As debunked by Kenneth Sörling (nevershaveyourduck@gmail.com)
September 2007
Every once in a while you may come across an AVI movie, which upon playing, seems only to be a few seconds long. This even though the size of the file indicates a feature-length film, maybe 700 megabytes or so.
And, instead of the movie you thought you were going to watch, you're greated with a sight such as this:
This media file can only be played
using 3wPlayer that is completely FREE
Please visit playon.play3w.com to download
In case you can't read the above, it is a simple message in red and white on an otherwise black background, which states that "This media file can only be played using 3wPlayer that is completely FREE. Please visit playon.play3w.com to download" or words to that effect.
The message also provides a website address where you can download this player, and informs you that it is completely free to install and use. Well, isn't that nice!
Now, let's assume that you are new to the internet file-sharing scheme, and have thus not yet aquired the cynicism to get suspicious. Let's assume you really want to watch this movie, because it's the hottest new flick and stars Johnny Depp, who us just dreamy. So you go ahead and download the 3wPlayer application from the aforementioned site.
Upon installation, you are informed that 3wPlayer is adware. Oh, so it wansn't free after all; you'll be paying by enduring ad popups from whoever sponsors 3wPlayer. Oh well. After all it's Johnny-fucking-Depp!!
You install it, start it, and then open that movie with it. What do you get? Well, sometimes, it's just what you thought it would be. But more often than not, it's a completely different movie altogether. Instead of a major Disney release, you could find youself watching a hardcore porno flick and scratching your head. Just be thankful your children aren't in the room while this happens.
So what is this? An elaborate prank? A practical joke perpetrated on file sharers?
Nope. It is something far more insidious. You have just been tricked into infesting your computer with spyware. The 3wPlayer installs the dreaded CIDHELP, which in turn downloads even more spyware.
In a nutshell, it is two movies baked together, back to back. The first is the short clip you've seen, displaying the screen above. The second one is further into the file, hidden and encoded.
This is another case where you are promised features which simply aren't there. They claim that a 3w-encoded file offers superior compression (using a new, advanced codec (compression algorithm)), but in effect it doesn't. Once decrypted, it turns out the hidden movie uses one of a common set of compression standards, such as DIVX or XVID. In other words, they are lying through their teeth.
Thankfully, the encryption they used is one of the most basic and easily cracked around. There is little to writing a short program which decodes the real movie out of this abysmal, treacherous joke.
There is nothing dangerous in the file per se, quite apart from the risk that it isn't actually the movie you wanted to see. The real risk is installing the player referred to above. Once you install that, and use it to play the file, you are in trouble. Not only have you installed spyware on your computer; once you use the player application, chances are good that you're being monitored. In fact, whatever you do henceforth may be tracked, logged and sent to some scumbag across the internet, without your knowing.
It isn't as easy as simply uninstalling 3wPlayer. The spyware still remains on your computer, and can be quite difficult to remove. Once you identify the offending programs and try to delete them, they pop back into existance. This is a case of a RootKit, a set of spyware programs which know how to hide and protect themselves from common antivirus programs, and which instantly respawn one another should either of them be deleted.
For lots more detail on how to rid yourself of the spyware, check the links at the end of this doc.
You don't actually have to install 3wPlayer to watch the movie. My UnZixWin utility is now equipped with the functionality to open these AVI files, locate and identify the real movie hidden inside, and let you extract it. The new file can be watched with any player, such as VLC, Media Player Classic, or Windows Media Player. The only thing is, it might not be the movie you were expecting to see.