John C. Kirk (johnckirk) wrote,


There have been a couple of virus warnings in the news today:
Half a million infections of latest Trojan (MSN)
Fake media file snares PC users (BBC)

The basic gist is that there are fake mp3/mpeg files circulating on peer-to-peer filesharing networks. I.e. if you use a program like LimeWire to download a music file or video clip, you may not actually get what you thought. Instead, when you try to play the file, it installs adware on your machine.

I'm sure that I'll have several people contacting me about this tomorrow, so how bad is it?

The news reports have given examples of the filenames. However, according to McAfee: "File sizes vary as these files are padded with nulls. The file names varies as well." So, there's no point in forwarding around the current list and saying "Avoid these files!" Instead, be careful about all the files you download. (That's the standard advice I give for hoaxes, but it applies to a genuine virus like this as well.)

McAfee updated their virus signatures yesterday (7th-May-2008), so all the machines at my company are protected against it, and I'd hope that other anti-virus software can recognise it too. So, as long as you're up to date, you should be fine (at least for this virus).

I'm not quite clear on how it works; the various websites I've been to only talk about what it does. In particular, is it an exe file which pretends to be an mp3/mpg file (assuming that you hide file extensions), or is it really a data file that somehow lures you to the website?

There's a video of the virus in action here:

Downloader-UA.h Trojan Demo from Schmooog on Vimeo.

So, you are prompted to download a file (play_mp3.exe), then you have to run that program to install the software, and accept the EULA. I'm not saying that it's legit, but it's hardly stealthy either; if you cancel the original download, you'll be safe.

Based on that, I'm guessing that the original file you downloaded isn't an exe file, otherwise they could just distribute play_mp3.exe directly (under a false name). Also, it looks as if Schmooog (the video guy) has file extensions turned on, based on his Documents menu (e.g. there are ".txt" and ".inf" suffixes for other files). However, when he opened the original file in Media Player, it gave him a warning message: "The file you are attempting to play has an extension that does not match the file format. Playing the file may result in unexpected behavior." I'm guessing that it's a different type of data file, but I don't know whether the same thing would happen in a different application (e.g. iTunes). For that matter, although play_mp3.exe is probably Windows specific, would the original download be triggered on other platforms, if it's described as a new codec or something? If anyone can try it out on a Unix box, I'd be interested to hear what happens.
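The Media Player warning quoted above comes down to comparing a file's extension with its leading bytes, and since names and sizes vary, that check is more useful than a filename list. The following Python sketch is an added example, not from the original post or from McAfee: the signature table is a small set of well-known magic numbers, the sample files are constructed, and nothing in it describes this Trojan's actual file format.

```python
import os
import sys

# Well-known leading-byte signatures (magic numbers) for a few formats.
SIGNATURES = [
    (b"MZ", "exe"),                  # DOS/Windows executable
    (b"ID3", "mp3"),                 # MP3 starting with an ID3v2 tag
    (b"\x00\x00\x01\xba", "mpeg"),   # MPEG program stream pack header
    (b"\x00\x00\x01\xb3", "mpeg"),   # MPEG video sequence header
    (bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c"), "asf"),  # ASF (WMA/WMV)
]
# Formats accepted for each claimed extension (assumption: only these are checked).
EXPECTED = {".mp3": {"mp3"}, ".mpg": {"mpeg"}, ".mpeg": {"mpeg"}}


def sniff(data: bytes) -> str:
    """Guess the container format from the first bytes of the file."""
    for magic, fmt in SIGNATURES:
        if data.startswith(magic):
            return fmt
    # Bare MP3 stream: 11-bit frame sync (0xFF followed by 0b111xxxxx).
    if len(data) >= 2 and data[0] == 0xFF and data[1] & 0xE0 == 0xE0:
        return "mp3"
    return "unknown"


def check(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed format."""
    ext = os.path.splitext(name)[1].lower()
    fmt = sniff(data)
    padding = len(data) - len(data.rstrip(b"\x00"))  # count of trailing null bytes
    return {
        "detected": fmt,
        "mismatch": ext in EXPECTED and fmt not in EXPECTED[ext],
        "null_fraction": padding / len(data) if data else 0.0,
    }


if __name__ == "__main__":
    # With arguments: check real files. Without: run on constructed samples.
    samples = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "song_a.mp3": b"ID3\x03\x00" + b"\x11" * 95,   # constructed: MP3 header
        "song_b.mp3": SIGNATURES[4][0] + b"\x01" * 84 + b"\x00" * 900,  # constructed: ASF, null padded
        "clip.mpg": b"MZ\x90\x00" + b"\x02" * 96,      # constructed: executable header
    }
    for name, data in samples.items():
        print(name, check(name, data))
```

A mismatch only says the extension and content disagree; it does not say the file is malicious, and a file that passes can still be unwanted.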

I'm also not sure whether the installation is machine-wide or user-specific. It may well be that if you're running as a limited user then you'll be safe from this. (Again, that's a good idea as a general precaution.)

All in all, I'd say that there's no need to panic, but make sure you read any message boxes carefully rather than hitting "OK" as a reflex.
Tags: computers, security
