New Trojan Masquerades as Free MP3 Player

More than 500,000 users have detected new threat

Dark Reading Staff, Dark Reading

May 7, 2008

1 Min Read

A new, fast-spreading Trojan has been detected in more than 500,000 machines in just the last few days, McAfee Avert Labs researchers reported yesterday.

The Trojan, called Downloader-UA.h, appears to the user as a free MP3 player and/or free music files.

"When a user attempts to load one of these MP3 and MPG files, they don’t get the music/video they were hoping for -- instead they’re directed to download a file named PLAY_MP3.exe," McAfee Avert Labs said in a blog. "In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip whatsoever."

In some cases, the user may click on the free MP3 ad and get a fake end user license agreement, McAfee says. If the user agrees to the "license," PlayMP3.exe from is installed.

"This is simply a browser control wrapped in an [executable file], and doesn’t actually play local MP3 files, but rather loads a Webpage running the Wimpy MP3 Flash player," McAfee says. "This page lets the user listen to a canned selection of a couple dozen songs." Unfortunately, the user also ends up with a bunch of hidden adware, McAfee says.

The Trojan has been detected by more than a third of McAfee's users, the blog says.

"In the end you’re left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads," the researchers say.

— Tim Wilson, Site Editor, Dark Reading

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights