3wPlayer

3wPlayer is malware that disguises itself as a media player. It can infect computers running Microsoft Windows. It is designed to exploit users who download video files, instructing them to download and install the program in order to view the video. 3wPlayer relies on social engineering to infect computers: seemingly desirable video files, such as recent movies, are released via BitTorrent or other distribution channels. These files resemble conventional AVI files, but are engineered so that, when played in most media player programs, they display only a message instructing the user to visit the 3wPlayer website and download the software to view the video.

The 3wPlayer installer is infected with Trojan.Win32.Obfuscated.en.[1] According to Symantec, 3wPlayer "may download" a piece of adware they refer to as Adware.Lop,[2] which "adds its own toolbar and search button to Internet Explorer".[3]

A Perl script posted online can reportedly decrypt 3wPlayer files back into AVI.[4] This claim has been tested with mixed results, as the AVI file that is recovered is rarely the video the user was looking for. Some developers have made an application[5] to automatically identify 3wPlayer-encrypted files.

Clones

There are multiple 3wPlayer clones:

DivoCodec and X3Codec

DivoCodec (also written Divo Codec) and X3Codec have also been identified as trojans similar to 3wPlayer. Users are instructed to download the codec in order to view or play an AVI/MP4/MP3/WMA file, often downloaded via P2P programs.

Instead of actual codecs, DivoCodec installs malware on the user's computer. DivoCodec is polymorphic and can change its structure. It has also been known to write to another process's virtual memory (process hijacking).

DomPlayer

DomPlayer is similar to DivoCodec and 3wPlayer. Users are likewise instructed to download the player in order to view an AVI file.

As with DivoCodec, fake .avi files are easily spotted by their duration, usually 10–12 seconds, from which one can conclude that the file cannot be a film or TV episode regardless of its size. This is not always the case, however, as many distributors have recently begun falsifying the file metadata so that it displays normal durations and file sizes.
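A triage check for both tell-tales described above, written here as an added example (not code from the article or from any of the tools it mentions): it parses the RIFF/AVI container, reads the duration the `avih` header claims, and then counts the video frames actually present in the `movi` body, so a header that has been falsified to advertise a feature-length duration is caught by the mismatch. The `build_sample_avi` helper constructs minimal synthetic AVI files for demonstration; the 15-second threshold is an assumed cut-off, not a figure from the article.

```python
import struct

def _chunks(buf, pos, end):
    """Walk RIFF chunks in buf[pos:end]; yields (fourcc, list_type, payload_start, payload_end)."""
    while pos + 8 <= end:
        fourcc, size = buf[pos:pos + 4], struct.unpack_from('<I', buf, pos + 4)[0]
        start, stop = pos + 8, pos + 8 + size
        if fourcc == b'LIST':   # a LIST carries a four-byte list type before its members
            yield fourcc, buf[start:start + 4], start + 4, stop
        else:
            yield fourcc, None, start, stop
        pos = stop + (size & 1)  # chunks are padded to an even boundary

def _count_video_frames(buf, start, stop):
    n = 0
    for cc, ltype, s, e in _chunks(buf, start, stop):
        if ltype == b'rec ':             # interleaved record list: descend into it
            n += _count_video_frames(buf, s, e)
        elif cc[2:4] in (b'dc', b'db'):  # '##dc' compressed / '##db' uncompressed video frame
            n += 1
    return n

def analyze_avi(buf, short_clip_s=15.0):
    """Compare what the avih header claims with what the 'movi' body actually holds."""
    if len(buf) < 12 or buf[:4] != b'RIFF' or buf[8:12] != b'AVI ':
        return {'is_avi': False}
    usec_per_frame = claimed_frames = frames_present = 0
    for cc, ltype, start, stop in _chunks(buf, 12, len(buf)):
        if ltype == b'hdrl':
            for icc, _, s, _e in _chunks(buf, start, stop):
                if icc == b'avih':   # dwMicroSecPerFrame is field 0, dwTotalFrames is field 4
                    fields = struct.unpack_from('<5I', buf, s)
                    usec_per_frame, claimed_frames = fields[0], fields[4]
        elif ltype == b'movi':
            frames_present = _count_video_frames(buf, start, stop)
    claimed_s = claimed_frames * usec_per_frame / 1e6
    return {'is_avi': True, 'claimed_duration_s': claimed_s, 'claimed_frames': claimed_frames,
            'frames_present': frames_present, 'size_bytes': len(buf),
            'short_clip': claimed_s < short_clip_s,                # the 10-12 second tell-tale
            'header_mismatch': frames_present != claimed_frames}  # falsified duration metadata

def build_sample_avi(claimed_frames, real_frames, usec_per_frame=40000, junk_bytes=0):
    """Constructed test input (not a real sample): a minimal AVI whose header may lie about its length."""
    def chunk(cc, payload):
        return cc + struct.pack('<I', len(payload)) + payload + (b'\0' if len(payload) & 1 else b'')
    avih = struct.pack('<14I', usec_per_frame, 0, 0, 0, claimed_frames, 0, 1, 0, 640, 480, 0, 0, 0, 0)
    hdrl = chunk(b'LIST', b'hdrl' + chunk(b'avih', avih))
    movi = chunk(b'LIST', b'movi' + b''.join(chunk(b'00dc', b'\xAB' * 5) for _ in range(real_frames)))
    filler = chunk(b'JUNK', b'\0' * junk_bytes)  # bulk without frames, as a padded decoy file would carry
    return chunk(b'RIFF', b'AVI ' + hdrl + movi + filler)
```

On a real file, read it into `buf` and look at `short_clip` and `header_mismatch` together: a genuine feature-length AVI should show neither flag.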

x3 player

x3 player is similar to DomPlayer and likewise instructs users to download the player to view the AVI file. Also circulated is a 5-second ASF video disguised as an MP3 file, which instructs users to install the player.

References

  1. Trojan.Win32.Obfuscated.en. Archived 2007-09-14 at the Wayback Machine.
  2. 3wPlayer - Technical Details, accessed on 2008/07/24.
  3. Adware.Lop, accessed on 2008/07/24.
  4. Mininova Forum: 3wplayer and the like... Archived 2008-05-26 at the Wayback Machine, accessed on 10/3/07.
  5. 3WPlayer Decoder, accessed on 2013/11/11.