One of the best known is 3wPlayer, which even Wikipedia devotes an article to.
Wikipedia describes it as "3wPlayer is a rogue media player software application bundled with trojans .."
This is the 3wPlayer site:

Polished graphics and plenty of links to FAQs, advice on how to install the software, and reassurances that the program contains no malware.
Too bad that a simple scan of the file 3wPlayer- with VirusTotal already shows a very different picture:
Complete scanning result of "3wPlayer-", processed in VirusTotal at 10/17/2007 03:40:16 (CET).
[ file data ]
* name: 3wPlayer-
* size: 1201037
* md5.: bc5112820b1708c5f68a57ea65534938
* sha1: 867136b734fe3b95e4ea99f543630d81ecbf7b4a
[ scan result ]
AhnLab-V3 2007.10.17.0/20071016 found nothing
AntiVir found nothing
Authentium 4.93.8/20071016 found nothing
Avast 4.7.1051.0/20071017 found [Win32:Obfuscated-BPS]
AVG found nothing
BitDefender 7.2/20071017 found [Trojan.FatObfus.2.Gen]
CAT-QuickHeal 9.00/20071016 found nothing
ClamAV 0.91.2/20071016 found nothing
DrWeb found [Trojan.Packed.149]
eSafe found nothing
eTrust-Vet 31.2.5216/20071017 found nothing
Ewido 4.0/20071016 found nothing
F-Prot found nothing
F-Secure 6.70.13030.0/20071017 found [Trojan.Win32.Obfuscated.en]
FileAdvisor 1/20071017 found nothing
Fortinet found nothing
Ikarus T3.1.1.12/20071017 found nothing
Kaspersky found [Trojan.Win32.Obfuscated.en]
McAfee 5142/20071016 found nothing
Microsoft 1.2908/20071016 found nothing
NOD32v2 2596/20071017 found nothing
Norman 5.80.02/20071016 found nothing
Panda found nothing
Prevx1 V2/20071017 found [Heuristic: Suspicious Self Modifying File]
Rising found nothing
Sophos 4.22.0/20071017 found [Mal/Swizzor-B]
Sunbelt 2.2.907.0/20071016 found nothing
Symantec 10/20071017 found nothing
TheHacker found nothing
VBA32 found nothing
VirusBuster 4.3.26:9/20071016 found nothing
[ notes ]
Prevx info:
As you can see, the trojan win32.obfuscated is present, which among other things is responsible for downloading malware onto the PC.
These are some of the changes the fake player makes to the contents of the PC's folders and to the registry:
Files and Processes Affected By 3wplayer
%ProgramFiles%\3wPlayer\settings.ini
%ProgramFiles%\3wPlayer\settings.stp
%ProgramFiles%\3wPlayer\SkinCrafterDll.dll
%ProgramFiles%\3wPlayer\skins\Stylish.skf
%ProgramFiles%\3wPlayer\test.gif
%ProgramFiles%\3wPlayer\unins000.dat
%ProgramFiles%\3wPlayer\unins000.exe
C:\Documents and Settings\All Users\Start Menu\Programs\3wPlayer\3wPlayer.lnk
C:\Documents and Settings\*USENAME*\Local Settings\Temp\Temporary Internet Files\Content.IE5\
%ProgramFiles%\3wPlayer\3wPlayer.exe
C:\Documents and Settings\*USENAME*\Local Settings\Temp\Temporary Internet Files\Content.IE5\
%ProgramFiles%\3wPlayer\minime.exe
C:\Documents and Settings\*USERNAME*\Application Data\Play About\BatBurnDefault.exe
C:\Documents and Settings\*USERNAME*\Application Data\Play About\poke dale mail.exe
C:\Documents and Settings\*USERNAME*\Application Data\Play About\wpmhjiea.exe
C:\Documents and Settings\*USENAME*\Local Settings\Temp\Temporary Internet Files\Content.IE5\
C:\Documents and Settings\*USERNAME*\Application Data\"something stupid"\mp3 roam.exe
In some ways very similar to this fake player is DivoCodec, a fake codec that contains practically the same malware as 3wPlayer.
This is a screenshot of the DivoCodec site:

In this case too, VirusTotal highlights the malicious content of the file DivoCodec-
Complete scanning result of "DivoCodec-", processed in VirusTotal at 10/17/2007 03:40:16 (CET).
[ file data ]
* name: DivoCodec-
* size: 627376
* md5.: b4e59b9b5556134b7923ff10f5abf001
* sha1: 472deebe085031d688caadb484eb7c7e30d43c5b
[ scan result ]
AhnLab-V3 2007.10.17.0/20071016 found nothing
AntiVir found nothing
Authentium 4.93.8/20071016 found nothing
Avast 4.7.1051.0/20071017 found [Win32:Obfuscated-BPT]
AVG found nothing
BitDefender 7.2/20071017 found [Trojan.FatObfus.2.Gen]
CAT-QuickHeal 9.00/20071016 found nothing
ClamAV 0.91.2/20071016 found nothing
DrWeb found [Trojan.Packed.149]
eSafe found nothing
eTrust-Vet 31.2.5216/20071017 found nothing
Ewido 4.0/20071016 found nothing
F-Prot found nothing
F-Secure 6.70.13030.0/20071017 found [Trojan.Win32.Obfuscated.en]
FileAdvisor 1/20071017 found nothing
Fortinet found nothing
Ikarus T3.1.1.12/20071017 found nothing
Kaspersky found [Trojan.Win32.Obfuscated.en]
McAfee 5142/20071016 found nothing
Microsoft 1.2908/20071016 found nothing
NOD32v2 2596/20071017 found nothing
Norman 5.80.02/20071016 found nothing
Panda found nothing
Prevx1 V2/20071017 found [Heuristic: Suspicious Self Modifying File]
Rising found [Trojan.Win32.Obfuscated.en]
Sophos 4.22.0/20071017 found [Troj/3WPlay-A]
Sunbelt 2.2.907.0/20071016 found nothing
Symantec 10/20071017 found nothing
TheHacker found nothing
VBA32 found nothing
VirusBuster 4.3.26:9/20071016 found nothing
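To compare the two reports line by line, here is a small parser for the VirusTotal text format shown above. It is an added example, not part of the original post; the two sample strings are a subset of the report lines on this page, and the function names are my own.

```python
import re

# Subset of the scan-result lines from the two reports on this page.
REPORT_3WPLAYER = """\
AntiVir found nothing
Avast 4.7.1051.0/20071017 found [Win32:Obfuscated-BPS]
BitDefender 7.2/20071017 found [Trojan.FatObfus.2.Gen]
DrWeb found [Trojan.Packed.149]
Kaspersky found [Trojan.Win32.Obfuscated.en]
Rising found nothing
Sophos 4.22.0/20071017 found [Mal/Swizzor-B]
"""
REPORT_DIVOCODEC = """\
AntiVir found nothing
Avast 4.7.1051.0/20071017 found [Win32:Obfuscated-BPT]
BitDefender 7.2/20071017 found [Trojan.FatObfus.2.Gen]
DrWeb found [Trojan.Packed.149]
Kaspersky found [Trojan.Win32.Obfuscated.en]
Rising found [Trojan.Win32.Obfuscated.en]
Sophos 4.22.0/20071017 found [Troj/3WPlay-A]
"""

# "<engine> [<version>/<sigdate>] found nothing" or "... found [<label>]"
LINE_RE = re.compile(r"^(?P<engine>\S+)(?:\s+\S+)?\s+found\s+(?:nothing|\[(?P<label>.+)\])\s*$")

def parse_report(text):
    """Return {engine: label or None} for every scan-result line."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # headers such as "[ scan result ]" do not match and are skipped
            results[m["engine"]] = m["label"]
    return results

def detections(results):
    """Keep only the engines that reported a label."""
    return {e: l for e, l in results.items() if l is not None}

def shared_labels(a, b):
    """Engines that flag both files with the identical signature name."""
    da, db = detections(a), detections(b)
    return sorted(e for e in da if db.get(e) == da[e])

if __name__ == "__main__":
    a, b = parse_report(REPORT_3WPLAYER), parse_report(REPORT_DIVOCODEC)
    print(f"3wPlayer:  {len(detections(a))}/{len(a)} engines flag the file")
    print(f"DivoCodec: {len(detections(b))}/{len(b)} engines flag the file")
    print("same signature on both:", shared_labels(a, b))
```

Engines that return the identical label for both installers are the quickest evidence that the two downloads carry the same payload; differing labels from one vendor (Avast, Sophos here) do not rule that out.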
As always, before installing new, unfamiliar software, the advice is to do a little research first, perhaps with a search engine, to find some more information about what you intend to install.