Detection of a trojan named Downloader-UA.h was added to the McAfee DAT files several days ago. Since that time more than 360,000 McAfee VirusScan Online users have reported detections, a whopping 32% of those reporting in the past 24 hours alone. Now Downloader-UA.h is not your everyday trojan, this detection covers fake music and video files associated with fastmp3player.com.
When a user attempts to load one of these MP3 and MPG files, they don?t get the music/video they were hoping for; instead they?re directed to download a file named PLAY_MP3.exe. In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip what so ever.
Here are some of the samples names that we?ve seen. Many many other file names are surely floating around on P2P networks. File sizes vary as these files are padded with nulls.
preview-t-3545425-adult.mpg
preview-t-3545425-changing times earth wind .mp3
preview-t-3545425-girls aloud st trinnians.mp3
preview-t-3545425-heartbroken fast t2 ft jodie.mp3
preview-t-3545425-jij bent zo jeroen van den.mp3
preview-t-3545425-meet bambi in kings harem.mp3
preview-t-3545425-middle eastern chick.mpg
preview-t-3545425-paint me bunmingham.mp3
preview-t-3545425-paralyized by you.mp3
preview-t-3545425-pull over levert.mp3
preview-t-3545425-say it right remix.mp3
preview-t-3545425-st trinnians girls aloud.mp3
preview-t-3545425-theme godfather.mp3
t-3545425-bentley bizzle.mp3
t-3545425-dx vs randi orton 2007.mpg
t-3545425-haloween special.mp3
t-3545425-just got lucky.mp3
t-3545425-lion king portugues.mpg
t-3545425-los padres de ella.mpg
t-3545425-para sayo freestyle.mp3
t-3545425-peanut butter jelly amende.mp3
t-3545425-stare at sun thrice.mp3
t-3545425-suicide bride dana.mp3
t-3545425-wayne and jane.mp3
If users agree to download and run PLAY_MP3.exe (detected as Generic PUP.a with McAfee DAT files) a 4,800 word EULA is displayed.
Notable parts of the EULA include:
(3) The Licensed Materials you install will also include/be bundled with the following 3rd Party software products:
PRODUCT Mirar AND EULA
http://policy.getmirar.com/
And my favorite:
22. Effective: January 14, 2007.
END OF DOCUMENT
NetNucleus Privacy Policy/EULA
This End User License Agreement (the ?Agreement?) is a legal agreement between you and NetNucleus Corp.
Does END OF DOCUMENT mean you can ignore the rest? Gotta love it when a ?vendor? expects their ?customers? to read a EULA that they themselves did not seem to read!
If you agree to the EULA and choose to proceed, Adware ?FBrowsingAdvisor? and ?SurfingEnhancer? is installed as described in the EULA. I especially like the directory named used by the developer:
c:\Documents and Settings\tani\My Documents\Dreamsoft\Firefox\firefox_adware\FF-Source\Source\Release\XPCOMEvents.pdb
If Firefox is not installed users may see an error message:
PlayMP3.exe from PlayMP3z.biz is installed, which is simply a browser control wrapped in an exe, and doesn?t actually play local MP3 files, but rather loads a webpage running the Wimpy MP3 Flash player. This page lets the user listen to a canned selection of a couple dozen songs.
In the end you?re left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads.
This entry was posted on Tuesday, May 6th, 2008 at 12:08 pm and is filed under Malware Research, Potentially Unwanted Programs. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
16 Responses to ?Fake MP3s Running Rampant?
Blast - McAfee identifies ?Downloader-UA.h,? first medium risk malware in three years - The Online Magazine Says:
May 6th, 2008 at 5:28 pm
[?] Avert Labs reported Tuesday the most significant malware outbreak in three years with more than 500,000 detections of a [?]
Computer Security Research - McAfee Avert Labs Blog Says:
May 7th, 2008 at 3:25 am
[?] Earlier we blogged about Fake MP3s Running Rampant, mostly on P2P networks, such as Limewire. I took some time to create a video clip showing what the [?]
Rigged Vid?s on LimeWire « Ladgeful Says:
May 7th, 2008 at 5:42 am
[?] pm on May 7, 2008 | # | McAfee that a major new outbreak is infecting computers using P2P clients. [VIA] [?]
Avert Medium Threat Advisory -- Fake MP3 malware attacks - Harry Waldron - Microsoft MVP Blog Says:
May 7th, 2008 at 5:49 am
[?] avoid the site: fastmp3player (dot ) com Avert Medium Threat Advisory ? Fake MP3 malware attacks
http://www.avertlabs.com/research/blog/ ... g-rampant/ http://www.avertlabs.com/research/blog/ ... dia-files/ [?]
Avert Medium Threat Advisory -- Fake MP3 malware attacks - Harry Waldron - My IT Forums Blog Says:
May 7th, 2008 at 5:50 am
[?] avoid the site: fastmp3player (dot ) com Avert Medium Threat Advisory ? Fake MP3 malware attacks
http://www.avertlabs.com/research/blog/ ... g-rampant/ http://www.avertlabs.com/research/blog/ ... dia-files/ [?]
![View Torrent Info: [ 18] Los.Ritos.Sexuales.Del.Diablo.1982.720p.BRRip.x264.AAC-ETRG](http://images4et.com/images/torrents/5302506.jpg)
![View Torrent Info: The.Exorcist.S01E08.WEB-DL.x264-FUM[ettv]](http://images4et.com/images/torrents/5302320.jpg)
![View Torrent Info: Van.Helsing.S01E10.WEB-DL.x264-FUM[ettv]](http://images4et.com/images/torrents/5302322.jpg)
![View Torrent Info: Z.Nation.S03E10.WEB-DL.x264-FUM[ettv]](http://images4et.com/images/torrents/5302317.jpg)
![View Torrent Info: The.Vampire.Diaries.S08E05.HDTV.x264-LOL[ettv]](http://images4et.com/images/torrents/5301863.jpg)
![View Torrent Info: Force 2 (2016) 720p - DesiSCR - x264 - AC3 - [DDR]](http://images4et.com/images/torrents/5302025.jpg)
![View Torrent Info: Tum Bin 2 (2016) DesiSCR 1CDRIP x264 AAC [DDR]](http://images4et.com/images/torrents/5302495.jpg)
