Trojans Hidden In Mp3 Format 3462kb also 5611kb

Discussion in 'malware problems & news' started by PiCo, Jun 27, 2008.

Thread Status:
Not open for further replies.
  1. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    From LimeWire forums: Trojans Hidden In Mp3 Format 3462kb also 5611kb

    I think it has gotten a bit out of control lately Lol

    I wanted to download a file and 1 out of 2 results was the specific trojan which my AV identifies as Trojan.Click.18899.
    It is very difficult at first glance to realise it's not a legit file (bit rate and some info are usually missing), so you can easily download it.

    There always used to be trojans of course, but this one has a good cover!
    Take care!
     
  2. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
  3. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    I've seen this file size repeatedly in Limewire browsing. It tends (somehow) to mimic whatever search term has been entered. When clicked on, the media player opens, and immediately attempts to get the browser to go to the related website. Click "deny" on the firewall alert, of course.
    A clue is that, unlike many legitimate files, the "browse host" button is greyed out for these files.
    I always mark them as junk. They're everywhere.
     
  4. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    Yes, it's a total flood situation!
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Any such file? I would like to test it myself. Please PM me.

    Thanks
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Simple.

    Install Limewire then connect to a search of your choice.

    I don't collect samples off it anymore, but when I did it was chock full of them always, and the clue was the quick download times as well as byte sizes, a dead give-away.

    EASTER
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, that can be tried.
     
  8. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    aigle, if you want it I think I got the infected file :)
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    OK. Can you upload it on RapidShare?

    Thanks
     
  10. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Sent, check your PM aigle. Surprisingly, lots of AVs still don't detect it. I know Rising as of today didn't detect the file as infected :p
     
  11. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    CureIt found it on my mate's computer. What does this actually do?
     
  12. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Apparently if "played", it displays a popup and if you click yes, something is downloaded. But I haven't tried it.
     
  13. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    @hurst

    That's exactly what happens. I tested it. Default-deny SRP or any other anti-executable takes care of it, even if you select "yes" during the download part :)
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Is the download for a codec?
     
  15. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Typical Limewire search using topical wording, but the same files will appear whilst searching audio files ;)
    [Attached image: limewire dl.jpg]
     
    Last edited: Jul 7, 2008
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks, aigle, for the file.

    It's a spoofed file which prompts for the download of PLay_mp3.exe.

    [Attached image: mp3_4.gif]
    ___________________________________________________

    I thought I remembered this file name, and I found it somewhere on another writeup
    back in late April, and made screen shots: same file size, same URL.

    Then MrBrian posted an article in early May in the other thread linked above.

    See also:

    http://vil.nai.com/vil/content/v_144503.htm

    If you open the mp3 file in a text editor you can see the padding - it inflates
    the file size so as to appear like a real audio file. If I remove all of the padding,
    the file reduces from 3.38MB to 36k.

    [Attached image: mp3-padding.gif]
    _________________________________________________________

    You can also see the embedded URL:

    [Attached image: mp3-code1.gif]

    [Attached image: mp3-code.gif]
    _________________________________________________________


    To download, the user has to give permission. I guess a lot of people do!

    For those who use download sites like this, is it normal to be prompted for another
    player in order to listen/watch an audio/video file?


    --
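The two indicators Rmus points out above (bulk padding that inflates the size, and a download URL sitting in plain text inside the "audio" file) can be checked mechanically. The script below is an added example, not code from this thread or from any tool named in it: it measures how much of a file is repeated-byte filler, reports what is left once that filler is removed, extracts any http(s) URL stored as ASCII or UTF-16 text, and checks whether the first bytes look like MPEG audio at all. Both inputs are constructed stand-ins (the spoofed one uses the placeholder host example.invalid, and the file name PLay_mp3.exe is taken from Rmus's post); the 64-byte run length and the 50% padding cut-off are the example's own choices.

```python
import re
from itertools import groupby
from random import Random

# Constructed sample data (not the file discussed in the thread). The spoofed
# layout mimics what Rmus describes: a tiny payload carrying a download URL,
# surrounded by filler bytes that inflate the size so it looks like a real track.
FAKE_URL = "http://example.invalid/PLay_mp3.exe"  # placeholder host, not the real one
SAMPLE_SPOOFED = (
    b"\x00" * 64
    + FAKE_URL.encode("ascii")
    + b"\x00" * 200
    + b"\x20" * 4096
)

# Constructed stand-in for a genuine MP3: an ID3v2 header followed by
# pseudo-random bytes standing in for compressed audio frames (no long runs).
_rng = Random(1)
SAMPLE_AUDIO_LIKE = b"ID3\x03\x00\x00\x00\x00\x00\x00" + bytes(
    _rng.getrandbits(8) for _ in range(4000)
)

_ASCII_URL = re.compile(rb"https?://[\x21-\x7e]+")
# Same pattern for UTF-16LE text, where each ASCII character is followed by 0x00.
_UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
)


def _padding_bytes(data: bytes, min_run: int = 64) -> int:
    """Count bytes that belong to runs of one repeated value at least min_run long."""
    total = 0
    for _, group in groupby(data):
        run = sum(1 for _ in group)
        if run >= min_run:
            total += run
    return total


def padding_ratio(data: bytes, min_run: int = 64) -> float:
    """Fraction of the file that is repeated-byte filler."""
    return _padding_bytes(data, min_run) / len(data) if data else 0.0


def stripped_size(data: bytes, min_run: int = 64) -> int:
    """Bytes left once the filler is removed (the 3.38MB -> 36k shrink Rmus saw)."""
    return len(data) - _padding_bytes(data, min_run)


def find_urls(data: bytes) -> list:
    """URLs embedded as ASCII or UTF-16LE text, in order of appearance, deduplicated."""
    found = []
    for m in _ASCII_URL.finditer(data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in _UTF16_URL.finditer(data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    seen, urls = set(), []
    for _, url in sorted(found):
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def has_audio_signature(data: bytes) -> bool:
    """True if the file starts like MPEG audio: an ID3v2 tag, or an MPEG frame
    sync (0xFF followed by a byte whose top three bits are all set)."""
    if data[:3] == b"ID3":
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def assess(data: bytes) -> dict:
    """Summarise the indicators from the thread and give a simple verdict."""
    ratio = padding_ratio(data)
    urls = find_urls(data)
    signature = has_audio_signature(data)
    reasons = []
    if not signature:
        reasons.append("no ID3 tag or MPEG frame sync at offset 0")
    if ratio > 0.5:
        reasons.append(f"{ratio:.0%} of the file is repeated-byte padding")
    if urls:
        reasons.append("embedded URL(s): " + ", ".join(urls))
    return {
        "size": len(data),
        "stripped_size": stripped_size(data),
        "padding_ratio": ratio,
        "urls": urls,
        "audio_signature": signature,
        "verdict": "suspicious" if reasons else "no indicators",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, blob in (("spoofed", SAMPLE_SPOOFED), ("audio-like", SAMPLE_AUDIO_LIKE)):
        report = assess(blob)
        print(f"{name}: {report['verdict']} "
              f"({report['size']} bytes, {report['stripped_size']} without padding)")
        for reason in report["reasons"]:
            print("  -", reason)
```

Run as a script it prints a verdict for each sample; to check a real download, read the file in binary mode and pass the bytes to `assess()`. The padding check alone is not proof of anything (some encoders leave zeroed regions), which is why the verdict combines it with the missing audio signature and the embedded URL that Rmus's screenshots show.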
     
  17. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    No, it's not normal.
    Sometimes you are asked to get codecs for video files, but never with such a popup. At least I haven't found legit files that do that.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    An article a few months ago described the codec exploits on porn sites.

    When the user clicks on a seductive image to view the file, a popup appears
    stating that you cannot view the file w/o this special codec.

    Meanwhile, the image stays before your eyes. Clicking "Cancel" makes the popup
    reappear. And so forth.

    Well, why not? the victim thinks...
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks Rmus.

    Does AE stop copying of this spoofed MP3 file?
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I assume so - I didn't bother trying.

    Since it is an executable file, any program with this type of protection will block it.

    But that is not any protection against a social engineering trick, because
    anyone who wants to download it will just disable security.

    An AV would be the best protection in this case (assuming it would catch it), warning the user that something is amiss.
     
    Last edited: Jul 7, 2008
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I was talking about the spoofed MP3 file, not the next download. Why should one disable his security to download an MP3 file?
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Do you mean when I downloaded the mp3 file from you?

    No, because it is not an executable file.
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Oooops..... I thought it had some executable embedded.
     
  24. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    After you select Yes to play the file, a browser window pops up. Then a download message box appears. You can just select "no" and nothing happens :) some virus :D
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yep, I tried it. It's like this.
     