Downloader-UA.h

There have been a couple of virus warnings in the news today:
Half a million infections of latest Trojan (MSN)
Fake media file snares PC users (BBC)

The basic gist is that there are fake mp3/mpeg files circulating on peer-to-peer filesharing networks. I.e. if you use a program like LimeWire to download a music file or video clip, you may not actually get what you thought. Instead, when you try to play the file, it installs adware on your machine.

I’m sure that I’ll have several people contacting me about this tomorrow, so how bad is it?

The news reports have given examples of the filenames. However, according to McAfee: “File sizes vary as these files are padded with nulls. The file names varies as well.” So, there’s no point in forwarding around the current list and saying “Avoid these files!” Instead, be careful about all the files you download. (That’s the standard advice I give for hoaxes, but it applies to a genuine virus like this as well.)

McAfee updated their virus signatures yesterday (7th May 2008), so all the machines at my company are protected against it, and I’d hope that other anti-virus software can recognise it too. So, as long as you’re up to date, you should be fine (at least for this virus).

I’m not quite clear on how it works; the various websites I’ve been to only talk about what it does. There’s a video of the virus in action here:


Downloader-UA.h Trojan Demo from Schmooog on Vimeo.

Schmooog (the video guy) starts by downloading a file from LimeWire, which is called something like “American Pie Full Movie DVD.mpg”. However, it’s only 77 Kb, so it downloads almost instantly: this should make you suspicious, since a full length movie would be much bigger (gigabytes) and take a lot longer to download.

When he opened this file in Media Player, it gave him a warning message: “The file you are attempting to play has an extension that does not match the file format. Playing the file may result in unexpected behavior.” He was then prompted to download a file (play_mp3.exe), and he had to run that program to install the software, and accept the EULA. I’m not saying that it’s legit, but it’s hardly stealthy either; if you cancel the (second) download, you’ll be safe.

So, is the original file an application which pretends to be an mp3/mpg file, or is it really a data file that somehow lures you to the fastmp3player.com website?

If you’ve told Windows to hide extensions for known file types (the default behaviour) then “Movie.mpg.exe” will appear as “Movie.mpg”. However, it looks as if he has file extensions turned on, based on his Documents menu (e.g. there are “.txt” and “.inf” suffixes for other files), so I don’t think that’s the case here. Also, there wouldn’t be any advantage to a 2 step process: the people behind this could simply distribute play_mp3.exe directly (with a false name) rather than using this other file that prompts you to download it.

So, I’m guessing that it’s a different type of data file, but I don’t know whether the same thing would happen in a different application (e.g. iTunes). For that matter, although play_mp3.exe is probably Windows specific, would the original download be triggered on other platforms, if it’s described as a new codec or something? If anyone can try it out on a Unix box, I’d be interested to hear what happens.

I’m also not sure whether the installation is machine-wide or user-specific. It may well be that if you’re running as a limited user then you’ll be safe from this. (Again, that’s a good idea as a general precaution.)

All in all, I’d say that there’s no need to panic, but make sure you read any message boxes carefully rather than hitting “OK” as a reflex.

Edit: It looks as if the malicious files are using URL scripts, which tell Media Player to go to a particular website. This was reported as a potential vulnerability in 2002, and Microsoft have updated Media Player to change the default behaviour.

Leave a Reply

Your email address will not be published. Required fields are marked *