Yet Even More Fake Media Files
Wednesday May 7, 2008 at 3:25 am CST
Posted by Craig Schmugar
Earlier we blogged about Fake MP3s Running Rampant, mostly on P2P networks such as Gnutella (used by LimeWire). I took some time to create a video clip showing what the infection process looks like. In doing so, hundreds of additional media files were uncovered. Most lead to the aforementioned site, freemp3player.com, but others lead to different sites distributing adware, and others still pose as codec installers that, when run, display fake error messages and download and silently install tons of files, including many different adware packages, such as:
Adware-BB
Adware-Beginto
Adware-Isearch
Adware-Mirar
Adware-SrchExplorer
Adware-Zeno
Domains linked to from the media files include:
mediaprovider . info
missing-codecs . com
seonomad . com
vidscentral . net
While the demo below shows that users must accept a EULA before proceeding, others contain no EULA.
– Update May 7 –
Adding some answers for questions that we’ve received.
These “MP3” files are in fact ASF files that instruct media players such as Windows Media Player to navigate to a specified URL (via the default HTTP protocol handler, i.e. the default browser). Not all media players support this functionality.
Our detection rates are based on a segment of VirusScan consumers who have opted-in to reporting their detections to McAfee. Approximately 500,000 unique systems have reported having these Trojan media files on their PCs over the last few days. However, the number of those systems that have downloaded the adware installer from fastmp3player.com during this period is less than 10% (< 50,000).
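The triage logic below is an added example, not code from the post or from McAfee: it flags a file whose name says MP3 but whose bytes carry the ASF header GUID and the ASF URLANDEXIT script-command name (both values from the public ASF specification, not from the post), and applies the file-size rule of thumb discussed in the comments. The sample files are constructed inline.

```python
# Heuristic triage for "MP3" files that are really ASF files carrying a URL
# script command. ASF_HEADER_GUID and the URLANDEXIT command name come from
# the public ASF specification (assumed here, not quoted from the post).
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
# ASF script command type names are stored as UTF-16LE strings. Only the
# URLANDEXIT name is matched: plain "URL" also appears in harmless metadata
# attributes and would need a full object parser to match safely.
URL_COMMANDS = ("URLANDEXIT".encode("utf-16-le"),)
SMALL_MEDIA_BYTES = 1_000_000  # commenters' rule of thumb: a real song is a few MB

def looks_like_mp3(data: bytes) -> bool:
    """True if data starts with an ID3v2 tag or an MPEG audio frame sync."""
    if data[:3] == b"ID3":
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0

def assess_media_file(filename: str, data: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    is_asf = data[:16] == ASF_HEADER_GUID
    findings = []
    if ext == "mp3" and not looks_like_mp3(data):
        findings.append("no_mp3_signature")
    if is_asf and ext not in ("asf", "wmv", "wma"):
        findings.append("asf_with_misleading_extension")
    if is_asf and any(cmd in data for cmd in URL_COMMANDS):
        findings.append("asf_url_script_command")
    if ext in ("mp3", "mpg", "avi", "wmv") and len(data) < SMALL_MEDIA_BYTES:
        findings.append("implausibly_small_for_media")
    return findings

# Constructed samples (not real files from the campaign).
FAKE_MP3 = (ASF_HEADER_GUID + b"\x00" * 16
            + "URLANDEXIT".encode("utf-16-le")
            + "http://example.invalid/install".encode("utf-16-le"))
# A plausible real MP3: ID3v2 header followed by ~1.2 MB of frame-sync bytes.
REAL_MP3 = b"ID3\x03\x00\x00" + b"\x00" * 4 + b"\xff\xfb\x90\x00" * 300_000

if __name__ == "__main__":
    for name, blob in (("song.mp3", FAKE_MP3), ("song.mp3", REAL_MP3)):
        print(name, len(blob), "bytes ->", assess_media_file(name, blob) or "clean")
```

Feed it real files with `assess_media_file(path, open(path, "rb").read())`; a hit on `asf_url_script_command` is the strongest signal, the size check alone is only a hint.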

May 7th, 2008 at 06:01
[...] attacks http://www.avertlabs.com/research/blog/index.php/2008/05/06/fake-mp3s-running-rampant/ http://www.avertlabs.com/research/blog/index.php/2008/05/07/yet-even-more-fake-media-files/ [...]
May 7th, 2008 at 09:25
Limewire is NOT a network. Limewire is a client program for the Gnutella peer-to-peer network. I wish people were more educated to know the difference between the two …
May 7th, 2008 at 11:17
Re: Limewire is NOT a network.
I know, I know. I don’t usually perpetuate such ignorance, but in this case I did as people still tend to think of “networks” based on the clients (servents).
I updated the blog text to address your point.
May 8th, 2008 at 04:08
Can you please clarify as to why or how 10% of McAfee protected computers could actually still proceed to download the malware?!
To the casual observer it appears that McAfee security software is not as secure as it needs to be, especially since the article refers to other vendors not having such a major issue with this malware.
May 8th, 2008 at 07:03
Yes, but how do you get rid of it once infected?
May 8th, 2008 at 10:44
[...] an update post, again on the Avert Labs Blog, McAfee reported having identified hundreds of other fake media files, mostly [...]
May 9th, 2008 at 00:35
I think it would have been helpful if McAfee added to its initial trojan report (that got out to all the hundreds of news sites on the net) a list of the most widespread media player software (with version numbers) that is susceptible to these malicious mp3 files. After reading about this trojan invasion most people ask themselves: is my PC at threat? How can they know?
Since Windows is the most widespread desktop OS on the market and probably the integrated Windows Media Player is the most widespread media player, it’d help a lot if the news on this Trojan would contain a version number of the player that is immune to these mp3 files.
Or is this a feature of WMP? I mean you pointed out that these are actually ASF files masquerading as MP3. I doubt that the specification of the MP3 format allows ASF content. And as such, these MP3 files are “invalid” and should be rejected by a properly implemented player. Of course I’m just guessing around … I do not know the ins and outs of MP3s that well.
May 11th, 2008 at 20:04
As someone that knew a hacker (who warned me of P2P as the next area for virus attacks), I’m not surprised that people are getting viruses this way now. Before it was email & just normal internet surfing (which in a way was harder to track). Now people are getting Kazaa & LimeWire, getting attacked, crying for help, getting their PC fixed & downloading LimeWire again. How many times will this happen before folks get the picture: Don’t download through P2P! It’s that simple!
May 12th, 2008 at 13:43
seonomad.com belongs to Daniel Boyd of bnr Associates, a professional spam business.
May 13th, 2008 at 03:45
The days of MS-DOS are long over. Filename extensions are little more than sugar, hints at best. No “properly implemented player” would reject a media format because of a misleading filename extension. The threat would be the same if these files were correctly labeled as WMV, WMA or ASF. Most users don’t look at the filename extension anyway and few know about the dangerous features of Microsoft’s (and Apple’s) media formats. The problem isn’t P2P or the misleading filename extension. The real problem is that such a feature exists and is implemented in the first place.
This is about as bad as Microsoft’s AutoRun/AutoPlay, where they reinvented the boot-sector vulnerability which had almost gone extinct along with the floppy.
May 13th, 2008 at 14:05
Roy jones jr, Sony/BMG is that you? I wouldn’t be surprised, if beyond spreading FUD you’re also giving financial support to spammers to disrupt P2P file-sharing.
May 13th, 2008 at 15:51
Good God people must be REALLY stupid to go through all those steps to get infected. They pretty much DESERVE it.
Hmm, I’m going to go ahead and download this sweet American Pie full DVD that is SEVENTY-SEVEN KILOBYTES, lol!
Then you have to agree and click OK to about 10 stupid, clearly fake install warnings.
People dumb enough to do this, enjoy.
May 13th, 2008 at 15:54
Better question is… just spent 75.00 for Norton 360… what are they doing to prevent this problem?
May 13th, 2008 at 16:11
f***ing stupid people…all you have to do is look at the file size you’re downloading…if the song is less than 1000 KB, it’s probably a virus. Look at the file size of file shown in the video, it’s only 77.4 KB. DON’T USE WINDOWS MEDIA PLAYER!!!..use winamp or foobar 2000 to play your media files.
nuff said.
May 13th, 2008 at 16:18
The key hint that the file is a virus is to look at its file size. Usually, MP3 files are about 3~5MB when downloaded. The demonstration showed the downloaded file being 77kb, which is minuscule compared to 5MB (1Mb = 1000kb). If you are going to share music to other people, look for signs like this. It could save your time and your computer.
May 13th, 2008 at 17:24
How about the BearShare P2P network… does this software also have a trojan virus or a fake mp3 file that can download like the ones described above?
May 13th, 2008 at 17:38
Honestly, what kind of utter ‘tard do you have to be to let some unknown program install all that junk on your computer? I don’t even consider it a “trojan” because it basically tells you everything it’s going to do and you click OK to let it do it.
And what ‘tard is going to download an MP3 or MPG file that’s under 100K in size?
‘Tards deserve what they get. That’s just my opinion.
May 13th, 2008 at 18:06
How Does it affect your computer
May 13th, 2008 at 18:08
HI UM ONE TIME I DOWNLOADED A VIDEO FILE FROM LIMEWIRE AND IT WAS INFECTED WITH A TROJAN HORSE MALWARE AND I DON’T KNOW WHAT TO DO SO I HAD TO DELETE IT. WHAT HAS CAUSED THIS MALWARE TO INFECT OUR FILES? I THINK IT’S TIME TO GET RID OF THOSE JUNK VIDEOS/FAKE VIDEOS/PORN VIDEOS PERIOD.
May 13th, 2008 at 18:17
Ok I am ignorant, and also scared of viruses. Can you still get this from downloading songs from limewire?
What’s the best way to be “safe” on limewire then?
May 13th, 2008 at 22:56
That video wasn’t very insightful or helpful or… anything.
May 14th, 2008 at 05:06
Um, ok, well, common sense people: downloading is dangerous. Update daily if you can, scan before opening, and check the extension and size; most mp3s are a couple of megs. If you’re really concerned about this, the best foolproof method is to take your computer off the net by unplugging the cable, then it can’t download, and if it doesn’t play, delete it. Next, to those who say don’t use P2P, I’d say that’s not the answer; nobody said stop using email when they started attacking with that. Just like in email, you have to play it smart.
May 14th, 2008 at 09:44
Those size files have been around for years. Can’t believe this is anything new.
May 14th, 2008 at 12:43
LMFAO idiots these days… why don’t they just go download SpyFalcon?
May 15th, 2008 at 16:25
I got hit, I know I’m dumb, but how do I remove this virus (fake media file)? Can someone help me?
May 24th, 2008 at 08:06
Hi, I am Daniel Boyd with bnr associates; we have suspended SEONomad.com from our network and forwarded the real owner’s information to ICANN.
Daniel
May 27th, 2008 at 03:37
I actually laughed when I saw that video, it was the most obvious invasion I’ve ever seen… I agree; if people are going to go through all those steps even after downloading a 77kb “movie” (!!!!!) then they deserve to get infected. Treat downloading files as you would treat taking candy from strangers, honestly… And Matt is correct, they’ve been around for ages, so just use your common sense. And FYI people, LimeWire in and of itself isn’t dangerous (although it’s often illegally used), it’s how you USE it that can be dangerous. Only download files of a reasonable size for their extension, and DON’T USE WMP!!!
February 3rd, 2009 at 06:01
We are only looking for the facts on this virus. No one needs to slam others who are less experienced (i.e. “.. tards get what they deserve..”).