointless. Spammers have been using generated filenames and also ripped filenames from torrent index sites and the like for a long time. There are very likely hundreds of thousands of different filenames for the same file.
May 8th, 2008 at 10:42 am
[…] The security company McAfee has reported one of the largest “malware outbreaks” of the last three years with more than 500,000 […]
May 8th, 2008 at 10:45 am
[…] Here are some of the samples names that we’ve seen. Many many other file names are surely floating around on P2P networks. File sizes vary as these files are padded with nulls. (link) […]
May 8th, 2008 at 1:03 pm
[…] Thursday, May 8, 2008 at 19:03 · Filed under Mercado Those of you who might hypothetically find yourselves surfing around on LimeWire searching for the latest in free, legal, P2P downloads may want to pay a bit more attention to the files you download. According to Craig Schmugar at McAfee’s Avert Labs, there’s a new trojan (Downloader-UA.h) on the loose that’s masquerading as an MP3 or MPG file. The list of infected files below was originally compiled by Schmugar, and it’s not a bad idea to check them out if you regularly search for “user-created” video. Not that any of you actually do that sort of thing, of course, but you might know someone who does. Err, did. Back in the 90s. (more here and here) […]
May 9th, 2008 at 3:58 pm
[…] according to data from McAfee's Avert Labs cited by Craig Schmugar on the antivirus software company's blog (via Information Week), in recent days the trojan was […]
May 9th, 2008 at 8:56 pm
[…] Beware files sharing! Fake mp3 files running rampant, and many of them contain a trojan horse. […]
May 10th, 2008 at 10:45 am
[…] MP3 player plus pop-up adware products, as first reported on May 6, 2008 by the McAfee Avert Labs, here. McAfee calls this ‘rampant’; we call it a drop in the bucket (based on the true numbers […]
May 11th, 2008 at 1:54 am
[…] “Once you run the file, it has no content. You are taken to a site to install the ‘player’ that you really don't need,” he said. The fake file names include: preview-t-3545425-changing times earth wind.mp3 and t-3545425-just got lucky.mp3. Schmugar listed more file names, as well as details of the adware, in a post on his blog. […]
May 12th, 2008 at 1:18 am
…yet another reason why you should own a mac. hah
May 12th, 2008 at 8:53 am
[…] reportedly raking up numbers of victims on the Web. It was initially reported by McAfee in their blog and gained attention after it was deemed worthy of a “medium” threat level by the said security […]
May 13th, 2008 at 4:00 pm
[…] tells them to download another file to operate it, that other file was Downloader-UA.h. Take a look here to see a small list of the files that direct you to download the trojan and ways to know that you […]
May 13th, 2008 at 4:54 pm
My computer stopped working after I tried to open my Limewire. I think one of the music or video tracks had this trojan because my Anti-Virus noted a trojan but couldn’t get rid of it. Does anyone know how to get rid of it yet?
May 13th, 2008 at 5:04 pm
This will be all over Hulu in a few days. And that will infect a lot of people.
May 13th, 2008 at 9:36 pm
Your print is so itsy bitsy I cannot read this page without copying it to a WP and enlarging it, and I have 20/20 corrected vision. Some of us aren’t 30 anymore. Please make your print larger.
May 14th, 2008 at 12:10 am
[…] incorporates all manner of potential file names. Though the BBC story includes a half-dozen, the real list of names is exhaustive to the point where it would make little sense including it here. It’s likely that that list […]
May 14th, 2008 at 6:56 am
[…] have reported that trojans are hiding in MP3 files (there’s a really great and informative blog post on the site by the […]