
Yet Even More Fake Media Files

Wednesday, May 7, 2008 at 3:25am by Craig Schmugar

Earlier we blogged about Fake MP3s Running Rampant, mostly on P2P networks such as Gnutella, which is used by Limewire. I took some time to create a video clip showing what the infection process looks like. In doing so, hundreds of additional media files were uncovered. Most lead to the aforementioned site, freemp3player.com, but others lead to different sites distributing adware, and others still pose as codec installers that, when run, display fake error messages and download and silently install tons of files, including many different adware packages, such as:

Adware-BB
Adware-Beginto
Adware-Isearch
Adware-Mirar
Adware-SrchExplorer
Adware-Zeno

Domains linked to from the media files include:

mediaprovider . info
missing-codecs . com
seonomad . com
vidscentral . net

While the demo below shows that users must accept a EULA before proceeding, others contain no EULA.

– Update May 7 –
Adding some answers for questions that we’ve received.

These “MP3” files are in fact ASF files that instruct media players such as Windows Media Player to navigate to a specified URL (via the default HTTP protocol handler, i.e. the default browser). Not all media players support this functionality.
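A triage check for the mismatch described above, added here as an example and not part of the original post: it classifies a file by its leading bytes rather than its name, flags ASF content behind a non-ASF extension, and lists any URLs embedded in the file. The function names and the sample byte strings are constructed for illustration; the ASF header GUID is the published value from the ASF format.

```python
import re

# ASF Header Object GUID (75B22630-668E-11CF-A6D9-00AA0062CE6C) in on-disk byte order.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
ASF_EXTENSIONS = {"asf", "wma", "wmv"}  # extensions that legitimately carry ASF

# Embedded URLs may be stored as ASCII or as UTF-16LE text; match both.
URL_ASCII = re.compile(rb"https?://[\x21-\x7e]{4,200}")
URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,200}")

def sniff_container(data: bytes) -> str:
    """Classify by leading bytes, ignoring the file name entirely."""
    if data[:16] == ASF_HEADER_GUID:
        return "asf"
    if data[:3] == b"ID3":                       # MP3 with an ID3v2 tag
        return "mp3"
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"                             # bare MPEG audio frame sync
    return "unknown"

def embedded_urls(data: bytes) -> list:
    """Return every http(s) URL found in either text encoding."""
    urls = [m.group().decode("ascii") for m in URL_ASCII.finditer(data)]
    urls += [m.group().decode("utf-16-le") for m in URL_UTF16.finditer(data)]
    return urls

def triage(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the real container type."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff_container(data)
    return {
        "name": name,
        "container": kind,
        "mismatch": kind == "asf" and ext not in ASF_EXTENSIONS,
        "urls": embedded_urls(data),
    }

# Constructed samples (not real files): an ASF header followed by a UTF-16LE URL,
# and a minimal ID3v2-tagged MP3 prefix.
FAKE_MP3 = (ASF_HEADER_GUID + b"\x00" * 32
            + "http://example.invalid/player".encode("utf-16-le") + b"\x00\x00")
REAL_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x0a" + b"\x00" * 10 + b"\xff\xfb\x90\x00"

if __name__ == "__main__":
    for fname, blob in (("song.mp3", FAKE_MP3), ("song.mp3", REAL_MP3),
                        ("clip.wma", FAKE_MP3)):
        print(triage(fname, blob))
```

A mismatch together with a non-empty URL list is the combination worth reviewing; a genuine `.wma` or `.wmv` file can also contain URLs, so the URL list alone is not a verdict.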

Our detection rates are based on a segment of VirusScan consumers who have opted in to reporting their detections to McAfee. Approximately 500,000 unique systems have reported having these Trojan media files on their PCs over the last few days. However, the number of those systems that have downloaded the adware installer from fastmp3player.com during this period is less than 10% (< 50,000).


Comments (26)

  • Colleen February 3, 2009 6:01AM

    We are only looking for the facts on this virus. No one needs to slam others who are less experienced (i.e. “.. tards get what they deserve..”).

  • Josh May 27, 2008 3:37AM

    I actually laughed when I saw that video, it was the most obvious invasion I’ve ever seen… I agree; if people are going to go through all those steps even after downloading a 77kb “movie” (!!!!!) then they deserve to get infected. Treat downloading files as you would treat taking candy from strangers, honestly… And Matt is correct, they’ve been around for ages, so just use your common sense. And FYI people, LimeWire in and of itself isn’t dangerous (although it’s often illegally used), it’s how you USE it that can be dangerous. Only download files of a reasonable size for their extension, and DON’T USE WMP!!!

  • Daniel Boyd May 24, 2008 8:06AM

    Hi, I am Daniel Boyd with bnr associates – we have suspended SEONomad.com from our network and forwarded the real owner’s information to ICANN.

    Daniel

  • scott May 15, 2008 4:25PM

    I got hit, I know I’m dumb, but how do I remove this virus (fake media file)? Can someone help me?

  • lmao May 14, 2008 12:43PM

    LMFAO idiots these days… why don’t they just go download SpyFalcon?

  • Matt May 14, 2008 9:44AM

    Those size files have been around for years. Can’t believe this is anything new.