Megaleecher.Net

Making technology work for you...

  1. Home
  2. 3wPlayer Malware Infected Torrent's Spreading On P2P Networks

Get Your Free Subscription By Email:

3wPlayer Malware Infected Torrent's Spreading On P2P Networks

Submitted by Deepesh Agarwal on Sun, 08/05/2007 - 08:34
p2p
file-sharing
virus
malware
adware
spyware
media player
download 3wPlayer
3wPlayer review
3wPlayer
Decode 3wPlayer Files
Decode Doom Player Files


3wPlayer Media Player

Recently Torrent sites are getting spammed by malicious torrent uploads disguised as new movie releases, torrent users are reporting that they have downloaded various videos mostly claiming to be new movie releases or TV shows only to be confronted with a short video which advises them to download a new media player called 3wPlayer to view the rest of file. The few second clip show the Url to download this malware media player 3wPlayer.

The player installs a form of CIDHELP malware which is very hard to get rid of, The only solution to this problem is to make the user aware of this kind of tactic and reporting any such torrent to the torrent website for removal.


UPDATE:


Download & use this 3wplayer and similar video malware Auto-Fixer for windows to decode files (Special Direct Rapidshare Premium Link ~ 590 KB) >>

USAGE: decoder.exe 3wPlayerencodedfilename.avi outputfilename.avi

To decrypt the underlying video data you can the following perl script.

#!/usr/bin/perl
# Turn of output buffer
$|++;

# The key for XOR decryption
my $key = 'UIERYQWORTWEHLKDNKDBISGLZNCBZCVNBADFIEYLJ' . chr(0);

print "Reading from \"$ARGV[0]\":\n";
$insize = -s $ARGV[0];
# Open the bogus AVI file
open(IN, $ARGV[0]) or die $!;
binmode IN;

# Read Header to check
read(IN, $buffer, 4);
if ($buffer ne 'RIFF') {
print " ERROR: \"$ARGV[0]\" is not an AVI\n";
close IN;
exit(1);
}
# Get Length of the unencrypted movie
read(IN, $buffer, 4);
$offset = unpack 'L', $buffer;
print " End of the unencrypted movie is at byte offset $offset\n";

# Jump to the read offset
seek(IN, $offset, 0);

# The next 4 or 8 Bytes seem to be either an unsinged long
# or an unsigned quad. This is another offset to jump
# over some filler bytes. Right now I can't really tell if
# it's 4 or 8 bytes, because I only have 1 file to test with.
# I assume it's a quad.

# low word
read(IN, $buffer, 4);
$offlo = unpack 'L', $buffer;
# high word
read(IN, $buffer, 4);
$offhi = unpack 'L', $buffer;
# Calculate offset
$offset = $offhi * 4294967296 + $offlo;

print " Offset after the unencrypted movie is $offset\n";
seek(IN, $offset, 0);

# Then there seem to be another 100 filler bytes
# with value 0xff. Jump over those too, to get
# to the offset where the real movie starts.
printf " Adding extra filler bytes, final offset is %s\n", $offset+100;
seek(IN, 100, 1);

# Update the size
$insize -= $offset+100;

# Open a file for writing the decrypted data to
print "Decrypting to \"$ARGV[1]\":\n";
open(OUT, ">$ARGV[1]");
binmode OUT;
truncate OUT, 0;

$bytes = 0;
$klen = length($key);
# Read key length bytes, decrypt them and
# write them to the output file untill you reach
# the end of the file
while ( read(IN, $buffer, $klen) ) {
$buffer ^= $key;
print OUT $buffer;
$bytes += $klen;
# print the status
if ( ( $bytes % 200000 ) == 0 )
{
printf "\r %d written (% .1f %%)", $bytes, ($bytes / $insize * 100);
}
}
# Close both files
close OUT;
close IN;
print "\n\nDONE!\n";

Comments

Submitted by Anonymous (not verified) on Fri, 10/12/2007 - 17:52

hi i don't know how to make it work for my computer.
I don't know perl
and tell me if this file avi is decoded in perl?
and can hex editor can solve any problem??
if possible answer me at jimjamzoo@gmail.com

Submitted by Anonymous (not verified) on Sat, 11/10/2007 - 09:44

You need to download and install PERL (and as 3WPlayer only works on Windows) I'll assume you're using MS Windows. Goggle will direct you to http://www.activestate.com/Products/activeperl/ and you'll find the downloads.

PERL is a UNIX command line programming language, ActivePerl is the MS Windows verions.

Submitted by hview (not verified) on Fri, 08/20/2010 - 01:02

__________________________
On computers as of:
8/20/2010 at 5:57:51 AM
Last Used:
8/20/2010 at 5:59:51 AM
Startup Item:
No
Launched:
No
____________________________
High
This file risk is high.
____________________________
Threat Details
Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
____________________________
Origin
Downloaded from http://rs344l33.rapidshare.com/files/88299177/decoder.exe
http://rs344l33.rapidshare.com/files/88299177/decoder.exe
Downloaded File from: rapidshare.com
Source: External Media
decoder.exe

____________________________
File Actions
File: d:\decoder.exe
Removed
____________________________
File Thumbprint - SHA:
Not Available
____________________________
File Thumbprint - MD5:
Not Available
____________________________

Submitted by gt (not verified) on Sun, 12/19/2010 - 05:49

Under "update" you should discontinue the web link description as an actual link. I thought you were providing a fix. Fortunately Avast! anti-virus shut down the webpage before it opened. It is a direct link to Rapidshare, a known threat. I wonder how many others were confused by finding this link on your page.

Submitted by Deepesh Agarwal on Mon, 12/20/2010 - 00:20

That is actually the utility coded by me in perl wrapped as an exe and is perfectly safe, the AV is giving a false positive because it's a perl script (popular hacking language). Here is a VirusTotal scan report with score 3/ 43 which means only three av-engine detect it as a threat out of 43 also among those two are avast products.

http://www.virustotal.com/file-scan/report.html?id=8feb3f53c980774e63cfbd0f9ed205a0aebfeca50e388d3230ae97ae2e5c51e1-1292804184

Add new comment

This is just one of the many helpful tips we have posted, You can find more stories here,
Do subscribe to updates using your favorite RSS feed reader or using the secure FeedBurner email update form on top of this post.