Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 6th, 2008

Fake MP3 Files Infect With Trojan And Install Adware

Recently discovered trojan detected by McAfee as Downloader-UA.h has been reported by more than 360,000 McAfee VirusScan Online users, 32% of those reporting in the past 24 hours. Downloader-UA.h offers fake music and video files associated with When users attempt to load one of these MP3 and MPG files, they’re directed to download a file named PLAY_MP3.exe. The MP3/MPG file they download is completely fake, playing no media clip what so ever. Here are some of the samples names of those fake files. Many other file names are floating around on P2P networks.

File sizes vary as these files are padded with nulls. Some of the files names are:

preview-t-3545425-changing times earth wind .mp3
preview-t-3545425-girls aloud st trinnians.mp3
preview-t-3545425-heartbroken fast t2 ft jodie.mp3
preview-t-3545425-jij bent zo jeroen van den.mp3
preview-t-3545425-meet bambi in kings harem.mp3
preview-t-3545425-middle eastern chick.mpg
preview-t-3545425-paint me bunmingham.mp3
preview-t-3545425-paralyized by you.mp3
preview-t-3545425-pull over levert.mp3
preview-t-3545425-say it right remix.mp3
preview-t-3545425-st trinnians girls aloud.mp3
preview-t-3545425-theme godfather.mp3
t-3545425-bentley bizzle.mp3
t-3545425-dx vs randi orton 2007.mpg
t-3545425-haloween special.mp3
t-3545425-just got lucky.mp3
t-3545425-lion king portugues.mpg
t-3545425-los padres de ella.mpg
t-3545425-para sayo freestyle.mp3
t-3545425-peanut butter jelly amende.mp3
t-3545425-stare at sun thrice.mp3
t-3545425-suicide bride dana.mp3
t-3545425-wayne and jane.mp3

If you agree to download and run PLAY_MP3.exe (detected as Generic PUP.a by McAfee) a 4,800 word EULA agreement is displayed. If you agree to the EULA and choose to proceed, Adware “FBrowsingAdvisor” and “SurfingEnhancer” is installed. The directory name on your computer will be:

C:Documents and SettingstaniMy DocumentsDreamsoftFirefoxfirefox_adwareFF-ourceSourceRelease

If Firefox is not installed, users will see an error message.

PlayMP3.exe that is installed from is simply a browser control wrapped in an exe, and doesn’t actually play local MP3 files, but loads a web page running the Wimpy MP3 Flash player. This page lets the user listen to a canned selection of a couple dozen songs.

In the end you’re left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads.

Share this item with others:

More on CyberInsecure:
  • Sony USA PlayStation Website SQL Injected And Redirects Visitors To Fake Anti-Virus Scam
  • Government .gov Domains DNS Hijacked, Point To Adult Content And Push Adware
  • Lame Malware Attempts To Stop Global Music Piracy
  • Skype Eavesdropping Trojan Code Released By Developer
  • Fake Shooting Scam Installs Trojan

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Fake MP3 Files Infect With Trojan And Install Adware

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.