Adware.PlayMP3z.B

HIGH
HIGH
approx. 300 kb

Symptoms

  1. This adware usually disguises itself as a "codec" for viewing or listening to media files. It claims that without this product the user can't access the desired file. A sample of this spreading strategy is explained here.
  2. A window titled "Play Free MP3s" pops up when the user tries to access a certain kind of exploited media file. It has a checkbox for accepting the product's EULA, issued by a company named "Media Holding Enterprises". This piece of malware downloads other adware such as Adware.PornPro.A, Adware.Netnucleus.B or different versions of Adware.Mirar.


Here is a snapshot of how the malware looks.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Daniel Chipiristeanu, virus researcher

Technical Description:

This application is meant to "collect" personal information from the client's computer and use it in marketing or suspicious practices. When executed, the adware displays a pop-up with the EULA (as seen in the above screenshot).

After the user clicks "I Agree", the software installs or downloads these files:

  • %Temp%\Mirar_V55_876933_LOG_IESC_AFF_ATD_TID_noMDNS_RPT_AVM.exe
  • %Temp%\tem2.tmp.exe
  • %Temp%\tem6.tmp.exe
  • %Temp%\temA.tmp.exe
  • %Temp%\temB.tmp.exe
  • %Start Menu%\Programs\PlayMP3z\Run PlayMP3z.lnk
  • %Program Files%\BrowsingAdvisor\BrowsingAdvisor-1.dll
  • %Program Files%\BrowsingAdvisor\pcre3.dll
  • %Program Files%\BrowsingAdvisor\uninstall.exe
  • %Program Files%\PlayMP3z\PlayMP3.exe
  • %Program Files%\PlayMP3z\uninstall.exe
  • %Program Files%\Search Spider\DownloadGnutella.exe
  • %Program Files%\Search Spider\SpiderUpdate.exe
  • %Program Files%\Search Spider\SearchSpider.dll
  • %system32%\WinNB55.dll

It also creates these registry entries:

  • HKEY_CURRENT_USER\Software\Mirar
  • HKEY_CURRENT_USER\Software\BrowsingAdvisor
  • HKEY_CURRENT_USER\Software\MediaHoldings
  • HKEY_CURRENT_USER\Software\PlayMP3
  • HKEY_CURRENT_USER\Software\SearchSpider
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowsingAdvisor.BrowserWatcher
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowsingAdvisor.PornPro_BHO
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchSpider.SpiderBHO
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchSpider.SpiderBar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\searchspider
  • HKEY_LOCAL_MACHINE\SOFTWARE\RelatedPageInstall
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\searchspidersvc

The installed files are detected by BitDefender as Adware.PornPro.A, Adware.Netnucleus.B or different versions of Adware.Mirar.
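
As an added example (not BitDefender's code), the file list above can be matched against a file inventory collected from a host by folding real Windows paths back into the page's placeholder notation. The expansions in `RULES` (including the `Program Files (x86)` and `SysWOW64` variants seen on 64-bit systems) and the sample listing are assumptions.

```python
import re

# File indicators copied verbatim from the page's list (page notation).
IOCS = {p.lower(): p for p in r"""
%Temp%\Mirar_V55_876933_LOG_IESC_AFF_ATD_TID_noMDNS_RPT_AVM.exe
%Temp%\tem2.tmp.exe
%Temp%\tem6.tmp.exe
%Temp%\temA.tmp.exe
%Temp%\temB.tmp.exe
%Start Menu%\Programs\PlayMP3z\Run PlayMP3z.lnk
%Program Files%\BrowsingAdvisor\BrowsingAdvisor-1.dll
%Program Files%\BrowsingAdvisor\pcre3.dll
%Program Files%\BrowsingAdvisor\uninstall.exe
%Program Files%\PlayMP3z\PlayMP3.exe
%Program Files%\PlayMP3z\uninstall.exe
%Program Files%\Search Spider\DownloadGnutella.exe
%Program Files%\Search Spider\SpiderUpdate.exe
%Program Files%\Search Spider\SearchSpider.dll
%system32%\WinNB55.dll
""".strip().splitlines()}

# Assumed expansions of the page's placeholders (anchored at the drive letter).
RULES = [
    (re.compile(r"^[a-z]:\\program files(?: \(x86\))?\\"), "%program files%\\"),
    (re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\"), "%system32%\\"),
    (re.compile(r"^[a-z]:\\(?:.*\\)?start menu\\"), "%start menu%\\"),
    (re.compile(r"^[a-z]:\\(?:.*\\)?temp\\"), "%temp%\\"),
]

def to_page_notation(path):
    """Lower-case a real Windows path and fold its root into a placeholder."""
    p = path.strip().lower().replace("/", "\\")
    for rx, placeholder in RULES:
        p = rx.sub(lambda m: placeholder, p, count=1)
    return p

def sweep(listing):
    """Return (page indicator, observed path) pairs for every hit in a listing."""
    pairs = ((IOCS.get(to_page_notation(o)), o) for o in listing)
    return [(ioc, o) for ioc, o in pairs if ioc]

SAMPLE = [  # constructed file listing, not real telemetry
    r"C:\Users\alice\AppData\Local\Temp\tem2.tmp.exe",
    r"C:\Program Files (x86)\Search Spider\SearchSpider.dll",
    r"C:\Windows\SysWOW64\WinNB55.dll",
    r"C:\Program Files\7-Zip\uninstall.exe",
]
```

`sweep(SAMPLE)` reports the first three entries; the 7-Zip `uninstall.exe` is not reported because matching is on the full path, not the file name alone.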

The EULA itself shows what kind of private-information collector this adware is. The following is an excerpt from the EULA's chapter "Permissions You Grant Us"; the italicized text can help the user understand the kind of threat the software represents for their privacy:

1) You grant Media Holding Enterprises the right to collect, retain and analyze all information pertaining to the use of your computer. This may include, but is not limited to, information and data regarding the use and surfing of the Internet; Internet browsing habits; URLs accessed and/or visited; other Licensed Materials packages that may have installed; search keywords; links, banners and/or ads clicked; domain names; Internet Service Provider information; Dynamic Host Configuration Protocol and Internet Protocol (static or dynamic) addresses; and/or the duration and number of visit(s) to websites and pages (collectively the "Information").  With respect to any Information gathered by the Licensed Materials, you agree that Media Holding Enterprises may use such Information for its business purposes, including, but not limited to; product support; Internet surfing trends and analysis; Information aggregation; pattern and geographic analysis; marketing, and development; both for ourselves and for third parties. You grant us the express permission to share and/or sell any of the Information we collect with 3rd Parties

2) Upon installation and/or registration of the Licensed Materials, you grant to Media Holding Enterprises your express permission to contact you with important information about your account and updates to our services, policies and business practices. You have the option to choose not to be contacted by uninstalling the Licensed Materials. If any information you provide to Media Holding Enterprises is incomplete or inaccurate, we have the right to terminate your license and ability to use the Licensed Materials.

3) You grant to Media Holding Enterprises your express permission to augment your Internet search results with context-sensitive advertising, to provide a specialized toolbar for targeted marketing and search results, to install icons for advertising link/launchers; all to work in conjunction with and as an enhancement to your present Internet browser technology.

4) You grant to Media Holding Enterprises your express permission to deliver to you, as part of the functionality of the Licensed Materials: a) URL based pop-up and pop-under advertising or search-relevant links b) error page helpers for DNS and 404 page errors c) the delivery and automatic installation of all updates and enhancements to the Licensed Materials d) the bundling of 3rd Party software applications with the Licensed Materials and any updates/enhancements of same.