3wPlayer

From Wikipedia, the free encyclopedia

3wPlayer is a rogue media player software application bundled with trojans that can infect computers running Microsoft Windows. It is designed to exploit users who download video files, instructing them to download and install the program in order to view the video. The 3wPlayer employs a form of social engineering to infect computers. Seemingly desirable video files, such as recent movies, are released via BitTorrent or other distribution channels. These files resemble conventional AVI files, but are engineered to display a message when played on most media player programs, instructing the user to visit the 3wPlayer website and download the software to view the video. The program is bundled with malware that has various undesirable effects.

The 3wPlayer is infected with Trojan.Win32.Obfuscated.en, which is typically installed without user interaction through security exploits, and can severely compromise a user's system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without a user's consent and severely degrade the performance and stability of the computer.[1]

A Perl script posted online can reportedly decrypt 3wPlayer files back into AVI.[2] This claim has been tested with mixed results, as the intended AVI file is rarely the desired video file. Users are encouraged to delete the file from their hard drive.

Antivirus software can be used to remove trojans and viruses installed by 3wPlayer.

DivoCodec

The DivoCodec or Divo Codec has also been identified as a virus similar to 3wPlayer. Users are instructed to download the codec in order to view an AVI file.

False .avi files are easily spotted by checking the duration of the file. Typical values for this type of shell file are 3 to 12 seconds, indicating that there really is no movie or TV series despite the apparent size of the file.

Instead of actual codecs, DivoCodec installs malware on the user's computer. The DivoCodec is polymorphic and can change its structure. It has also been known to write to another process's virtual memory (process hijacking).[3]

DomPlayer

The DomPlayer is similar to the DivoCodec and 3wPlayer. Users are also instructed to download the player in order to view an AVI file.

As with DivoCodec, false .avi files are easily spotted by the duration of the file, usually 10-12 seconds, from which one can conclude that the file cannot be a movie or TV series, despite its size. This is not always the case, however, as many distributors have recently begun falsifying the file's metadata to display normal durations and file sizes.
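The duration check described for DivoCodec and DomPlayer files can be automated by reading the timing fields of the AVI main header. The following is an added example, not part of the original article; the function names and the 15-second and 50 MiB thresholds are assumptions, and, as noted above, a file with falsified metadata will pass this check.

```python
import os
import struct

def avi_duration_seconds(data: bytes) -> float:
    """Duration declared in the AVI main header ('avih' chunk), in seconds."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"AVI ":
        raise ValueError("not a RIFF/AVI file")
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        if fourcc == b"LIST" and data[pos + 8:pos + 12] == b"hdrl":
            pos += 12                      # descend into the header list
            continue
        if fourcc == b"avih":
            if pos + 28 > len(data):
                raise ValueError("truncated avih chunk")
            # dwMicroSecPerFrame, three fields skipped here, dwTotalFrames
            usec_per_frame, _, _, _, total_frames = struct.unpack_from(
                "<5I", data, pos + 8)
            return usec_per_frame * total_frames / 1_000_000
        pos += 8 + size + (size & 1)       # chunks are padded to even length
    raise ValueError("avih chunk not found")

def looks_like_shell_file(header: bytes, file_size: int,
                          max_secs: float = 15.0,
                          min_bytes: int = 50 * 1024 * 1024) -> bool:
    """True when a large file declares only a few seconds of video.
    Both thresholds are assumptions chosen for this example."""
    return file_size >= min_bytes and avi_duration_seconds(header) <= max_secs

def check_path(path: str) -> bool:
    """Apply the check to a file on disk, reading only its first 64 KiB."""
    with open(path, "rb") as fh:
        return looks_like_shell_file(fh.read(65536), os.path.getsize(path))

def sample_header(usec_per_frame: int, total_frames: int) -> bytes:
    """Constructed sample: minimal RIFF/AVI header with the given timing."""
    avih = struct.pack("<14I", usec_per_frame, 0, 0, 0, total_frames,
                       0, 1, 0, 640, 480, 0, 0, 0, 0)
    hdrl = b"hdrl" + b"avih" + struct.pack("<I", len(avih)) + avih
    body = b"AVI " + b"LIST" + struct.pack("<I", len(hdrl)) + hdrl
    return b"RIFF" + struct.pack("<I", len(body)) + body

if __name__ == "__main__":
    # Constructed case: 10 seconds of video in a 700 MiB file.
    print(looks_like_shell_file(sample_header(40000, 250), 700 * 1024 * 1024))
```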

www.TorrentMovieSupport.com

Similar to the other cases, playing a movie file leads the user to an online link with undesirable results.

References

  1. Trojan.Win32.Obfuscated.en
  2. Mininova Forum: 3wplayer and the like..., accessed on 10/3/07
  3. DIVOCODEC-1.3.0.0-SETUP-0717[1].EXE, Prevx
