A new type of Trojan horse malware application is hiding inside fake MP3 media files, infecting approximately 500,000 consumer PCs, McAfee Avert Labs reported. The nefarious files have been delivered primarily on peer-to-peer networks during the last several days.
The trojan, known as “Downloader-UA.h,” was added to McAfee’s DAT files about a week ago. Since then, McAfee VirusScan Online users have reported the half-million detections. The trojan hides in fake music and video files and is associated with fastmp3player.com.
“When a user attempts to load one of these MP3 and MPG files, they don’t get the music/video they were hoping for; instead, they’re directed to download a file named ‘PLAY_MP3.exe,'” reports Craig Schmugar, a researcher for McAfee Avert Labs, on the Avert Labs blog. “In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip whatsoever.”
Infected users receive an offer that purportedly will let them listen to free MP3s. They must agree to an End User License Agreement (EULA), which installs an ad-supported application.
“In the end you’re left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads,” Schmugar reports.
Thus far, operators of just 10 percent of the 500,000-plus systems with the trojan on their PCs have gone so far as to agree to the EULA and download the adware installer.
More to the Story
While the adware in this most recent report is primarily a nuisance, the delivery mechanism could transport something much nastier.
“That led us to look for more of this type of malware to see what we could find, and we did come across a couple of domains that are serving some things that are more than a nuisance,” Schmugar told TechNewsWorld.
“Another package presents itself as a codec that you have to install in order to view video that you just downloaded — or, at least, it wants you to believe that — and once you install it, you get dozens of executables coming down, lots of different downloaders. Some restrict your use of standard tools like task manager in Windows to see what’s running, or command line tools, and you get lots of other advert packages. IE starts crashing, and you start having various system problems,” he explained.
“Plus, these downloaders could be dynamically updated — they are in control of the hackers, essentially — so if they decide to put up a password-stealing trojan at a later date, they have the ability to do so,” Schmugar added.
Standard Safe Computing Practices Apply
“Keep antivirus software up-to-date and scan your machine, repair your machine if anything is found, and keep Windows up-to-date,” Schmugar advised.
“Desktop firewall products are still good. They will alert you that a program is trying to make an outbound connection — in the case of the adware, that it’s trying to connect to other servers,” he noted.
Schmugar also recommended that consumers shouldn’t download files from any untrusted source — a mantra that’s been shouted for years in the industry, it seems. For some reason, he observed, people seem to be more comfortable downloading media files than other files or executables from untrusted sources.