Trojan Infects More Than 500,000 PCs

Adware purveyors are using fake MP3 and MPG files on peer-to-peer networks to spread their wares.

More than a half million computers have been infected by a Trojan spreading through bogus MP3 files on popular peer-to-peer networks in the past several days, according to researchers at McAfee's Avert Labs.

McAfee first reported noticing a spike in the discovery of a Trojan known as Downloader-UA.h on May 6. The malware was added to the McAfee DAT files May 2.

In the past seven days, the malware has been detected by McAfee VirusScan Online on more than 530,000 computers-roughly 26 percent of the approximately 2 million scanned, according to figures posted by the company May 7. In contrast, the next most-reported piece of malware was found on less than 6 percent of the scanned computers.

The Trojan is spreading through MP3 and MPG files disguised to look like audio or video recordings. Some of the bogus file names are listed in a McAfee blog. When downloaded, users are directed to a Web site and prompted to download a file called PLAY_MP3.exe, McAfee researcher Craig Schmugar reported in the company's blog.

"If users agree to download and run PLAY_MP3.exe ... a 4,800-word EULA [end-user license agreement] is displayed," he explained. "If you agree to the EULA and choose to proceed, adware 'FBrowsingAdvisor' and 'SurfingEnhancer' [are] installed as described in the EULA. PlayMP3.exe from is installed, which is simply a browser control wrapped in an exe, and doesn't actually play local MP3 files, but rather loads a webpage running the Wimpy MP3 Flash player."

While approximately 500,000 unique systems have reported having the Trojan on their PCs in the last few days, less than 10 percent downloaded the adware installer from during that period, Schmugar wrote.