Free Malware Removal Forum

[Dino]

Detection of a trojan named Downloader-UA.h was added to the McAfee DAT files several days ago. Since that time more than 360,000 McAfee VirusScan Online users have reported detections, a whopping 32% of those reporting in the past 24 hours alone. Now Downloader-UA.h is not your everyday trojan, this detection covers fake music and video files associated with fastmp3player.com.

When a user attempts to load one of these MP3 and MPG files, they don’t get the music/video they were hoping for; instead they’re directed to download a file named PLAY_MP3.exe. In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip what so ever.

Here are some of the samples names that we’ve seen. Many many other file names are surely floating around on P2P networks. File sizes vary as these files are padded with nulls.

http://www.avertlabs.com/research/blog/index.php/2008/05/06/fake-mp3s-running-rampant/

[Dakeyras]

Zero bump .

[ndmmxiaomayi]

http://vil.nai.com/images/AvertBlog_FastMP3EULA.gif

This screenshot is interesting. Wonders if installing crapware is compulsory when the user agrees to download the fake files.

[ndmmxiaomayi]

A little update - http://www.avertlabs.com/research/blog/ ... dia-files/

This comes with a video to show the infection process.

These "MP3" files are in fact ASF files that instruct media players such as Windows Media Player to navigate to a specified URL (via the default HTTP protocol handler - ie. default browser).

I don't know how is that an answer.

Do I understand that those ASF files are responsible for downloading those crapwares?

[ndmmxiaomayi]

http://vil.nai.com/images/AvertBlog_FastMP3EULA.gif

This screenshot is interesting. Wonders if installing crapware is compulsory when the user agrees to download the fake files.

Answer is in the video.