Downloader-UA.h
- Type: Trojan
- SubType: Downloader
- Discovery Date: 05/02/2008
- Length: various
- Minimum DAT: 5287 (05/02/2008)
- Updated DAT: 5423 (11/03/2008)
- Minimum Engine: 5.1.00
- Description Added: 05/02/2008
- Description Modified: 05/06/2008 5:45 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Medium
Characteristics
Downloader-UA.h trojans are fake music and video files associated with fastmp3player.com.
File sizes vary because these files are padded with nulls. The file names vary as well. Here are some sample file names:
preview-t-3545425-adult.mpg
preview-t-3545425-changing times earth wind .mp3
preview-t-3545425-girls aloud st trinnians.mp3
preview-t-3545425-heartbroken fast t2 ft jodie.mp3
preview-t-3545425-jij bent zo jeroen van den.mp3
preview-t-3545425-meet bambi in kings harem.mp3
preview-t-3545425-middle eastern chick.mpg
preview-t-3545425-paint me bunmingham.mp3
preview-t-3545425-paralyized by you.mp3
preview-t-3545425-pull over levert.mp3
preview-t-3545425-say it right remix.mp3
preview-t-3545425-st trinnians girls aloud.mp3
preview-t-3545425-theme godfather.mp3
t-3545425-bentley bizzle.mp3
t-3545425-dx vs randi orton 2007.mpg
t-3545425-haloween special.mp3
t-3545425-just got lucky.mp3
t-3545425-lion king portugues.mpg
t-3545425-los padres de ella.mpg
t-3545425-para sayo freestyle.mp3
t-3545425-peanut butter jelly amende.mp3
t-3545425-stare at sun thrice.mp3
t-3545425-suicide bride dana.mp3
t-3545425-wayne and jane.mp3
When a user attempts to load one of these MP3 and MPG files, they do not get the music/video they were hoping for; instead they are directed to download a file named PLAY_MP3.exe. In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip whatsoever.
If users agree to download and run PLAY_MP3.exe (detected as Generic PUP.a with McAfee DAT files), a 4,800 word EULA is displayed.

If the users agree to the EULA and choose to proceed, the adware "FBrowsingAdvisor" and "SurfingEnhancer" are installed as described in the EULA.
If Firefox is not installed, users may see an error message.

PlayMP3.exe from PlayMP3.biz, which is installed, is simply a browser control wrapped in an exe, and doesn’t actually play local MP3 files, but rather loads a webpage running the Wimpy MP3 Flash player. This page lets the user listen to a canned selection of a couple dozen songs.
Symptoms
- File names matching those listed above
- The EULA described above is displayed
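The two file-level indicators described above (the "t-3545425-" naming scheme and null padding) can be checked mechanically, for example over a P2P shared folder. The following Python check is an added example, not part of the original description; the 50% null-byte threshold, the function names and the three sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Naming scheme from the sample list: optional "preview-", fixed "t-3545425-", title, media ext.
NAME_RE = re.compile(r"^(?:preview-)?t-3545425-.+\.(?:mp3|mpg)$", re.IGNORECASE)
MEDIA_EXT = {".mp3", ".mpg"}
NULL_RATIO = 0.5  # assumed threshold: at least half the file is 0x00 padding

def null_ratio(path, chunk_size=1 << 16):
    """Fraction of the file's bytes that are 0x00, read in chunks."""
    total = nulls = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            total += len(chunk)
            nulls += chunk.count(0)
    return nulls / total if total else 0.0

def triage(path):
    """Return the reasons a file resembles the fake media files described here."""
    path = Path(path)
    reasons = []
    if NAME_RE.match(path.name):
        reasons.append("name")
    if path.suffix.lower() in MEDIA_EXT and null_ratio(path) >= NULL_RATIO:
        reasons.append("null-padding")
    return reasons

def scan(root):
    """Walk a directory tree and map each flagged file name to its reasons."""
    files = sorted(p for p in Path(root).rglob("*") if p.is_file())
    return {p.name: r for p in files if (r := triage(p))}

def demo():
    """Scan three constructed files: a named decoy, a renamed decoy, a dense file."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "t-3545425-just got lucky.mp3": b"HDR" * 100 + b"\x00" * 4096,
            "holiday mix.mp3": b"HDR" * 100 + b"\x00" * 4096,
            "real song.mp3": bytes(range(1, 256)) * 16,
        }
        for name, data in samples.items():
            (Path(d) / name).write_bytes(data)
        return scan(d)

if __name__ == "__main__":
    print(demo())
```

The null-padding check still flags a decoy that has been renamed. A hit is a reason to scan the file with current DAT files, not a verdict by itself.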
Method of Infection
Downloader-UA.h trojans are propagated through P2P networks.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
--- Update May 6th, 2008 ---
Due to an increase in prevalence being seen by our VirusScan Online customers, the risk assessment of this threat was upgraded to Medium for Home Users and Low-Profiled for Corporate Users.