Fake MP3s Running Rampant
Tuesday May 6, 2008 at 12:08 pm CST
Posted by Craig Schmugar
Detection of a trojan named Downloader-UA.h was added to the McAfee DAT files several days ago. Since that time more than 360,000 McAfee VirusScan Online users have reported detections, a whopping 32% of those reporting in the past 24 hours alone. Now, Downloader-UA.h is not your everyday trojan; this detection covers fake music and video files associated with fastmp3player.com.
When a user attempts to load one of these MP3 and MPG files, they don’t get the music/video they were hoping for; instead they’re directed to download a file named PLAY_MP3.exe. In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip whatsoever.
Here are some of the sample names that we’ve seen. Many, many other file names are surely floating around on P2P networks. File sizes vary as these files are padded with nulls.
preview-t-3545425-adult.mpg
preview-t-3545425-changing times earth wind .mp3
preview-t-3545425-girls aloud st trinnians.mp3
preview-t-3545425-heartbroken fast t2 ft jodie.mp3
preview-t-3545425-jij bent zo jeroen van den.mp3
preview-t-3545425-meet bambi in kings harem.mp3
preview-t-3545425-middle eastern chick.mpg
preview-t-3545425-paint me bunmingham.mp3
preview-t-3545425-paralyized by you.mp3
preview-t-3545425-pull over levert.mp3
preview-t-3545425-say it right remix.mp3
preview-t-3545425-st trinnians girls aloud.mp3
preview-t-3545425-theme godfather.mp3
t-3545425-bentley bizzle.mp3
t-3545425-dx vs randi orton 2007.mpg
t-3545425-haloween special.mp3
t-3545425-just got lucky.mp3
t-3545425-lion king portugues.mpg
t-3545425-los padres de ella.mpg
t-3545425-para sayo freestyle.mp3
t-3545425-peanut butter jelly amende.mp3
t-3545425-stare at sun thrice.mp3
t-3545425-suicide bride dana.mp3
t-3545425-wayne and jane.mp3
If users agree to download and run PLAY_MP3.exe (detected as Generic PUP.a with McAfee DAT files), a 4,800-word EULA is displayed.

Notable parts of the EULA include:
(3) The Licensed Materials you install will also include/be bundled with the following 3rd Party software products:
PRODUCT Mirar AND EULA http://policy.getmirar.com/
And my favorite:
22. Effective: January 14, 2007.
END OF DOCUMENT
NetNucleus Privacy Policy/EULA
This End User License Agreement (the “Agreement”) is a legal agreement between you and NetNucleus Corp.
Does END OF DOCUMENT mean you can ignore the rest? Gotta love it when a “vendor” expects their “customers” to read a EULA that they themselves did not seem to read!
If you agree to the EULA and choose to proceed, the adware “FBrowsingAdvisor” and “SurfingEnhancer” are installed as described in the EULA. I especially like the directory name used by the developer:
c:\Documents and Settings\tani\My Documents\Dreamsoft\Firefox\firefox_adware\FF-Source\Source\Release\XPCOMEvents.pdb
If Firefox is not installed, users may see an error message:

PlayMP3.exe from PlayMP3z.biz is installed, which is simply a browser control wrapped in an exe, and doesn’t actually play local MP3 files, but rather loads a webpage running the Wimpy MP3 Flash player. This page lets the user listen to a canned selection of a couple dozen songs.
In the end you’re left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads.
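A content check for the file traits described above (media extension, no real media inside, null padding), as an added example that is not part of the original post and not McAfee's detection logic. The ASF signature test follows a commenter's recollection further down that these are mislabeled ASF files; the 0.5 padding threshold and both sample files are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# ASF Header Object GUID as stored on disk (first 16 bytes of ASF/WMA/WMV files).
ASF_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
EXPECTED = {".mp3": "mp3", ".mpg": "mpg", ".mpeg": "mpg"}
# Name prefixes from the sample list in the post; names alone are weak evidence.
NAME_RE = re.compile(r"^(preview-)?t-3545425-", re.I)
PAD_THRESHOLD = 0.5  # assumption: flag when half the file or more is trailing nulls

def sniff(head: bytes) -> str:
    # Classify by leading bytes, ignoring whatever the extension claims.
    if head.startswith(ASF_GUID):
        return "asf"
    if head.startswith(b"MZ"):
        return "exe"
    if head.startswith(b"ID3") or (len(head) > 1 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0):
        return "mp3"  # ID3v2 tag or MPEG audio frame sync
    if head[:4] in (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"):
        return "mpg"  # MPEG program-stream pack or video sequence header
    return "unknown"

def trailing_nulls(path: Path, chunk: int = 65536) -> int:
    """Count zero bytes at the end of the file, reading backwards in chunks."""
    pos, count = path.stat().st_size, 0
    with path.open("rb") as f:
        while pos > 0:
            step = min(chunk, pos)
            pos -= step
            f.seek(pos)
            data = f.read(step)
            kept = len(data.rstrip(b"\x00"))
            count += len(data) - kept
            if kept:  # reached real content, stop scanning
                break
    return count

def triage(path: Path) -> dict:
    size, pad = path.stat().st_size, trailing_nulls(path)
    with path.open("rb") as f:
        kind = sniff(f.read(16))
    ext, findings = path.suffix.lower(), []
    if ext in EXPECTED and kind != EXPECTED[ext]:
        findings.append(f"type-mismatch:{ext}->{kind}")
    if size and pad / size >= PAD_THRESHOLD:
        findings.append("null-padding")
    if NAME_RE.match(path.name):
        findings.append("name-pattern")
    return {"file": path.name, "kind": kind, "pad_bytes": pad, "findings": findings}

def demo() -> list:
    samples = {  # constructed bytes for illustration, not real malware or media
        "t-3545425-constructed sample.mp3": ASF_GUID + b"\x01" * 48 + b"\x00" * 4096,
        "ordinary song.mp3": b"ID3\x03\x00" + b"\xff\xfb\x90\x64" * 256,
    }
    with tempfile.TemporaryDirectory() as d:
        out = []
        for name, blob in samples.items():
            (Path(d) / name).write_bytes(blob)
            out.append(triage(Path(d) / name))
    return out

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Because file names are easy to regenerate, the type mismatch and padding findings carry the weight here; the name pattern only corroborates them.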

May 6th, 2008 at 17:28
[...] Avert Labs reported Tuesday the most significant malware outbreak in three years with more than 500,000 detections of a [...]
May 7th, 2008 at 01:06
[...] directed to a file named “Play_mp3.exe”,” explained Craig Schmugar of McAfee Avert Labs in a blog entry. The supposed MP3 player, however, is adware as well as a [...]
May 7th, 2008 at 03:13
[...] full list of names can be found on the relevant McAfee page. As it says itself, although it has also seen in the [...]
May 7th, 2008 at 03:25
[...] Earlier we blogged about Fake MP3s Running Rampant, mostly on P2P networks, such as Limewire. I took some time to create a video clip showing what the [...]
May 7th, 2008 at 03:34
[...] more than 360,000 computers with the trojan reported. In the “McAfee Alert Labs Blog”, Craig Schmugar gives details on the trojan and already known file names of the malware [...]
May 7th, 2008 at 03:54
Oh my gosh what will these hackers think of next!
May 7th, 2008 at 05:03
[...] of McAfee warn of the appearance on peer-to-peer networks of a large number of [...]
May 7th, 2008 at 05:08
[...] McAfee Avert Labs blog it is possible to consult the complete list with the names of the compromised music and video files [...]
May 7th, 2008 at 05:42
[...] pm on May 7, 2008 | # | McAfee that a major new outbreak is infecting computers using P2P clients. [VIA] [...]
May 7th, 2008 at 05:49
[...] avoid the site: fastmp3player (dot ) com Avert Medium Threat Advisory — Fake MP3 malware attacks http://www.avertlabs.com/research/blog/index.php/2008/05/06/fake-mp3s-running-rampant/ http://www.avertlabs.com/research/blog/index.php/2008/05/07/yet-even-more-fake-media-files/ [...]
May 7th, 2008 at 07:05
Isn’t this really a case of the P2P being detected through user updates, i.e. they were previously infected, rather than it ‘spreading’?
I believe this was seeded some time ago, and the generic DAT (update) has been reporting it (and slightly differing versions of the ‘same’ code) since the update made it possible to detect.
It’s a shame we cannot see if the machine WAS previously infected, or indeed if the update prevented infection.
Lee
May 7th, 2008 at 07:12
You really need to explain this better.
Are these exe files taking advantage of hidden extensions to fool naive users? I didn’t think so but many people are assuming that’s what’s going on here and consequently assuming they can detect these if they have their extensions showing.
Or is this just a WMP vulnerability? If someone uses Winamp or some other non-WMP player can this affect them? I suspect not.
May 7th, 2008 at 08:36
[...] McAfee, which detected the virus, reports that one of the fake files bears the name preview-t-3545425-changing times earth wind.mp3 and t-3545425-just got lucky.mp3; other names and details of the virus can be found here [...]
May 7th, 2008 at 09:36
[...] A blog posting by McAfee Avert Labs threat researcher Craig Schmugar, explaining the threat in greater detail, can be found here. [...]
May 7th, 2008 at 09:52
[...] Further information and a screen animation can be found in the McAfee Avert Labs Blog. [...]
May 7th, 2008 at 10:40
[...] Fake file names include: preview-t-3545425-changing times earth wind .mp3 and t-3545425-just got lucky.mp3. Schmugar listed more filenames, as well as details on the adware, in a Tuesday blog posting. [...]
May 7th, 2008 at 11:17
[...] of the "fake" music files, the virus specialists at McAfee have in their AVERT Labs Blog [...]
May 7th, 2008 at 13:09
[...] Link: Post on Craig Schmugar’s blog [...]
May 7th, 2008 at 13:37
Pretty neat trick but I guess people need to update their virus scanners…
May 8th, 2008 at 01:50
[...] days ago the antivirus company McAfee discovered a new trojan, Downloader-UA.h, which is spreading quite [...]
May 8th, 2008 at 03:10
[...] reported that Downloader-UA.h trojan is present in hundreds of media files that were uploaded to file-swapping services during the last weekend. Limewire and eDonkey were the [...]
May 8th, 2008 at 03:15
[...] Fraudsters have begun using MP3 files to distribute advertising. May 8th, 2008 − Сумы.biz. Specialists at McAfee warn of the appearance on peer-to-peer networks of a large number of fake MP3 files, with which fraudsters are trying to distribute software for displaying advertising. As PC World reports, citing statements by McAfee expert Craig Schmugar, the malicious files may at first glance look like ordinary tracks saved in MP3 format. In reality, such files contain a trojan program that offers to download and install a certain media player. If the potential victim agrees to install the application, a user agreement (EULA) is displayed on screen, after which the programs Mirar and NetNucleus are installed on the PC. The user then begins to be shown advertising banners. McAfee stresses that the fake MP3 files have various names and sizes. The trojans, in particular, are contained in files whose names begin with the character sequences “preview-t-3545425-” and “t-3545425-”. Moreover, analysis of statistics from McAfee antivirus scanners showed that in just a few days more than 350 thousand notifications of detection of malicious “tracks” were generated. How many Internet users have suffered from the cybercriminals’ actions is not yet clear. Details [...]
May 8th, 2008 at 03:28
[...] warning about malicious software hiding in media files. Currently, McAfee says the number of infections by MP3 files carrying the trojan has exceeded 360,000 machines [...]
May 8th, 2008 at 03:37
I’m confused. How does a download link on Limewire that shows a .mpg extension result in a download of a .exe file?
May 8th, 2008 at 04:14
[...] Here are some of the names on the list: http://www.avertlabs.com/research/blog/index.php/2008/05/06/fake-mp3s-running-rampant/ [...]
May 8th, 2008 at 05:05
My computer was infected with webHancer malware last week. Got it through Limewire trying to get some games! It was masquerading as a .exe in a .zip file. Same behaviour though – uncontrollable popups.
May 8th, 2008 at 07:38
[...] At the same time, McAfee is cautioning that it’s seen an increase in fake MP3 files being used to carry dangerous code. A security expert with the company claims 360,000 users have had problems in the past days. You can find a list of the problematic filenames to avoid on the McAfee Labs Blog. [...]
May 8th, 2008 at 08:34
If I remember correctly these are mislabeled ASF files. ASF and Quicktime files have a feature that allows opening a URL (or even multiple) in the web browser. There are all sorts of spammers who are abusing this feature. Don’t blame P2P. Blame Apple and Microsoft for adding such dangerous features to audio and video containers. There is no reason in hell that such a file should be able to trigger accessing a URL.
May 8th, 2008 at 08:40
One more piece of information: These files were mainly spread through servers hosted at FortressITX (65.98.0.0/17): 65.98.59.242 and 65.98.61.242. LimeWire has actually banned the complete range for quite some time. Even less reason to blame them. Either the infected users, use something else or some rip-offs that are already infected with trojans and adware right away or otherwise outdated software.
May 8th, 2008 at 08:44
And by the way, giving the filenames is absolutely pointless. Spammers have been using generated filenames and also ripped filenames from torrent index sites and the like for a long time. There are very likely hundreds of thousands of different filenames for the same file.
May 8th, 2008 at 10:42
[...] The security company McAfee has reported one of the largest “malware outbreaks” of the last three years, with more than 500,000 [...]
May 8th, 2008 at 10:45
[...] Here are some of the samples names that we’ve seen. Many many other file names are surely floating around on P2P networks. File sizes vary as these files are padded with nulls. (link) [...]
May 8th, 2008 at 13:03
[...] Thursday, May 8, 2008 at 19:03 · Filed under Market Those of you who might hypothetically find yourselves surfing around on LimeWire searching for the latest in free, legal, P2P downloads may want to pay a bit more attention to the files you download. According to Craig Schmugar at McAfee’s Avert Labs, there’s a new trojan (Downloader-UA.h) on the loose that’s masquerading as an MP3 or MPG file. The list of infected files below was originally compiled by Schmugar, and it’s not a bad idea to check them out if you regularly search for “user-created” video. Not that any of you actually do that sort of thing, of course, but you might know someone who does. Err, did. Back in the 90s. (more here and here) [...]
May 9th, 2008 at 15:58
[...] according to data from McAfee’s Avert Labs cited by Craig Schmugar on the antivirus software company’s blog (via Information Week), in recent days the trojan was [...]
May 9th, 2008 at 20:56
[...] Beware files sharing! Fake mp3 files running rampant, and many of them contain a trojan horse. [...]
May 10th, 2008 at 10:45
[...] MP3 player plus pop-up adware products, as first reported on May 6, 2008 by the McAfee Avert Labs, here. McAfee call this ‘rampant’ we call it a drop in the bucket (based on the true numbers [...]
May 11th, 2008 at 01:54
[...] “Once you run the file, it has no content. You are taken to a site to install a ‘player’ that you really don’t need,” he said. The fake file names include: preview-t-3545425-changing times earth wind.mp3 and t-3545425-just got lucky.mp3. Schmugar listed more file names, as well as details of the adware, in a post on his blog. [...]
May 12th, 2008 at 01:18
…..yet another reason why you should own a mac. hah
May 12th, 2008 at 08:53
[...] reportedly raking up numbers of victims on the Web. It was initially reported by McAfee in their blog and gained attention after it was deemed worthy of a “medium” threat level by the said security [...]
May 13th, 2008 at 16:00
[...] tells them to download another file to operate it, that other file was Downloader-UA.h. Take a look here to see a small list of the files that direct you to download the trojan and ways to know that you [...]
May 13th, 2008 at 16:54
My computer stopped working after I tried to open my Limewire. I think one of the music or video tracks had this trojan because my Anti-Virus noted a trojan but couldn’t get rid of it. Does anyone know how to get rid of it yet?
May 13th, 2008 at 17:04
This will be all over Hulu in a few days. And that will infect a lot of people.
May 13th, 2008 at 21:36
Your print is so itsy bitsy I cannot read this page without copying it to a WP and enlarging it, and I have 20/20 corrected vision. Some of us aren’t 30 anymore. Please make your print larger.
May 14th, 2008 at 00:10
[...] incorporates all manner of potential file names. Though the BBC story includes a half-dozen, the real list of names is exhaustive to the point where it would make little sense including it here. It’s likely that that list [...]
May 14th, 2008 at 06:56
[...] have reported that trojans are hiding in MP3 files (there’s a really great and informative blog post on the site by the [...]
May 14th, 2008 at 14:00
OK, so we know about the files, but how do I get them off!!! I was dumb and downloaded one. I was completely unaware but learned my lesson!! My computer is going nuts. Are there any known files I can delete to fix this? I’ve never dealt with this before… I’ve never had a virus or spyware or anything before… but I am getting an antivirus program when I find a good one.
May 15th, 2008 at 00:55
[...] the fake MP3s spread by such programs pose a danger to many users. According to research conducted by McAfee, of the 360,000 virus scans performed in the last few days [...]
June 5th, 2008 at 00:52
[...] http://www.avertlabs.com/research/bl…unning-rampant [...]
August 1st, 2008 at 03:09
[...] McAfee researcher Craig Schmugar makes further technical details on the threat available: http://www.avertlabs.com/research/blog/index.php/2008/05/06/fake-mp3s-running-rampant/ [...]
August 22nd, 2008 at 16:41
Nice article. McAfee I always had to find workarounds instead of using margins. Margins are so much easier than wrapping 2-3 extra divs together and adjusting paddings etc. So, THANK YOU
September 4th, 2008 at 03:22
[...] McAfee reckons miscreants loaded hundreds of rigged MP3 and MPEG files onto popular file-swapping services such as Limewire and eDonkey. The files are all named differently (in multiple languages) and vary in size in order to make them appear like legitimate music or video files. Attempting to play one of the malicious files will trigger the download of an application named “PLAY_MP3.exe” that serves ads onto infected Windows PCs. McAfee rates the threat “medium” risk. No other malware has received that risk rating since 2005. It advises consumers to adopt safe surfing practices, such as running up-to-date security software and taking care in downloading content from untrusted sources to avoid getting hit. A blog posting by McAfee Avert Labs threat researcher Craig Schmugar, explaining the threat in greater detail, can be found here. [...]
October 29th, 2008 at 22:01
McAfee Avert Labs reports of more than 600,000 VirusScan Online users detecting an executable trojan in what it calls the most significant malware outbreak since 2005.
Every file-sharer is hopefully well aware of the dangers of unknown executable files. The importance of this knowledge was proved again recently following a report on the McAfee Avert Labs blog that more than 600,000 McAfee VirusScan Online users detected a Trojan horse masquerading as a media file on a number of P2P and file-sharing networks.
Called the most significant malware outbreak since 2005, some 28% of the 2 million plus PCs scanned in the past 7 days are reported to be infected with the Trojan referred to as Downloader-UA.h.
——————————————————–
randall
SEO
November 7th, 2008 at 10:53
I got a virus from an MP3 of a Taravella HS Jazz Band playing Pinocchio.
kp
November 10th, 2008 at 05:42
Fake file names include: preview-t-3545425-changing times earth wind .mp3 and t-3545425-just got lucky.mp3. Schmugar listed more filenames, as well as details on the adware, in a Tuesday blog posting.
Users are first asked to OK an end-user license agreement before the Trojan installs the Mirar toolbar and two other components, called FBrowsingAdvisor & SurfingEnhancer.