BitTorrent Malware Spreads to Media Players

Written by enigmax on May 22, 2007 

When someone or something becomes a huge success, inevitably some people want a piece of that and try to cash in. The BitTorrent scene is no exception, and in recent months we have reported on a raft of torrent clients hitting the internet, each installing malware on unsuspecting users’ PCs. Sadly, this disease is now spreading to their latest tool: malware-infected media players.

We have regularly reported on BitTorrent clients which also install malware, such as Torrent101, BitRoll, TorrentQ and GetTorrent, and have done our very best to let people know about the dangers of using such products.

Unfortunately, as fast as we report such things, the malware peddlers create yet more bad clients with new names but carrying the same bad story. However, these guys are very determined to get software such as CIDHELP on your machine, ready to watch your activities, and to this end have become quite creative. Recently BitTorrent users are reporting that they have downloaded various pieces of video (usually a TV show) only to be confronted with a message during the first few seconds of the video which advises them to download a new media player called 3wPlayer in order to view the rest of the file.

The displayed URL directs the unsuspecting to the Play3W site, where they are given the chance of installing a shiny new media player.

3wPlayer

From the screenshot you will see that there is a ‘more’ button, and when you install this player ‘more’ is exactly what you get – more malware in the form of CIDHELP, yet again. It can be a difficult task to uninstall it too, especially when you consider the veiled legal threat on the CIDHELP site – the vendor warns you could be in breach of the EULA if you try to remove it with your anti-spyware software. To get rid of the software, they advise you to first turn off your anti-adware/spyware software and re-install the software, something that rings a few alarm bells!

It may seem that every pusher in the world is getting involved in the BitTorrent malware scene, but a simple WHOIS on all the domains hosting the torrent clients listed above (Torrent101, for example), including the 3wPlayer site, reveals that they are more than likely the same outfit, exploiting the less experienced members of the BitTorrent community. Anyone concerned about a particular torrent should take the time to read the user comments on the site the torrent was downloaded from. Very often problems such as fake files are discussed there.

Anyone needing a media player that will deal with almost any video format should consider the excellent VLC Media Player, available for free download. Those who still haven’t settled on a quality BitTorrent client will find everything they need by getting uTorrent. No spyware, adware or malware present in either product.


69 Responses

1 May 22, 2007 at 16:13 by Johan Emeren

I tipped on this :D xD

2 May 22, 2007 at 17:07 by asia4all

Why does that fucker still get money as a criminal? He tries hard installing trojans on your machines! That ass is very demanding for money! Better he takes it and go fucking bitch as soon he will go to jail.

3 May 22, 2007 at 18:48 by enigmax

[quote comment="103531"]I tipped on this :D xD[/quote]
You asked us to look at it and we did ;) Thanks

4 May 22, 2007 at 21:06 by ph

Yay, fell for it as well :) That is, I downloaded a fake which wanted me to install this shiny new player; anyhow, I just deleted it. But just to get this clear: these fakes are just to advertise their spyware and not somehow include the malware in the .avi itself? So – no harm done if you just delete it straight away?

5 May 22, 2007 at 21:09 by Jasper van Weerd

[quote comment="103531"]I tipped on this :D xD[/quote]

Fipo… amazing that TF gets this now too… ;)

6 May 22, 2007 at 22:34 by smartass

I put in a review of the website to McAfee SiteAdvisor for this site. Hopefully people will see it and not download the program.

7 May 23, 2007 at 09:42 by wrd

I am just waiting for a massive video attack: malformed video streams which hijack your machine via your media player …

who needs vulnerable services if there are plenty of vuln media players online.

recent adobe photoshop png bugs for example could just pop a remote shell.

8 May 23, 2007 at 12:48 by tatootian

9 May 23, 2007 at 15:07 by nofollow for the win

maybe not the smartest idea to have the 3 “another” links to the Homepages of the malware clients without a nofollow tag.

you don’t want to give them extra pagerankings in google, would you enigmax?

10 May 24, 2007 at 03:44 by Unsub

I found one of these on a copy of 28weeks later from Piratebay. As soon as the “you need our player” message came on I knew it was bogus. They even used AXXO’s name to fool people with.

11 May 24, 2007 at 07:26 by Franky

It even looks fake. How can people be tricked by that?

12 May 24, 2007 at 10:30 by Ryan

It’s called open source guys.

13 May 24, 2007 at 19:11 by T

“Recently BitTorrent users are reporting that they have downloaded various pieces of video (usually a TV show) only to be confronted with a message during the first few seconds of the video”

How does that work? What media file formats are we talking about here? Does this presuppose that the machine is already malware infected?

14 May 28, 2007 at 10:04 by qr7z

“But just to get this clear: These fakes are just to advertise their spyware and not somehow include the malware in the .avi itself?”

Generally, yes, since media files need to be played in external programs. Be aware that Windows has a “feature” that hides known extensions, so potentially dangerous files can appear harmless by default – for example, “malware.avi.exe” might look like “malware.avi”. I have seen viruses take advantage of this, so I recommend changing it to show all extensions.

You should also keep your player and other software reasonably current, because it is possible to exploit vulnerabilities using hacked media files. Although this is hard, there are still a few websites using special wmf files to infect unpatched computers. I wouldn’t put it past them to do the same thing through bittorrent as new vulnerabilities are discovered.

Finally, remember that these are professional criminals who are always trying something new. For example, some legitimate torrents include codecs “just in case”, and it’s possible that criminals might try the same thing – for example by providing an unplayable avi/mkv and fake codecs that install malware. Use common sense and don’t let your guard down.

15 May 28, 2007 at 22:13 by cisco

OK, so like if I download the VLC media player will I be able to watch the movie I downloaded, or did I just waste a day downloading a movie that is fake? Oh, and it had AXXO on it.

16 May 30, 2007 at 20:43 by phorty40

@ph
you’ll be fine as long as you don’t download the player itself

@ cisco
you wasted a day, man, sorry about that.

17 Jun 08, 2007 at 11:48 by mapi

Crap, I downloaded Pirates of the Caribbean 3. It took me 14 days. Now I’m simply stuck with a 4,5 gig video containing “Only … can play this video” bla bla bla. Wasted my time, I’ll kill these guys!

18 Jun 09, 2007 at 04:53 by Shane Freemantle

I just downloaded the player and managed to disable all the crap in it within a few minutes. The player still works fine; it’s quite a good piece of software. And I don’t work for them or anyone else. My Spyware-Watcher shows nothing now and my system isn’t running any unwanted processes. I managed to fix it. I am not sure the spyware is necessary in a piece of software like this; it’s good as it is.

19 Jun 11, 2007 at 12:30 by T

Another axxo imposter – I tried downloading “Shooter,” but came up with the 3wplayer screen in wmp.
So if this is a simple codec problem, then installing a codec combo from http://www.cccp-project.net/ should solve the problem. But still I don’t see why downloading any other player should matter.

20 Jun 14, 2007 at 06:43 by saskmale

I downloaded what I thought was Oceans 13, and after working with the 3wplayer, I did get a video to play (other than the download blah blah blah). Problem is, it’s Shrek 3.
That’s the good news, it’s a great copy. Bad news, I can’t get it to burn to a disk to view on TV. I’d hate to look for another version. Anybody ever get through 3wplayer to see a movie? Did you get to convert to another format?

21 Jun 15, 2007 at 23:29 by Merciless

I downloaded another stupid 3wplayer movie (Pirates 3) and luckily I read the agreement page with the end-user agreement statement about all of the data that will be transmitted from and to my pc. Point being: ALWAYS READ THAT CRAP! The file shows as Divx3 format, but only repeats the 3wplayer message. I think it’s some bs personally!

22 Jun 24, 2007 at 13:47 by na

If these files are real, it stores 2 indexes of the avi etc., so when normal players read it, it plays the bogus 3w player msg. If a file is real, I imagine it skips to index 2. Possibly we can make a program to strip off the first index, few bytes etc. to fix the files, but there’s no real way to tell if it’s real off the bat. In preview, if I see the message, I delete.

23 Jun 25, 2007 at 04:22 by Andrew

Hey guys, I was downloading Grindhouse when this crap happened to me. I am rather new to the BitT. world so forgive me if I may sound dumb. I used VLC to open the file, it says the “3..player” thing, but the file itself is 682mb and yet is only 20 sec long. Is there a way to deal with this?
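A download-triage check for the symptoms described in comments 14 and 23 (an added example, not code from the article or from any commenter): it flags media-named executables such as "malware.avi.exe" and .avi files whose header-declared duration is implausibly short for their size. The extension lists, the 50 Mbit/s threshold and all function names are assumptions chosen for illustration; the sample header is constructed.

```python
import os
import struct
import sys

MEDIA_EXTS = {".avi", ".mkv", ".mpg", ".mp4", ".wmv"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Assumption: an average above 50 Mbit/s is implausible for a movie-sized AVI.
MAX_PLAUSIBLE_BPS = 50_000_000


def avi_declared_seconds(header):
    """Duration declared by the AVI main header ('avih'), or None if absent."""
    if header[0:4] != b"RIFF" or header[8:12] != b"AVI ":
        return None
    pos = header.find(b"avih", 12)
    if pos < 0 or pos + 28 > len(header):
        return None
    # Chunk payload starts at pos+8: dwMicroSecPerFrame at +0, dwTotalFrames at +16.
    usec_per_frame, = struct.unpack_from("<I", header, pos + 8)
    total_frames, = struct.unpack_from("<I", header, pos + 24)
    return usec_per_frame * total_frames / 1_000_000


def triage_bytes(name, size, header):
    """Findings for one file, given its name, size in bytes and first bytes."""
    findings = []
    stem, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(stem)[1]
    if ext in EXEC_EXTS and inner_ext in MEDIA_EXTS:
        findings.append("double-extension")        # e.g. malware.avi.exe
    if header[:2] == b"MZ" and MEDIA_EXTS & {ext, inner_ext}:
        findings.append("executable-content")      # DOS/PE magic under a media name
    if ext == ".avi":
        seconds = avi_declared_seconds(header)
        if seconds is None:
            findings.append("not-riff-avi")
        elif seconds == 0 or size * 8 / seconds > MAX_PLAUSIBLE_BPS:
            findings.append("size-duration-mismatch")
    return findings


def triage(path):
    """Read the name, size and first 4 KiB of a file on disk and triage it."""
    with open(path, "rb") as fh:
        header = fh.read(4096)
    return triage_bytes(os.path.basename(path), os.path.getsize(path), header)


def sample_avi_header(usec_per_frame, total_frames):
    """Constructed minimal RIFF/AVI header for testing (not a playable file)."""
    avih = struct.pack("<14I", usec_per_frame, 0, 0, 0, total_frames, *([0] * 9))
    hdrl = b"hdrl" + b"avih" + struct.pack("<I", len(avih)) + avih
    body = b"AVI " + b"LIST" + struct.pack("<I", len(hdrl)) + hdrl
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, triage(p) or "nothing flagged")
```

A clean result only means none of these heuristics fired; it says nothing about whether the content matches the torrent's name.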

24 Jun 25, 2007 at 11:32 by Da_Lord

http://forum.mininova.org/lofiversion/index.php?t234994521.html

see “codemonkey” comment (2nd on the page)! get this perl script runner: (choose your OS)
- http://www.activestate.com/store/download.aspx?prdGUID=81fbce82-6bd5-49bc-a915-08d58c2648ca -
installed and run “script.pl cripted.avi uncripted.avi” (as script.pl being the code on the “codemonkey” comment) on cmd in the same folder as cripted avi.
at the end, the most probable thing is to get a movie that you would not expect! i did this on a die hard 4 fake file to find a texas chainsaw massacre the 1st!
the thing is, the perl script works wonders! till the key is changed!

25 Jun 26, 2007 at 11:41 by BaDboD

That perl script works, however the movie is not as advertised. Still good though, I can seed a new movie I didn’t get to see otherwise. Thanks 3wplayer. Make sure you don’t download their player crap. I didn’t, and seeing as the movie was bogus (well, unexpected but pretty good anyways) their player MUST be bogus also. If MPC, VLC or media player can’t play it then kick it.

26 Jun 26, 2007 at 11:47 by BaDboD

P.S. The movie I got was Shooter, I was downloading Evan Almighty, go figure. Use the perl, f**k the 3wplayer. I read enough to get the picture regarding the 3w-whatever malware S**t

27 Jul 03, 2007 at 15:50 by Turan

3wplayer has a virus, I scanned it with ZoneAlarm. Do not download.

28 Jul 04, 2007 at 17:43 by vinpalaboy

I downloaded the movie Shrek 3 with the 3w player and installed it, but when I played the movie (Shrek 3) it was a porno movie. What a fucking shit software, so please don’t try to install this anymore.

29 Jul 14, 2007 at 03:17 by leechingbastard

In the above mininova thread, tansy dog, a site mod, states and I quote

“I am closing this thread, as while you guys are doing good work in figuring out how to play the 3wplayer-requiring files without downloading their spyware player, the fact remains that most of them are MPAA-tracked fakes, and it is dangerous to download them.”

I googled this like crazy and can’t find info on it anywhere. Can anyone confirm this?
It seems to me as the mods on mininova are getting a bit paranoid. MPAA wouldn’t upload fake films with copyrighted films with links to malware infected players like this.

30 Jul 16, 2007 at 13:15 by leechingbastard

The above-mentioned 3wplayer people are a site registered with godaddy.com. They have variations on their name. 3wplaer.com etc..

Godaddy.com is a two bit web hosting domain of qualities even the mpaa would find questionable.

An anonymous mail has been passed to them stating.

“I am writing to complain about a site you are hosting.
3wplayer.com.
This site is responsible for uploading copyrighted movie material to the bittorrent community. Said movies refuse to work unless you download the 3wplayer which actually contains a virus payload.
Please act on this immediately or I will pass this information on to the appropriate authorities.”
Let’s see if this gets the domain behind them moving.

Use the bad guys against the bad guys. ;)

31 Jul 18, 2007 at 20:36 by Manish

hi
this is very useful site i never seen before, i came to know many things out here,
but still have a problem that which software can play the movie, which requires 3wplayer?
plz reply
thanks

32 Jul 25, 2007 at 15:49 by burnie

yo manish just forget about it ,, if u have a file that says you need 3wplayer just delete it, post a comment where u got it from warning others and hope that next time you read the comments before u download some1 has done the same for you.

33 Aug 10, 2007 at 09:51 by Wildman

We at Wildman Productions have become aware of this growing problem of AVI video files encoded for the malicious 3wplayer and have created a file converter which will rewrite the file to work as a standard media file, without 3wplayer. The converter can be found at our project page at http://wildman-productions.org/

34 Aug 14, 2007 at 15:34 by chessdxs

the 3wplayer software has been created with the sole purpose to undermine the P2P community.
The identity of the owner of the 3wplayer domain has been kept secret through a domainsByProxy service. It is not hard to imagine who desires the demise of the P2P revolution though –> MPAA

35 Aug 14, 2007 at 23:52 by Michele

Try this solution http://echeblahblah.blogspot.com/2007/08/how-to-beat-3wplayer.html

36 Aug 18, 2007 at 07:54 by maikalal

hi pals.

I had downloaded oceans13 avi file from thepiratebay and unknowingly downloaded the 3wplayer to play and watch the full movie. So far my sys is good. I came to know about this site while in search for a software for converting the above avi to be played in any media player. After reading the above posts, I have decided to uninstall 3wplayer.
Thanks to all the posts. Have a nice day

37 Aug 22, 2007 at 10:50 by moggy5

I downloaded a Harry Potter film and found it required me to get the 3Wplayer….I found all the blogs on the dangers from this player so didn’t bother but did not want to waste my days downloading so tried to re-encode the file using :
http://wildman-productions.org/
They have a simple free decoder….It worked fast and well but the film was not “Harry Potter” but “Shooter”…..looks like a good film so time not totally wasted.
Now trying for Harry again.

38 Aug 23, 2007 at 13:37 by blablabla

if u use mininova to search for ur torrents it tells u the actual name of the provider so if it says axxo its axxo if it just says axxo in the name of the torrent then it isnt axxo 3wplayer is a trojan and not a very nice 1 either so STAY AWAY :)

39 Aug 30, 2007 at 15:58 by searcher

do not download it
the player3w.com is a big virus

so if you read it , don’t download it

40 Aug 31, 2007 at 00:12 by archangel

http://mindcut.net/avi.htm, just one more 3wPlayer bs site. I think downloading that 3wplayer is what messed up my laptop too, from back when i first started downloading torrents. any tips on fixing my top?

41 Sep 03, 2007 at 11:25 by upsetby3wplayer

3wplayer is the worst possible thing ever created by man! Whoever invented it should get the same treatment as “Bond” did in Casino Royale when he was tortured by the guy he won poker with.

They are just pathetic beings that mess up my P2P sharing. WTF.

42 Sep 07, 2007 at 12:25 by Dark

I downloaded Indiana.Jones.4[2007]DvDrip[Eng]-aXXo, was asking me to download and pay 4 dom player…when used the http://wildman-productions.org/ it started asking for 3wplayer (already free) so I did converting again…and it became just an audio file, some kind of shit about blue girls…was actually 10 min talking repeating it so it’s 1 hour length…

43 Sep 07, 2007 at 12:36 by Dark

…Pirates.Of.The.Caribbean.3[2007]DvDrip[Eng]-aXXo same thing (some kind of radio talking or whatever it is), but was able to play after first converting…if anyone can tell me, have I done any damage to my PC by downloading that 3wplayer…I uninstalled it after it failed to play…I just ignored the warnings from my Avast about “Win32:Obfuscated-BPS[Trj]…

44 Sep 07, 2007 at 13:30 by Dark

How can I report these torrents ‘cos there are people still downloading them, Pirates.Of.The.Caribbean.3[2007]DvDrip[Eng]-aXXo seeds:138 peers:243 (and it’s infected with 3wplayer)…I don’t remember where I took them from…I am using UTorrent 1.7.4, how can I track them?!
Sorry 4 stupid questions

50 Sep 20, 2007 at 03:19 by Charlie

What do I put in the output section of a 3wPlayer converter?
Help!!

51 Sep 21, 2007 at 22:13 by Zeeshan Khan

When I run 2 movies that I downloaded through lime wire named “NO RESERVATIONS” & “THE BRAVE ONE”, while playing them through WMP I get the msg “Windows Media Player cannot play the file. The Player might not support the file type or might not support the codec that was used to compress the file.” I have tried VLC player, real one, Power DVD, WMP 10 & 11 & Classic but to no use. I need help, can anyone tell me how can I make these movies play

52 Oct 01, 2007 at 07:50 by flower

well.. at isohunt.com there are more and more .avi -container-files like this.. I think the admins are very weak because they don’t really care …. some bad files like “The.Kingdom[2007]DvDrip[Eng]-aXXo.avi” or “Beowulf.2007.DVDRip.XviD-DIAMOND.avi” could be easily erased, but nothing happens… even after the very nice aXXo-interview at this blog. What’s wrong with isohunt.com and their admins?

54 Oct 17, 2007 at 17:56 by Completely Immune

@12

lol….damn that spyware

56 Oct 26, 2007 at 01:59 by winterfuknmute665

If you’re looking for a good media player try miro, zeropaid has a great post on how to download bitTorrents with it.

And this blog “the fullmetal blog” shows you how to rip video from video sharing sites with it.

http://thefullmetalblog.blogspot.com/

58 Oct 29, 2007 at 11:15 by Anonymous

bam axxo and all others that practice this shit

59 Oct 30, 2007 at 23:37 by Mirrithin

My brother was stupid enough to dl and try to pay for the domplayer for a file that was supposed to be prisonbreak s03e06.. (after decrypting it it turned out to be some ep of heroes)
anyone knows what happens with his phone? will they tap his phone for money, and is there a way of stopping them?

61 Nov 08, 2007 at 05:49 by Anon

Handle your blog spam

62 Nov 12, 2007 at 18:33 by kinewah

I have downloaded a few of these torrents… “need dom player” or password to open. I have deleted them. Can I still trust my security services to protect my computer and can I do online banking safely? I am new to computers and prefer not to find out the hard way. Thanx

64 Nov 16, 2007 at 07:08 by Anonymous

yea

65 Nov 18, 2007 at 15:29 by kočp.čpš

[quote comment="103531"]I tipped on this :D xD[/quote]

68 Nov 23, 2007 at 06:53 by Skynets

Such mother fuckers should be paid in their ass…

69 Nov 23, 2007 at 08:07 by Anonymous

[quote comment="221504"]Such mother fuckers should be paid in their ass…[/quote]
[quote comment="160494"]How can I report these torrents ‘cos there are people still downloading them, Pirates.Of.The.Caribbean.3[2007]DvDrip[Eng]-aXXo seeds:138 peers:243 (and it’s infected with 3wplayer)…I don’t remember where I took them from…I am using UTorrent 1.7.4, how can I track them?!
Sorry 4 stupid questions[/quote]
