Downloader-UA.h - John C. Kirk
May. 9th, 2008
01:12 am - Downloader-UA.h
There have been a couple of virus warnings in the news today:
Half a million infections of latest Trojan (MSN)
Fake media file snares PC users (BBC)
The basic gist is that there are fake mp3/mpeg files circulating on peer-to-peer filesharing networks. That is, if you use a program like LimeWire to download a music file or video clip, you may not actually get what you thought. Instead, when you try to play the file, it installs adware on your machine.
I'm sure that I'll have several people contacting me about this tomorrow, so how bad is it?
The news reports have given examples of the filenames. However, according to McAfee: "File sizes vary as these files are padded with nulls. The file names varies as well." So, there's no point in forwarding around the current list and saying "Avoid these files!" Instead, be careful about all the files you download. (That's the standard advice I give for hoaxes, but it applies to a genuine virus like this as well.)
McAfee updated their virus signatures yesterday (7th-May-2008), so all the machines at my company are protected against it, and I'd hope that other anti-virus software can recognise it too. So, as long as you're up to date, you should be fine (at least for this virus).
I'm not quite clear on how it works; the various websites I've been to only talk about what it does. In particular, is it an exe file which pretends to be an mp3/mpg file (assuming that you hide file extensions), or is it really a data file that somehow lures you to the fastmp3player.com website?
There's a video of the virus in action here:
Downloader-UA.h Trojan Demo from Schmooog on Vimeo.
So, you are prompted to download a file (play_mp3.exe), then you have to run that program to install the software, and accept the EULA. I'm not saying that it's legit, but it's hardly stealthy either; if you cancel the original download, you'll be safe.
Based on that, I'm guessing that the original file you downloaded isn't an exe file, otherwise they could just distribute play_mp3.exe directly (under a false name). Also, it looks as if Schmooog (the video guy) has file extensions turned on, based on his Documents menu (e.g. there are ".txt" and ".inf" suffixes for other files). However, when he opened the original file in Media Player, it gave him a warning message: "The file you are attempting to play has an extension that does not match the file format. Playing the file may result in unexpected behavior." I'm guessing that it's a different type of data file, but I don't know whether the same thing would happen in a different application (e.g. iTunes). For that matter, although play_mp3.exe is probably Windows specific, would the original download be triggered on other platforms, if it's described as a new codec or something? If anyone can try it out on a Unix box, I'd be interested to hear what happens.
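One way to answer that question for a given download, as an added example (not from the original post or from McAfee): compare the file's leading bytes with what its extension promises, and measure the null padding that McAfee mentions. The signature selection, the 0.5 threshold and the sample bytes are assumptions made for illustration.

```python
import os

# Leading-byte signatures (a small selection chosen for this example).
SIGNATURES = [
    (b"MZ", "exe"),                                # DOS/Windows executable
    (b"ID3", "mp3"),                               # MP3 starting with an ID3v2 tag
    (b"\x00\x00\x01\xba", "mpeg"),                 # MPEG program stream pack header
    (b"\x00\x00\x01\xb3", "mpeg"),                 # MPEG video sequence header
    (bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c"), "asf"),  # ASF header GUID
]
# Content types each extension is allowed to contain.
EXPECTED = {".mp3": {"mp3"}, ".mpg": {"mpeg"}, ".mpeg": {"mpeg"}}
NULL_THRESHOLD = 0.5  # assumed cut-off for "mostly padding"

def sniff(data):
    """Guess the real format from the first bytes of the file."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    # MP3 without a tag starts with an 11-bit frame sync (0xFF, then top 3 bits set).
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"

def null_ratio(data):
    """Fraction of the file that is 0x00 bytes."""
    return data.count(0) / len(data) if data else 0.0

def check(name, data):
    """Return a list of findings for one downloaded file."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    kind = sniff(data)
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        findings.append(f"extension {ext} but content looks like {kind}")
    if null_ratio(data) > NULL_THRESHOLD:
        findings.append("mostly null bytes (padding)")
    return findings

# Constructed sample inputs, not real files from the outbreak.
SAMPLES = {
    "real_song.mp3": b"ID3\x03\x00" + b"\xff\xfb\x90\x64" * 50,
    "renamed_program.mp3": b"MZ" + b"\x90" * 100,
    "padded_other_format.mpg": SIGNATURES[4][0] + b"\x00" * 4000,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", check(name, data) or "no findings")
```

A mismatch finding corresponds to the condition Media Player warned about in the video; the padding finding only reflects McAfee's remark about null-padded files and is not proof of infection on its own.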
I'm also not sure whether the installation is machine-wide or user-specific. It may well be that if you're running as a limited user then you'll be safe from this. (Again, that's a good idea as a general precaution.)
All in all, I'd say that there's no need to panic, but make sure you read any message boxes carefully rather than hitting "OK" as a reflex.