Saturday, May 03, 2008

Zlob fake codecs in Google Notebook

A few months ago, I blogged about Zlob fake codecs being pushed through Google Groups. Now one more Google service, Google Notebook, is being (mis)used by the Zlob gang. As the name indicates, Google Notebook is an online "notebook" where one can upload and share information such as images, text and links to other websites.

A simple search, like the one shown in the screenshot below, yields thousands of Notebook pages driving fake codecs and other malware:



And, here's one such page:



As usual, when we click on the video, we are redirected to a fake codec webpage:

Wednesday, April 02, 2008

Storm worm's back...again!

After a short break, the Storm worm is being seen in the wild again. This time the gang behind the Storm botnet is using April Fools' Day themed mails as bait to infect more PCs and expand their botnet. Here's a screenshot of the webpage that is displayed when one clicks on the link given in the mails:

Friday, March 21, 2008

Fake codec - AccessMedia

Here's one more fake codec, named AccessMedia. The dropper is named AccessMediaSetup.exe and is hosted at www.softwaredestributiononlinecorp.com.



Detections are not very good as of now! The VirusTotal scan result can be found here.

Thursday, March 13, 2008

One more fake Flash Player!

Here's one more fake Flash Player from the Zlob gang, being used to push their new fake codecs (another one can be seen here).

This time the codec names are XXXMediaCodec and FlyVideoCodec, hosted at www.mynudenetwork.com and/or www.flyvideonetwork.com. These new samples are not very well detected as of now. Here's the VirusTotal scan report for these codecs:
AntiVir - DR/Delphi.Gen
F-Secure - Suspicious:W32/Malware!Gemini
Microsoft - Trojan:Win32/Tibs.gen!G
Panda - Suspicious file
Sophos - Mal/Behav-116
VBA32 - suspected of Downloader.Zlob.8
Webwasher-Gateway - Trojan.Dropper.Delphi.Gen

Wednesday, March 05, 2008

Zlob brings back fake MP3s!

Last August, I blogged about the Zlob gang using fake MP3 download sites to push their malware (link here). Afterwards, we started to see more and more fake video codecs and fewer free MP3s. Well, now they are back! Some of the domains pushing fake MP3s are:
Mp3tube.info
Mp3sland.com
mp3files4free.com
gt-mp3portal.com


Here are some screenshots showing fake MP3 listings and download screens:







As of now, detections for the malware being pushed by these sites are very poor. Here's a VirusTotal scan result for one of the downloaded files. This file has a double extension to fool an unsuspecting PC user.
File Sound.mp3.exe:
CAT-QuickHeal - (Suspicious) - DNAScan
eSafe - Suspicious File
F-Secure - Tibs.gen200
Norman - Tibs.gen200
Sunbelt - VIPRE.Suspicious


Please do NOT visit any of the sites mentioned above!!!!

Tuesday, March 04, 2008

Fake Macromedia Flash ActiveX Plugin

We have seen Zlob fake codecs using the now-standard "Video ActiveX Object Error" message boxes to push their malware onto PCs. Now the gang behind Zlob has started (mis)using Macromedia Flash Player's name on their rogue sites. Here's one example, which says that you need to install a Macromedia Flash ActiveX Video Component to watch certain videos:



If you follow the link and install what they are pushing, you will end up infecting your system with a pretty nasty Zlob variant ;) Here's what the VirusTotal scan says about the fake setup:
Avast - Win32:Agent-SWC
AVG - Downloader.Zlob.ABQ
eSafe - suspicious Trojan/Worm
F-Secure - Suspicious:W32/Malware!Gemini
Ikarus - Trojan.Zlob.2
Microsoft - TrojanDownloader:Win32/Zlob.gen!AV
NOD32v2 - Win32/TrojanDownloader.Zlob.BQU
Prevx1 - Generic.Malware
VBA32 - suspected of Downloader.Zlob.3


The installer is hosted at www.aviadaptation.com and some of the domains pushing this malware are:
By the way, do NOT visit any of these sites, as they are all live malware pushers!

Saturday, March 01, 2008

WebVideoSetup and Multimedia Decoder

This is an interesting piece of malware! The Multimedia Decoder, as the name suggests, disguises itself as a video codec. The installer of this fake codec is named WebVideoSetup.exe. Here's a screenshot of a webpage which drops WebVideoSetup:



When the installer is executed, it downloads a DLL and registers it as an Internet Explorer BHO (with GUID {7CF52009-F408-49AE-BBCB-6279CB53BB42}). This DLL is named wmpdxm.dll and is dropped into the %WINDIR% directory. It should not be confused with the genuine wmpdxm.dll, a Microsoft Windows Media Player extension located in the %SYSDIR% directory.
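An added example (not from the original post) of how a defender could check a Windows box for the BHO described above: it looks for the GUID from the post among the registered BHOs, resolves each BHO CLSID to its DLL, and flags a wmpdxm.dll loaded from anywhere but System32. Assumes a Windows host with PowerShell and read access to HKLM and HKEY_CLASSES_ROOT; the registry paths and the "genuine copy lives in System32" rule are my assumptions, not statements from the post.

```powershell
# Added example (not from the original post). Hunts for the Multimedia Decoder BHO:
# the GUID and the wmpdxm.dll name/location come from the post; the rest is assumed.
$BhoGuid = '{7CF52009-F408-49AE-BBCB-6279CB53BB42}'
$WinDir  = $env:WINDIR
$SysDir  = Join-Path $WinDir 'System32'   # where the genuine wmpdxm.dll lives

function Get-BhoEntries {
    # Enumerate registered BHOs (native and WOW6432 views) and resolve each CLSID to its DLL.
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid  = $sub.PSChildName
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll    = $null
            if (Test-Path $inproc) {
                $raw = (Get-ItemProperty -Path $inproc).'(default)'
                if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
            }
            [pscustomobject]@{ Clsid = $clsid; Dll = $dll }
        }
    }
}

function Test-BhoEntry($entry) {
    # Suspicious if it is the GUID from the post, or a wmpdxm.dll outside System32.
    if ($entry.Clsid -ieq $BhoGuid) { return 'known Multimedia Decoder BHO GUID' }
    if ($entry.Dll) {
        $leaf = Split-Path -Path $entry.Dll -Leaf
        $dir  = Split-Path -Path $entry.Dll -Parent
        if ($leaf -ieq 'wmpdxm.dll' -and $dir -ine $SysDir) { return "wmpdxm.dll loaded from '$dir'" }
    }
    return $null
}

foreach ($e in Get-BhoEntries) {
    $why = Test-BhoEntry $e
    if ($why) { Write-Output "SUSPECT BHO $($e.Clsid) -> $($e.Dll) ($why)" }
}

# Independent of the registry: a wmpdxm.dll sitting directly under %WINDIR% is suspect.
$stray = Join-Path $WinDir 'wmpdxm.dll'
if (Test-Path $stray) {
    $sig = Get-AuthenticodeSignature -FilePath $stray
    Write-Output "SUSPECT FILE $stray (signature: $($sig.Status))"
}
```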



The fake wmpdxm.dll is poorly detected; only 5 AVs at VirusTotal managed to detect it. Here's the report from the VirusTotal scan:
F-Prot - W32/Banload.E.gen!Eldorado
Ikarus - Trojan-Downloader.Delf.OGX
Microsoft - Trojan:Win32/Delflob.I
Sophos - Mal/Emogen-N
Sunbelt - Trojan-PSW.Win32.Hooker.24.c (vf)


Detections for the installer WebVideoSetup.exe are comparatively better:
AntiVir - DR/Delphi.Gen
BitDefender - Trojan.Delf.OXW
DrWeb - Trojan.DownLoader.12890
eSafe - Suspicious File
eTrust-Vet - Win32/Burgspill!generic
F-Prot - W32/Heuristic-MU3!Eldorado
F-Secure - Suspicious:W32/Malware!Gemini
Ikarus - Trojan-Downloader.Codec.C
Microsoft - Trojan:Win32/Delflob.I
Panda - Suspicious file
Sophos - Mal/DelpDldr-E
Webwasher Gateway - Trojan.Dropper.Delphi.Gen


On a side note, the creators of this malware seem to hate Steven Spielberg for some unknown reason! However, they got his name wrong. Check out this screenshot to know more!

Ax Video Plugin

Ax Video Plugin is one of the latest fake codecs/plugins on the block. The site http://axvideodownload.com/ uses the same old fake "Video ActiveX Object Error" messages to lure viewers into downloading its fake plugin installer, named setup_axplugin.exe.



At the time of this writing, the Ax Video Plugin was sparsely detected at VirusTotal; only 4 AVs managed to detect it. Here's the report from the VirusTotal scan:
AntiVir - TR/Crypt.XDR.Gen
AVG - BackDoor.RBot.EA
Panda - Suspicious file
Webwasher Gateway - Trojan.Crypt.XDR.Gen


When setup_axplugin.exe is executed, it drops a bunch of malware files into %WINDIR% and creates a few "Run" registry keys to load these executables at system startup. The dropped files display fake security alerts, change the Desktop wallpaper and try to download fake anti-spyware applications such as SystemErrorFixer, SysCleaner and SpyBurner. This is how the Desktop looks after the infection!
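An added example, not from the original post, of checking the persistence mechanism just described: it enumerates the Run keys, extracts the executable from each command line, and flags entries whose program sits directly in %WINDIR% (where the post says the dropped files land) rather than in a subdirectory such as System32. Assumes a Windows host with PowerShell; the "directly in %WINDIR%" heuristic is my own, not something the post states.

```powershell
# Added example (not from the original post). Lists Run-key autostarts whose
# executable lives directly under %WINDIR%, the drop location named in the post.
$WinDir = $env:WINDIR

function Get-RunEntries {
    # Collect name/command pairs from the machine-wide and per-user Run keys.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSChildName etc. are provider metadata
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-ExecutablePath([string]$Command) {
    # Return the program part of a Run command line: a quoted path, or the first token.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

function Test-RunEntry($entry) {
    # Flag an executable placed directly in %WINDIR% (not in a subdirectory like System32).
    $exe = Get-ExecutablePath $entry.Command
    if (-not $exe) { return $false }
    $dir = Split-Path -Path $exe -Parent
    return ($dir -ieq $WinDir)
}

foreach ($e in Get-RunEntries) {
    if (Test-RunEntry $e) {
        $exe = Get-ExecutablePath $e.Command
        $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'missing' }
        Write-Output "SUSPECT autostart '$($e.Name)' in $($e.Key): $exe (signature: $sig)"
    }
}
```

Legitimate software rarely installs its executables straight into the Windows directory, so any hit deserves a look at the file's signature and hash rather than automatic removal.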