New media malware attack on file sharing networks

A new media malware attack has broken out on file-sharing networks, reaching an estimated 500,000 PCs since 2nd May. The malicious MP3 music or MPEG video files have appeared on popular file-sharing services such as Limewire and eDonkey. Firms should be concerned, as employees often access such file-sharing networks on corporate machines.

So what happens? Downloader-UA.h trojans are fake music and video files associated with fastmp3player.com. The file sizes vary because these files are padded with nulls. The file names vary as well. When a user attempts to load one of these MP3 or MPG files, they do not get the music or video they were hoping for; instead they are directed to download a file named PLAY_MP3.exe. In fact, the MP3/MPG file they downloaded was completely fake and plays no media clip whatsoever.

If users agree to download and run PLAY_MP3.exe, a 4,800 word EULA is displayed. When users agree to the EULA and choose to proceed, the adware "FBrowsingAdvisor" and "SurfingEnhancer" is installed, as described in the EULA. PlayMP3.exe from PlayMP3.biz, which is installed, is simply a browser control wrapped in an exe; it doesn't actually play local MP3 files, but rather loads a webpage running the Wimpy MP3 Flash player. This page lets the user listen to a canned selection of a couple dozen songs.

Some of the sample names used by the malicious media files include "preview-t-3545425-adult.mpg", "preview-t-3545425-changing times earth wind.mp3", "preview-t-3545425-girls aloud st trinnians.mp3", "preview-t-3545425-jij bent zo jeroen van den.mp3", "t-3545425-lion king portugues.mpg" and "t-3545425-los padres de ella.mpg". For a full list of potential filenames for the trojan, see the McAfee threat assessment.
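
As an added illustration (not code from this article or from McAfee), the sketch below sweeps a shared-download folder and flags .mp3/.mpg files by the two traits described above: the sample name shape and null padding. The 90% null threshold, the generalised digit run in the name pattern, and all function names are assumptions of this example.

```python
import os
import re
import tempfile
from pathlib import Path

# Name shape of the samples quoted above; generalising the digits is an assumption.
NAME_RE = re.compile(r"^(preview-)?t-\d+-.+\.(mp3|mpg)$", re.IGNORECASE)
NULL_RATIO_THRESHOLD = 0.90  # assumed triage threshold, not from the article


def null_ratio(path, chunk_size=1 << 16):
    """Fraction of the file's bytes that are 0x00 (0.0 for an empty file)."""
    total = zeros = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            total += len(chunk)
            zeros += chunk.count(0)
    return zeros / total if total else 0.0


def triage(path):
    """Reasons an .mp3/.mpg file resembles the padded fakes; [] if none."""
    name = os.path.basename(path)
    if not name.lower().endswith((".mp3", ".mpg")):
        return []
    reasons = ["name-pattern"] if NAME_RE.match(name) else []
    if null_ratio(path) >= NULL_RATIO_THRESHOLD:
        reasons.append("null-padded")
    return reasons


def scan(root):
    """Walk a tree and return {path relative to root: reasons} for flagged files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = triage(full)
            if reasons:
                hits[os.path.relpath(full, root)] = reasons
    return hits


def demo():
    """Constructed samples: one null-padded fake, one file with no null bytes."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "preview-t-3545425-adult.mpg").write_bytes(b"stub" + b"\x00" * 4096)
        Path(d, "song.mp3").write_bytes(bytes(range(1, 256)) * 16)
        return scan(d)
```

A flagged file is a candidate for review, not a verdict: confirm it against the vendor's detection before removing anything.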




