Fake MP3 Trojan Detected On 27% Of PCs

McAfee Avert Labs says more than half a million of the adware programs disguised as media files have been detected in less than a week.
Since Friday, more than half a million Trojan horse programs disguised as media files have been detected on consumer PCs, according to McAfee Avert Labs.

"This is one of the most prevalent pieces of malware in the last three years," said Craig Schmugar, a McAfee Avert Labs researcher, in an e-mailed statement. "We have never before had a threat this significant that arrives as a media file."

The Trojan malware, Downloader-UA.h, was added to the McAfee database several days ago. In the past 24 hours, it has been detected by McAfee VirusScan Online on more than 119,000 computers out of almost 436,000 scanned, an infection rate of 27%. Other malware McAfee is tracking exhibits an infection rate in the 1% to 5% range.

The malware does not affect computers running Mac OS X.

The malicious media files appear to be either MP3 audio files or MPEG video files and can be found on file-sharing services like LimeWire and eDonkey. McAfee believes they were placed there by cybercriminals.

When a user tries to play one of the infected media files, he or she is prompted to download a file called PLAY_MP3.exe, Schmugar explained in a blog post. The file does not contain music or video as advertised. Rather, the Trojan program -- Downloader-UA.h -- presents users with an end-user license agreement. If the user agrees to the terms set forth in the 4,800-word EULA, he or she consents to the installation of NetNucleus' Mirar Toolbar adware, and the Trojan downloads the adware "FBrowsingAdvisor" and "SurfingEnhancer," which serve pop-up and pop-under ads.

"In the end you're left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads," Schmugar wrote.

In December 2006, NetNucleus threatened to sue security company Sunbelt Software for categorizing its Mirar software as adware. Mirar, the company insisted in a letter, "is a bona fide search tool that collects keywords from Web sites to direct users towards similarly themed sites." A month later, Sunbelt's attorney responded, insisting in a letter that Mirar's designation as adware was accurate.

Editors' Choice
Ericka Chickowski, Contributing Writer, Dark Reading
Lorna Mitchell, Head of Developer Relations, Aiven