Here is a little info about the nasty 3wplayer and his friends
on: November 15, 2007, 03:32:35 PM
I found this at Wikipedia:
http://en.wikipedia.org/wiki/3wPlayer
3wPlayer is a rogue media player software application bundled with trojans that can infect computers running Microsoft Windows. It is designed to exploit users who download video files, instructing them to download and install the program in order to view the video. The 3wPlayer employs a form of social engineering to infect computers. Seemingly desirable video files, such as recent movies, are released via BitTorrent or other distribution channels. These files resemble conventional AVI files, but are engineered to display a message when played on most media player programs, instructing the user to visit the 3wPlayer website and download the software to view the video. The program is bundled with malware that has various undesirable effects. It has been claimed that the 3wPlayer idea was devised by the MPAA, but as of 2007 no evidence of this has been found.
The 3wPlayer is infected with Trojan.Win32.Obfuscated.en, which is typically installed without user interaction through security exploits, and can severely compromise a user's system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without a user's consent and severely degrade the performance and stability of the computer.
And his friends
DivoCodec
The DivoCodec or Divo Codec has also been identified as a virus similar to 3wPlayer. Users are instructed to download the codec in order to view an AVI file.
False .avi files are easily spotted by checking the duration of the file; typical values for this virus type of shell file are 3 to 12 seconds, indicating there really is no movie/TV series despite the apparent size of the file.
Instead of actual codecs, DivoCodec installs malware on the user's computer. The DivoCodec is polymorphic and can change its structure. It has also been known to write to another process's virtual memory (process hijacking).
DomPlayer
The DomPlayer is similar to the DivoCodec and 3wPlayer. Users are also instructed to download the player in order to view an AVI file.
As with DivoCodec, false .avi files are easily spotted because of the duration of the file, usually lying at 10-12 seconds, from which one can conclude that there is no chance that the file is a movie/TV series, despite the size of the file.
Files and Processes Affected By 3wplayer
* %ProgramFiles%\3wPlayer\settings.ini
* %ProgramFiles%\3wPlayer\settings.stp
* %ProgramFiles%\3wPlayer\SkinCrafterDll.dll
* %ProgramFiles%\3wPlayer\skins\Stylish.skf
* %ProgramFiles%\3wPlayer\test.gif
* %ProgramFiles%\3wPlayer\unins000.dat
* %ProgramFiles%\3wPlayer\unins000.exe
* C:\Documents and Settings\All Users\Start Menu\Programs\3wPlayer\3wPlayer.lnk
* C:\Documents and Settings\*USERNAME*\Local Settings\Temp\Temporary Internet Files\Content.IE5\%ProgramFiles%\3wPlayer\3wPlayer.exe
* C:\Documents and Settings\*USERNAME*\Local Settings\Temp\Temporary Internet Files\Content.IE5\%ProgramFiles%\3wPlayer\minime.exe
* C:\Documents and Settings\*USERNAME*\Application Data\Play About\BatBurnDefault.exe
* C:\Documents and Settings\*USERNAME*\Application Data\Play About\poke dale mail.exe
* C:\Documents and Settings\*USERNAME*\Application Data\Play About\wpmhjiea.exe
* C:\Documents and Settings\*USERNAME*\Local Settings\Temp\Temporary Internet Files\Content.IE5
* C:\Documents and Settings\*USERNAME*\Application Data\"something stupid"\mp3 roam.exe
You can only delete the above files via Windows Safe mode, command mode.
*Some users may find it necessary to make all system files visible to see exe virus files. It is recommended that users enter safe mode to delete files associated with 3wplayer.
So think again when the message appears on your computer
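The duration check described above for false .avi files can be automated by reading the duration an AVI declares in its main header and comparing it with the file size. The following is an added example, not part of the original post or the quoted article; the thresholds, function names and the constructed sample header are assumptions.

```python
import os
import struct

# Assumed thresholds (not from the post): a movie-sized file that declares
# only a few seconds of video is treated as a likely shell file.
MAX_SHELL_SECONDS = 15.0
MIN_MOVIE_BYTES = 50 * 1024 * 1024

def avi_declared_seconds(head: bytes) -> float:
    """Duration declared in the AVI main header ('avih'), read from the file's first bytes."""
    if len(head) < 12 or head[:4] != b"RIFF" or head[8:12] != b"AVI ":
        raise ValueError("not a RIFF/AVI container")
    pos = 12
    while pos + 8 <= len(head):
        fourcc = head[pos:pos + 4]
        size = struct.unpack_from("<I", head, pos + 4)[0]
        if fourcc == b"LIST" and head[pos + 8:pos + 12] == b"hdrl":
            pos += 12                      # descend into the header list
        elif fourcc == b"avih" and pos + 28 <= len(head):
            usec_per_frame = struct.unpack_from("<I", head, pos + 8)[0]
            total_frames = struct.unpack_from("<I", head, pos + 24)[0]
            return usec_per_frame * total_frames / 1_000_000
        else:
            pos += 8 + size + (size & 1)   # chunks are padded to even length
    raise ValueError("no 'avih' main header found")

def looks_like_shell_avi(head: bytes, file_size: int) -> bool:
    """True when a large file declares only a few seconds of video."""
    try:
        seconds = avi_declared_seconds(head)
    except ValueError:
        return False                       # not parseable as AVI: check does not apply
    return file_size >= MIN_MOVIE_BYTES and seconds <= MAX_SHELL_SECONDS

def check_file(path: str) -> bool:
    """Apply the check to a file on disk; only the first 4 KiB are read."""
    with open(path, "rb") as fh:
        return looks_like_shell_avi(fh.read(4096), os.path.getsize(path))

def sample_header(usec_per_frame: int, total_frames: int) -> bytes:
    """Constructed minimal AVI header, for demonstration only."""
    avih = struct.pack("<14I", usec_per_frame, 0, 0, 0, total_frames,
                       0, 1, 0, 640, 480, 0, 0, 0, 0)
    hdrl = b"hdrl" + b"avih" + struct.pack("<I", len(avih)) + avih
    body = b"AVI " + b"LIST" + struct.pack("<I", len(hdrl)) + hdrl
    return b"RIFF" + struct.pack("<I", len(body)) + body

if __name__ == "__main__":
    fake = sample_header(40_000, 250)      # 25 fps, 250 frames = 10 seconds
    print(avi_declared_seconds(fake), looks_like_shell_avi(fake, 700 * 1024 * 1024))
```

A flagged file is only a candidate for closer inspection: the check reads nothing but the declared header values and never plays or executes the file.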