Don't Install Windows XP SP3 [UPDATED].. & MP3/Trojan Warning
Two alerts for readers to be aware of. The first concerns Windows XP Service Pack 3 (SP3) that was just released to the public, and the second is about fake .MP3/.MPG audio files that could end up installing an [advertising] 'Trojan' if you let it.
Windows XP Service Pack 3 (SP3) is the latest packaging of all the Windows XP Updates since the last service pack (SP2). It also includes a few enhancements. You can read a "List of fixes that are included in Windows XP Service Pack 3" here.
According to a Computerworld article "the service pack contains 1,174 individual patches and hotfixes".
Microsoft describes the enhancements this way: "This update also includes a small number of new functionalities, which do not significantly change customers’ experience with the operating system." This MS page offers a 'white paper' that provides an "Overview of Windows XP Service Pack 3.PDF" (also available for download as ".docx" and ".xps").
The reason I'm advising users to wait is twofold.
First, it's always prudent [after the release of a service pack] to wait a little while and watch for any unforeseen issues to crop up as it encounters all the different variables out in the 'real world'.
The second reason follows:
That prudence was justified (as is often the case) when issues arose with people (who didn't wait..) who downloaded and installed XP SP3 on "...AMD-equipped PCs sold by Hewlett-Packard Co." (as reported in a Computerworld article called "XP SP3 cripples some PCs with endless reboots").
"The other problem, according to Johansson, also seems to affect only AMD machines, and involves an error message indicating trouble with the PC's BIOS. Johansson said that the ensuing recommendation to update the BIOS is "most likely not your problem," but said that the problem may be isolated to a specific motherboard. "Possibly, it is related to computers with the Asus A8N32-SLI Deluxe motherboard in them," he said."
Once XP SP3 has 'matured' a little bit, things settle down, and you want to install it, you definitely want to read this page from the Microsoft web site "Steps to take before you install Windows XP Service Pack 3". Issues like disabling your antivirus software during the half-hour install, a list of error messages you could encounter during the process, and what to do about each one are included.
There are also some issues involving Internet Explorer 6, IE7, & IE8 [beta], including the fact that if you want to be able to uninstall IE7 and go back to IE6 (after installing XP SP3) you have to uninstall IE7 before installing XP SP3.
[Update 5/19]: I have now updated both of my PCs with the XP SP3 update. Both PCs are made by HP, one with an AMD processor and the newer one an Intel Pentium D.
Both installations went smoothly and both PCs continue to run normally.
There were no issues with the HP-Intel PC to begin with, but before I updated the HP PC with the AMD processor I made sure I did one (simple) thing. I navigated to the "C:\WINDOWS\system32\drivers" folder and found the file named "intelppm.sys".
Following the directions on this HP support page I simply R-clicked on the file and renamed it "XXXintelppm.syx" (Note: In all these instructions I added the quotation marks, so you leave them out!).
That one file is the reason there's a problem. Why HP put an Intel system file on an AMD processor-equipped system is beyond me. There's a corresponding (and correct) 'AMD' file on the system. I can't see any reason for the intelppm.sys file to be included in the software package that HP puts on their PCs equipped with AMD processors.
Another thing I don't understand is why so many problems are still being reported OR why in some articles they say that the 'fix' requires changing the computer Registry. The instructions on the HP support page I cited don't mention altering the Registry, and the XP SP3 Update went smoothly for me after following their instructions. Changing the file name stopped the file from starting, which in turn prevented the 'endless reboot' issue. Problem solved (at least in my case).
If any of you run into problems after following the HP instructions (correctly) please let me know!
The 'Fake/rogue MP3 audio file Trojan' issue is confusing even the people writing about it (including me somewhat). It looks like a .mp3/.mpg file, but it's an .asf 'streaming' file that automatically opens Internet Explorer. The McAfee Avert Labs Blog article makes references to the Firefox browser (that I don't understand fully). I'll try to clarify it as much as I can.
Thomas Claburn of InformationWeek starts his article with this:
"Since Friday, more than half a million Trojan horse programs disguised as media files have been detected on consumer PCs, according to McAfee Avert Labs."
He references Craig Schmugar at McAfee Avert Labs:
"This is one of the most prevalent pieces of malware in the last three years," said Craig Schmugar, a McAfee Avert Labs researcher, in an e-mailed statement. "We have never before had a threat this significant that arrives as a media file."
Craig Schmugar writes on McAfee Avert Labs Blog ("Fake MP3s Running Rampant"):
"When a user attempts to load one of these MP3 and MPG files, they don’t get the music/video they were hoping for; instead they’re directed to download a file named PLAY_MP3.exe. In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip what so ever." [...]
Now this is why I said [at the top] "...if you let it". In order to "listen" to the audio file, you have to download and install [that] file, and you have to agree to (and click..) a EULA (End User License Agreement).
NOTE: There's an image of the EULA near the top of the McAfee Avert Labs Blog article.
"If users agree to download and run PLAY_MP3.exe (detected as Generic PUP.a with McAfee DAT files) a 4,800 word EULA is displayed."
Here's another article: "Rogue MP3 Trojan streaks across P2P networks" from John Leyden of The Register, in which he says:
[...]"The Trojan is being used to serve ads onto contaminated PCs as part of an apparent money-making scam.
McAfee reckons miscreants loaded hundreds of rigged MP3 and MPEG files onto popular file-swapping services such as Limewire and eDonkey. The files are all named differently (in multiple languages) and vary in size in order to make them appear like legitimate music or video files. Attempting to play one of the malicious files will trigger the download of an application named "PLAY_MP3.exe" that serves ads onto infected Windows PCs."
Now I originally discovered this whole issue in a SANS NewsBites Newsletter that referenced this article at the SANS Internet Storm Center [site] called "Scripts in ASF files". It's fairly technical, but basically ("it" is referring to the [supposed] audio file):
[...]"when you open it in Windows Media Player, it will immediately launch Internet Explorer which will then prompt you to download an executable file."[...] (bold emphasis mine)
Now this is where I get a bit confused.. The McAfee Avert Labs Blog doesn't say anything about Windows Media Player and Internet Explorer, it talks about Firefox. So I don't know if this issue affects people using other 'media players' or not at this point although there's a good chance that "VideoLAN VLC media player" and "Roxio Easy Media Creator" might be vulnerable as well.
I say this because when I look up the ".asf" file extension at FileInfo.net, the page mentions that the programs that 'open' .asf files are Windows Media Player, VideoLAN VLC media player, and Roxio Easy Media Creator. Another web site also connected the .asf file [format] to the Windows "Movie Maker" program.
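An added example, not part of the original post or of the articles it cites: a Python check that flags a file named .mp3/.mpg whose content is really an ASF container, and reports whether its header holds a Script Command object. It assumes the scripts the SANS article refers to are carried in that object; the function names are hypothetical and the sample bytes are constructed, not taken from a real file.

```python
import os
import struct
import uuid

# GUIDs from the ASF specification; they are stored little-endian on disk.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le
NON_ASF_MEDIA_EXT = {".mp3", ".mpg", ".mpeg"}  # extensions the fake files wore


def asf_header_objects(data):
    """Yield the GUID of each object in the ASF header; nothing if not ASF."""
    if len(data) < 30 or data[:16] != ASF_HEADER:
        return
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos = 30  # 16 GUID + 8 size + 4 object count + 2 reserved bytes
    for _ in range(count):
        if pos + 24 > end:
            break  # truncated header
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24:
            break  # corrupt size field: stop instead of looping in place
        yield data[pos:pos + 16]
        pos += size


def classify(filename, data):
    """Return 'no-mismatch', 'asf-disguised' or 'asf-disguised-with-script'."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in NON_ASF_MEDIA_EXT or data[:16] != ASF_HEADER:
        return "no-mismatch"
    scripted = ASF_SCRIPT_COMMAND in asf_header_objects(data)
    return "asf-disguised-with-script" if scripted else "asf-disguised"


def make_object(guid, body=b""):
    """Constructed test input: one header object (GUID, total size, body)."""
    return guid + struct.pack("<Q", 24 + len(body)) + body


def make_header(objects):
    """Constructed test input: a bare ASF header wrapping the given objects."""
    body = b"".join(objects)
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(body), len(objects), 1, 2) + body


FAKE_MP3 = make_header([make_object(bytes(16), b"x" * 10),
                        make_object(ASF_SCRIPT_COMMAND, bytes(20))])
```

Call `classify(name, first_bytes)` with the file name and the start of the file's content; only the header is inspected, so reading the first few kilobytes is enough.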
Despite any confusion, there's a bottom line. In order to get infected by this advertising Trojan malware you have to act recklessly.
These things should tip/turn you off:
- Having to download/install a 'special player' in order to play the content. Getting people to download something in order to listen to a song or view a video is one of the old tricks online criminals use to get their nasty software (Virus/Trojan/AdWare) onto your computer! Whether it's a 'Plug-in' (like Flash or another media type) that you're told "you need for the web page to work", or, as in this case, a "PLAY_MP3.exe", be extremely wary of anything someone you don't know wants you to install onto your computer.
There are legitimate 'plug-ins' available to view different types of content in your choice of browser. It's best to install the ones you want from trusted web sites (like the maker of the plug-in, as in Adobe Flash Player or Reader, Apple QuickTime, RealPlayer, or Windows Media Player). If you use the Firefox browser you can just go here and get the major ones all in one place.
In this case it's "only" AdWare (that pesters you with incessant pop-ups for all kinds of things..), but another time it very well could be something that steals your personal files, logs your keystrokes as you log into your bank, or secretly 'enlists' your computer in one of the 'BotNets' created and used by organized crime, and/or foreign governments.
Never be so anxious to hear or see something (especially on the Internet) that you leave your common sense behind and do something you might regret greatly.
And don't fool yourself into thinking it won't or can't happen to you. Why not? If you're careless, eventually you will get stung.
- The EULA.. you can't be in the habit of automatically clicking "I agree" (or whatever it says). Use a free program like "EULAlyzer" from Javacool Software and have it analyze the EULA, and actually READ the thing (at least the parts highlighted by EULAlyzer). This one is deceptive, but it does tell you that things like Adware "FBrowsingAdvisor" and "SurfingEnhancer" will be installed. It also mentions: (3) The Licensed Materials you install will also include/be bundled with the following 3rd Party software products:[...]. All those things scream 'STAY AWAY' to me!
Take my advice. Learn the risks, be smart, and be wary of the dangers. Just like an automobile or a firearm, your computer is not a toy to be treated irresponsibly. Take care of it and use it responsibly. Do that, and you can have all the fun you want at the same time!
Until next time.. And always remember to THINK before you click!
~If you're wondering what "PUP" stands for, it means Potentially Unwanted Program.~


