Adware purveyors are using fake MP3 and MPG files on peer-to-peer networks to spread their wares.
More than a half million computers have been infected by a Trojan spreading
through bogus MP3 files on popular peer-to-peer networks in the past several
days, according to researchers at McAfee's Avert Labs.
McAfee first reported noticing a spike in the discovery of a Trojan known as
Downloader-UA.h on May 6. The malware was added to the McAfee DAT files May 2.
In the past seven days, the malware has been detected by McAfee VirusScan
Online on more than 530,000 computers-roughly 26 percent of the approximately 2
million scanned, according to figures posted by the company May 7. In contrast,
the next most-reported piece of malware was found on less than 6 percent of the
The Trojan is spreading through MP3 and MPG files disguised to look like
audio or video recordings. Some of the bogus file names are listed in a McAfee
blog. When downloaded, users are directed to a Web site and prompted to
download a file called PLAY_MP3.exe, McAfee researcher Craig Schmugar reported in
the company's blog.
"If users agree to download and run PLAY_MP3.exe ... a 4,800-word EULA [end-user
license agreement] is displayed," he explained. "If you agree to the EULA and
choose to proceed, adware 'FBrowsingAdvisor' and 'SurfingEnhancer' [are]
installed as described in the EULA. PlayMP3.exe from PlayMP3z.biz is installed,
which is simply a browser control wrapped in an exe, and doesn't actually play
local MP3 files, but rather loads a webpage running the Wimpy MP3 Flash
While approximately 500,000 unique systems have reported having the Trojan
on their PCs in the last few days, less than 10 percent downloaded the adware
installer from fastmp3player.com during that period, Schmugar wrote.