Bookmark site
Bookmark page
Make homepageLike This Post, Get Updates By Email:
3wPlayer Malware Infected Torrent's Spreading On P2P Networks
Submitted by admin on Sun, 08/05/2007 - 08:34.
Recently Torrent sites are getting spammed by malicious torrent uploads disguised as new movie releases, torrent users are reporting that they have downloaded various videos mostly claiming to be new movie releases or TV shows only to be confronted with a short video which advises them to download a new media player called 3wPlayer to view the rest of file. The few second clip show the Url to download this malware media player 3wPlayer.
Recently Torrent sites are getting spammed by malicious torrent uploads disguised as new movie releases, torrent users are reporting that they have downloaded various videos mostly claiming to be new movie releases or TV shows only to be confronted with a short video which advises them to download a new media player called 3wPlayer to view the rest of file. The few second clip show the Url to download this malware media player 3wPlayer.
The player installs a form of CIDHELP malware which is very hard to get rid of, The only solution to this problem is to make the user aware of this kind of tactic and reporting any such torrent to the torrent website for removal.
UPDATE:
USAGE: decoder.exe 3wPlayerencodedfilename.avi outputfilename.avi
To decrypt the underlying video data you can the following perl script.
#!/usr/bin/perl
# Turn of output buffer
$|++;
# The key for XOR decryption
my $key = 'UIERYQWORTWEHLKDNKDBISGLZNCBZCVNBADFIEYLJ' . chr(0);
print "Reading from \"$ARGV[0]\":\n";
$insize = -s $ARGV[0];
# Open the bogus AVI file
open(IN, $ARGV[0]) or die $!;
binmode IN;
# Read Header to check
read(IN, $buffer, 4);
if ($buffer ne 'RIFF') {
print " ERROR: \"$ARGV[0]\" is not an AVI\n";
close IN;
exit(1);
}
# Get Length of the unencrypted movie
read(IN, $buffer, 4);
$offset = unpack 'L', $buffer;
print " End of the unencrypted movie is at byte offset $offset\n";
# Jump to the read offset
seek(IN, $offset, 0);
# The next 4 or 8 Bytes seem to be either an unsinged long
# or an unsigned quad. This is another offset to jump
# over some filler bytes. Right now I can't really tell if
# it's 4 or 8 bytes, because I only have 1 file to test with.
# I assume it's a quad.
# low word
read(IN, $buffer, 4);
$offlo = unpack 'L', $buffer;
# high word
read(IN, $buffer, 4);
$offhi = unpack 'L', $buffer;
# Calculate offset
$offset = $offhi * 4294967296 + $offlo;
print " Offset after the unencrypted movie is $offset\n";
seek(IN, $offset, 0);
# Then there seem to be another 100 filler bytes
# with value 0xff. Jump over those too, to get
# to the offset where the real movie starts.
printf " Adding extra filler bytes, final offset is %s\n", $offset+100;
seek(IN, 100, 1);
# Update the size
$insize -= $offset+100;
# Open a file for writing the decrypted data to
print "Decrypting to \"$ARGV[1]\":\n";
open(OUT, ">$ARGV[1]");
binmode OUT;
truncate OUT, 0;
$bytes = 0;
$klen = length($key);
# Read key length bytes, decrypt them and
# write them to the output file untill you reach
# the end of the file
while ( read(IN, $buffer, $klen) ) {
$buffer ^= $key;
print OUT $buffer;
$bytes += $klen;
# print the status
if ( ( $bytes % 200000 ) == 0 )
{
printf "\r %d written (% .1f %%)", $bytes, ($bytes / $insize * 100);
}
}
# Close both files
close OUT;
close IN;
print "\n\nDONE!\n";
»
- 12569 reads
don't know how to make it work
hi i don't know how to make it work for my computer.
I don't know perl
and tell me if this file avi is decoded in perl?
and can hex editor can solve any problem??
if possible answer me at jimjamzoo@gmail.com
You need to download and
You need to download and install PERL (and as 3WPlayer only works on Windows) I'll assume you're using MS Windows. Goggle will direct you to http://www.activestate.com/Products/activeperl/ and you'll find the downloads.
PERL is a UNIX command line programming language, ActivePerl is the MS Windows verions.
Post new comment