TorrentFreak

The place where breaking news, BitTorrent and copyright collide

BitTorrent Malware Spreads to Media Players

When someone or something becomes a huge success, inevitably some people want a piece of that and try to cash in. The BitTorrent scene is no exception and in recent months we have reported on a raft of torrent clients hitting the internet, each installing malware on unsuspecting user’s PC’s. Sadly this disease is now spreading to their latest tool; malware-infected media players.

We have regularly reported on BitTorrent clients which also install malware such as Torrent101, BitRoll, TorrentQ and GetTorrent and have done our very best to let people know about the dangers of using such a product.

Unfortunately, as fast as we report such things, the malware peddlers create yet more bad clients with new names, but carrying the same bad story. However, these guys are very determined to get software such as CIDHELP on your machine, ready to watch your activities and to this end have become quite creative. Recently BitTorrent users are reporting that they have downloaded various pieces of video (usually a TV show) only to be confronted with a message during the first few seconds of the video which advises them to download a new media player called 3wPlayer, in order to view the rest of the file.

The displayed url directs the unsuspecting to the Play3W site, where they are given the chance of installing a shiny new media player.

3wPlayer

From the screenshot you will see that there is a ‘more’ button and when you install this player ‘more’ is exactly what you get – more malware in the form of CIDHELP, yet again. It can be difficult task to uninstall it too, especially when you consider the veiled legal threat on the CIDHELP site – the vendor warns you could be in breach of the EULA if you try to remove it with your anti-spyware software. To get rid of the software, they advise to first turn off your anti-adware/spyware software and re-install the software, something that rings a few alarm bells!

It may seem that every pusher in the world is getting involved in the BitTorrent malware scene but a simple WHOIS on all the domains hosting the torrent clients listed above, (Torrent101 for example) including the 3wPlayer site, reveals that they are more than likely the same outfit, exploiting the less experienced members of the BitTorrent community. Anyone concerned about a particular torrent should take the time to read the user comments on the site where the torrent was downloaded from. Very often problems such as fake files are spoken about there.

Anyone needing a media player that will deal with almost any video format should consider the excellent VLC Media Player, available for free download. Those who still haven’t settled on a quality BitTorrent client will find everything they need by getting uTorrent. No spyware, adware or malware present in either product.

Related Posts

Previous Post | Next Post

  • Pingback: They Are Determined To Hijack Your PC! « Mike Cane’s Blog

  • Johan Emeren

    I tipped on this :D xD

  • asia4all

    Why that fucker still get money as criminal? Hy try hard installing trojans on your machines! That ass is very demanding for money! Better he takes it and go fucking bitch as soon he will go to jail.

  • http://www.torrentfreak.com enigmax

    [quote comment="103531"]I tipped on this :D xD[/quote]
    You asked us to look at it and we did ;) Thanks

  • ph

    yay, fell for it as well :) that is, I downloaded a fake which wanted me to install this shiny new player, anyhow I just deleted it. But just to get this clear: These fakes are just to advertise their spyware and not somehow include the malware in the .avi itsself? so – no harm done if you just delete it straight away?

  • Jasper van Weerd

    [quote comment="103531"]I tipped on this :D xD[/quote]

    Fipo… amazing that TF gets this now too… ;)

  • smartass

    I put in a review of the website to
    McAfee SiteAdvisor for this site. Hopefully people will see it and not download the program

  • wrd

    i am just waiting for a massive video attack. malformed video streams which hijack you machine via your media player …

    who needs vulnerable services if there are plenty of vuln media players online.

    recent adobe photoshop png bugs for example could just pop a remote shell.

  • tatootian
  • nofollow for the win

    maybe not the smartest idea to have the 3 “another” links to the Homepages of the malware clients without a nofollow tag.

    you don’t want to give them extra pagerankings in google, would you enigmax?

  • Unsub

    I found one of these on a copy of 28weeks later from Piratebay. As soon as the “you need our player” message came on I knew it was bogus. They even used AXXO’s name to fool people with.

  • Franky

    It even looks fake. How can people be tricked by that?

  • Ryan

    It’s called open source guys.

  • T

    “Recently BitTorrent users are reporting that they have downloaded various pieces of video (usually a TV show) only to be confronted with a message during the first few seconds of the video”

    How does that work? What media file formats are we talking about here? Does this presuppose that the machine is already malware infected?

  • Pingback: BitTorrent Malware Spreads to Media Players « Entechx

  • Pingback: BitTorrent Malware Spreads to Media Players — Torrents and more

  • qr7z

    “But just to get this clear: These fakes are just to advertise their spyware and not somehow include the malware in the .avi itsself?”

    Generally, yes, since media files need to be played in external programs. Be aware that Windows has a “feature” that hides known extensions, so potentially dangerous files can appear harmless by default – for example, “malware.avi.exe” might look like “malware.avi”. I have seen viruses take advantage of this, so I recommend changing it to show all extensions.

    You should also keep your player and other software reasonably current, because it is possible to exploit vulnerabilities using hacked media files. Although this is hard, there are still a few websites using special wmf files to infect unpatched computers. I wouldn’t put it past them to do the same thing through bittorrent as new vulnerabilities are discovered.

    Finally, remember that these are professional criminals who are always trying something new. For example, some legitimate torrents include codecs “just in case”, and it’s possible that criminals might try the same thing – for example by providing an unplayable avi/mkv and fake codecs that install malware. Use common sense and don’t let your guard down.

  • cisco

    ok so like if i download the VLC media player will i be able to watch the movie i downloaded or did i just wast a day downloading a movie that is fake. Oh and it had AXXO on it.

  • phorty40

    @ph
    you’ll be fine aslong as you dont download the player itself

    @ cisco
    you wasted a day man , sorry about that.

  • mapi

    Crap, I downloaded pirates of the carabean 3. It took me 14 days. Now I’m simply stuck with a 4,5 gig video containing “Only … can play this video” bla bla bla. Wasted my time, I’ll kill these guys!

  • Shane Freemantle

    I just downloaded the player and managed to disable all the crap in it within a few minutes, The player still works fine, its quite a good piece of software. And I dont work for them or anyone else. My Spyware-Watcher shows nothing now and my system isnt running any unwanted processes. I managed to fix it, I am not sure the spyware is necessary in a piece of software like this its good as it is.

  • T

    Another axxo imposter – I tried downloading “Shooter,” but came up with the 3wplayer screen in wmp.
    So if this is a simple codec problem, then installing a codec combo from http://www.cccp-project.net/ should solve the problem. But still I don’t see why downloading any other player should matter.

  • saskmale

    I downloaded what I thought was Oceans 13, and after working with the 3wplayer, I did get a video to play (other than the download blah blah blah). Problem is, its Shrek 3.
    Thats the good news, its a great copy. bad news, I cant get it to burn to a disk to view on tv. Id hate to look for another version. Anybody ever get through 3wplayer to see a movie? Did you get to convert to another format?

  • Merciless

    I downloaded another stupid 3wplayer movie (Pirates 3) and luckily I read the agreement page with the end-user agreement statement about all of the data that will be transmitted from and to my pc. Point being: ALWAYS READ THAT CRAP! The file shows as Divx3 format, but only repeats the 3wplayer message. I think it’s some bs personally!

  • na

    if these files are rel it stores 2 indexes of the avi etc . so when norm players read it it plays the bogus 3w player msg. if a file is real i imagine it skipps to index 2 . possibly we can make a program to strip off the first index few bytes etc to fix the files but theres no real way to tell if its real off the bat in preview if i see the message i delete .

  • Andrew

    Hey guys i was downloading Grindhouse when this crap happened to me. I am rather new to the BitT. world so forgive me if I may sound dumb, I used VLC to open the file says the “3..player” thing, but the file it’s self is 682mb and yet is only 20 sec long. Is there a way to deal with this?

  • Da_Lord

    http://forum.mininova.org/lofiversion/index.php?t234994521.html

    see “codemonkey” comment (2nd on the page)! get this perl script runner: (choose your OS)
    - http://www.activestate.com/store/download.aspx?prdGUID=81fbce82-6bd5-49bc-a915-08d58c2648ca -
    instaled and run “script.pl cripted.avi uncripted.avi” (as script.pl being the code on the “codemonkey” comment) on cmd in the same folder as cripted avi.
    at the end, the most probable thing is to get a movie that you wold not expect! i did this on a die hard 4 fake file to find a texas chainsaw massacre the 1st!
    the thing is, the perl script works wonders! till the key is changed!

  • BaDboD

    that perl script worx,, however the movie is not as advertised,, still good though, i can seed a new movie I didnt get to see otherwise,,, thanks 3wplayer. Make sure you dont download their player crap. I didnt, and seeing as the movie was bogus (well unexpected but pretty good anyways) there player MUST be bogus also. If MPC, VLC or media player cant play it then kick it.

  • BaDboD

    P.S. the movie I got was Shooter,, I was downloading Evan Almighty,, go figure. use the perl,, f**k the 3wplayer. I read enough to get the picture regarding the 3w-whatever malware S**t

  • Turan

    3wplayer has Virus, I scaned it with ZoneAlarm. Do not download.

  • vinpalaboy

    I downloaded the movie shrek 3 with the 3w player and install it,but when i played the movie,(shrek 3)it was a porno movies,what a fucking shit software,so, please don’t try to install this anymore.

  • leechingbastard

    In the above mininova thread, tansy dog, a site mod, states and I quote

    “I am closing this thread, as while you guys are doing good work in figuring out how to play the 3wplayer-requiring files without downloading their spyware player, the fact remains that most of them are MPAA-tracked fakes, and it is dangerous to download them.”

    I googled this like crazy and can’t find ifo on it anyware. Can anyone confirm this.
    It seems to me as the mods on mininova are getting a bit paranoid. MPAA wouldn’t upload fake films with copyrighted films with links to malware infected players like this.

  • leechingbastard

    The above mentiond 3wplayer people are a site registred with godaddy.com. They have variations on there name. 3wplaer.com etc..

    Godaddy.com is a two bit web hosting domain of quality’s even the mpaa would find questionable.

    An anonymous mail has been passed to them stating.

    “I am writing to complain about a site you are hosting.
    3wplayer.com.
    This site is responsible for uploading copyrighted movie material to the bittorent comunity. Said movies refuse to work unless you download the 3wplayer wich actualy contains a virus payload.
    Please act on this imediatly or I will pass this information on to the appropriate authorities.”
    Let’s see if this gets the domain behind them moving.

    Use the bad guys against the bad guys. ;)

  • Manish

    hi
    this is very useful site i never seen before, i came to know many things out here,
    but still have a problem that which software can play the movie, which requires 3wplayer?
    plz reply
    thanks

  • burnie

    yo manish just forget about it ,, if u have a file that says you need 3wplayer just delete it, post a comment where u got it from warning others and hope that next time you read the comments before u download some1 has done the same for you.

  • Pingback: TorrentSpam: Report Fake and Malware Ridden Torrents | TorrentFreak

  • Wildman

    We at Wildman Productions have became aware of this growing problem of AVI video files encoded for the malicious 3wplayer and have created a file converter which will rewrite the file to work as a standard media file, without 3wplayer. The converter can be found at our project page at http://wildman-productions.org/

  • chessdxs

    the 3wplayer software has been created with the sole purpose to undermine the P2P community.
    The identity of the owner of the 3wplayer domain has been kept secret through a domainsByProxy service. It is not hard to imagine who desires the demise of the P2P revolution though –> MPAA

  • Michele
  • maikalal

    hi pals.

    i had downloaded oceans13 avi file from thepiratebay and unknowingly downloaded the 3wplayer to play and watch the full movie. so far my sys is good. i came to know about this site, while in search for a software for converting the above avi to be played in any media player. after reading the above posts, i have decided to uninstall 3wplayer.
    thax to all the posts. have a nice day

  • moggy5

    I downloaded a Harry Potter film and found it required me to get the 3Wplayer….I found all the blogs on the dangers from this player so didn’t bother but did not want to waste my days downloading so tried to re-encode the file using :
    http://wildman-productions.org/
    They have a simple free decoder….It worked fast and well but the film was not “Harry Potter” but “Shooter”…..looks like a good film so time not totally wasted.
    Now trying for Harry again.

  • blablabla

    if u use mininova to search for ur torrents it tells u the actual name of the provider so if it says axxo its axxo if it just says axxo in the name of the torrent then it isnt axxo 3wplayer is a trojan and not a very nice 1 either so STAY AWAY :)

  • searcher

    do not download it
    the player3w.com is a big virus

    so if you read it , don’t download it

  • archangel

    http://mindcut.net/avi.htm, just one more 3wPlayer bs site. I think downloading that 3wplayer is what messed up my laptop too, from back when i first started downloading torrents. any tips on fixing my top?

  • upsetby3wplayer

    3wplayer is the worst possible thing ever created by man! Whoever invented it should get the same treatment as “Bond” did in Casino Royale when he was tortured by the guy he won poker with.

    They are just pathetic beings that mess up my P2P sharing. WTF.

  • Dark

    I downloaded Indiana.Jones.4[2007]DvDrip[Eng]-aXXo was asking me to download and pay 4 dom player…when used the http://wildman-productions.org/ it started asking for 3wplayer (allready free )so I did converting again…and it became just an audio file some kind of shit about blue girls…was actually 10 min talking repeating it so it’s 1 hour length…

  • Dark

    …Pirates.Of.The.Caribbean.3[2007]DvDrip[Eng]-aXXo same thing ( some kind of radio talking or what ever it is) , but was able to play after first converting…if anyone can tell me Have I done any damage to my PC by downloading that 3wplayer…I unistalled it after it failed to play…i just ignored the warnings from my Avast about “Win32:Obfuscated-BPS[Trj]…

  • Dark

    how i can report this torrents ‘cos there is people still downloading them Pirates.Of.The.Caribbean.3[2007]DvDrip[Eng]-aXXo seeds:138 peers:243 ( and it’s infected with 3wplayer)…i do’t remember where i took them from …I ‘am usung UTorrent 1.7.4 how can I track them?!
    sorry 4 stupid questions

  • reviews

    lengthens dear modularizes crosser scoffed beriberi

  • reviews

    vermin Presbyterianizes Atreus asthma curtains accusation

  • directory

    Borroughs offers picturesque Piscataway updating shrines!acclimate

  • guide

    hisses Brunswick emaciate Julia.Howe!caking recombining:

  • login

    immemorial messing Dis reporters!breakables centripetal limelight .

  • Charlie

    What do I put in the output section of a 3wPlayer converter?
    Help!!

  • Zeeshan Khan

    When i run 2 movies that i downloaded through lime wire named “NO RESERVATIONS” & ” THE BRAVE ONE” while playing them through WMP i get the msg “Windows Media Player cannot play the file. The Player might not support the file type or might not support the codec that was used to compress the file.” i have tried VLC player real one Power DVD, WMP 10 & 11 & Classic but to no use” i need help can ani one tell me how can i make these movies play

  • flower

    well.. at isohunt.com there are more and more .avi -container-files like this.. i think the admins are very weak because they don´t really care …. some bad files like “The.Kingdom[2007]DvDrip[Eng]-aXXo.avi” or “Beowulf.2007.DVDRip.XviD-DIAMOND.avi” could be easily erased, but nothing happens… even after the very nice aXXo-interview at this blog. whats wrong with isohunt.com and their admins?

  • Anonymous

    noose softens acquiescing seducer present bumbled?emigrates Miranda?Babka.

  • Completely Immune

    @12

    lol….damn that spyware

  • Pingback: DomPlayer Rips Off aXXo BitTorrent Fans for $$$ | TorrentFreak

  • login

    counteractive scale schism ripped radium?bullfrog epistle,playfulness Charles:

  • winterfuknmute665

    If your looking for a good media player try miro, zeropaid has a great post on how to download bitTorrents with it.

    And this blog “the fullmetal blog” shows you how to rip video from video sharing sites with it.

    http://thefullmetalblog.blogspot.com/

  • directory

    shuddering keels Cedric voyaging?perceptible.Moe chubbier scarcely epilogue

  • Anonymous

    bam axxo and all others that practic this shit

  • Mirrithin

    My brother was stupid enough to dl and try to pay for the domplayer for a file that was supposed to be prisonbreak s03e06.. (after decrypting it it turned out to be some ep of heroes)
    anyone knows what happens with his phone? will they tap his phone for money, and is there a way of stopping them?

  • college betting line

    tiredly fatals subsidizes?eyebrow affections sprout astray

  • Anon

    Handle your blog spam

  • kinewah

    I have downloaded a few of these torrents… “need dom player” or password to open. I have deleted them. Can I still trust my security services to protect my computer and can I do online banking safely? I am new to computers and prefer not to find out the hardway. Thanx

  • guide

    interferes reactionary experiencing worthy arterioles dismissing:emasculate – Tons of interesdting stuff!!!

  • Anonymous

    yea

  • kočp.čpÅ¡

    [quote comment="103531"]I tipped on this :D xD[/quote]

  • click here

    descends arguable colors review:consulate fallow assuaged .

  • tip

    hooves reallocate modulation mendacity Burton,authoritarianism differentiations slotting Germania.

  • Skynets

    Such mother fuckers should be paid in their ass…

  • Anonymous

    [quote comment="221504"]Such mother fuckers should be paid in their ass…[/quote]
    [quote comment="221504"]Such mother fuckers should be paid in their ass…[/quote]
    [quote comment="160494"]how i can report this torrents ‘cos there is people still downloading them Pirates.Of.The.Caribbean.3[2007]DvDrip[Eng]-aXXo seeds:138 peers:243 ( and it’s infected with 3wplayer)…i do’t remember where i took them from …I ‘am usung UTorrent 1.7.4 how can I track them?!
    sorry 4 stupid questions[/quote]

  • BTGuard - BitTorrent Anonymously

NewsBits

Even more news...

  • The Pirate Bay Isn’t Down Completely, Just Having a Few Issues

    Twitter and Facebook, not to mention the TorrentFreak inbox, are currently alive with complaints that The...

  • Pirate Bay Founder Gottfrid Svartholm on Freedom of Speech

    Freedom of speech is a highly valued commodity, but should people be allowed to say whatever...

  • Blu-ray Anti-Piracy Tech Stops Discs and Promotes Purchases

    An anti-piracy system present in all official Blu-ray players since 2012 has received a fresh update...

  • Foxtel Breeds Pirates by Locking Up Game of Thrones

    One of the main reasons why people turn to piracy is the lack of legal alternatives....

  • UK Student Admits Breaching Sony Copyrights With Leak of PS3 SDK

    Last year an Internet user known as El Nomeo leaked version 3.70 of Sony’s Playstation3 SDK...

MostDiscussed

Below are TorrentFreak's most discussed articles of the past month. Join the discussion if you like.

CopyQuote

Left Quote

“The Pirate Bay has been one of the most important movements in Sweden for freedom of speech, working against corruption and censorship.

Peter Sunde Left Quote

PopularArticles

A selection of some TorrentFreak's classics dug up from our archives.