Sunday, July 22, 2007

Fake Google Toolbar Installer

Just came across a poorly detected trojan, which creates a folder named Google in Program Files folder, and copies a file named Googletoolbar1.dll to that folder. This DLL is registered as a BHO in Internet Explorer. This Googletoolbar1.dll is actually a fake file, and is detected as W32/Horst.gen25 by few AVs. Trojan dropper is named as roin.exe and is detected by some AVs as Trojan-Dropper.Win32.Small.ayo or W32/Horst.gen25.dropper.

Files dropped by roin.exe are:

Following HijackThis log extract shows trojan's BHO and startup files:
O2 - BHO: Google Toolbar Helper - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\googletoolbar1.dll
O4 - HKLM\..\Run: [crtfmon] C:\WINDOWS\CTFRMON.EXE
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - Startup: imfe.exe

More information about this trojan can be found here.

More variants of Zlob fake codec

It seems Zlob group is changing/re-packing their fake code installers almost every 24 hours. New samples are found every day! After player-codec, host-codec, click-codec and virutalcodec, now they have released greatcodec. It is hosted at www(dot)greatcodec(dot)com.

Actually, we can see three forms of fake codec installers from Zlob:
VideoAxObject installer (these are named as Setup.exe)
Greatcodec (as of now)

All three installers keep changing frequently. AV vendors should better come up with some Generic or Heuristic detection for Zlob variants, instead of signature detection.

Information about new variants can be found here and here.

Friday, July 20, 2007

Click-Codec : One more Zlob fake codec

After Player-Codec and Host-Codec, Zlob group has "released" one more (fake)codec, named Click-Codec. The website is www(dot)click-codec(dot)com. More info about this malware can be found here.

Wednesday, July 18, 2007

PCPrivacyTool - Yet another rogue software

Here's a screenshot of rogue software PCPrivacyTool. Do NOT download/install this one :)

NewMediaCodecInstaller updated again!

We have one more NewMediaCodecInstaller with us! The installer and the dropped files are very poorly detected by AVs, as of now. Here are the files dropped by NewMediaCodecInstaller.exe:

Once the PC is infected, we get a steady stream of pop-ups, fake virus alerts etc. It tries to download rogue software like TrustedAntivirus, SecurePCCleaner, PCPrivacyTool etc.

More information about this malware can be obtained here.

Tuesday, July 17, 2007

Host-Codec - One more Zlob fake codec

We have one more fake codec by Zlob group, called host-codec. At this time, detections by AVs are poor for this codec installer. Once installed, it drops a file named a.exe to root-drive and drops one BHO named ipv6mons.dll to system32 directory. Along with this, it changes DNS addresses to these things:

Information about these DNSes can be found here and here. More information about this malware can be found here.

Sunday, July 15, 2007

Some new malware - a.exe, gop.exe etc

We have some "new" malware this time, ranging from trojans to rootkits. One of them is a trojan which detected by some of the AVs as Trojan.Shadu. The dropped file has is named as a.exe. More information about this can be obtained here.

And, another one is a trojan which drops a rootkit. The trojan dropper drops a file named Gop.exe which installs a rootkit. AntiVir detects Gop.exe as TR/Small.DBY.DB. The rootkit driver that's installed by Gop.exe is named as vdo_4e2b-928.sys (generally, it will be named as vdo_[random_numbers]-[random_numbers].sys) and belongs to Win32.Tibs family. More information about this can be obtained here.

Labels: , ,

NewMediaCodec and Ultimate Cleaner

The new, updated NewMedicaCodec does all things that the old one used to do. It hijacks Desktop background and IE start page, generates fake security alerts etc. Now, it tries to install another rogue software named Ultimate Cleaner. As of now, not all AVs detect this. Files dropped by NewMediaCodecInstaller.exe are:

UltimateCleaner can be removed either manually by following the instructions present at BleepingComputer or automatically by using Malwarebytes RogueRemover.

Labels: ,

Mozilla and Orkut-hating virus!

This time, we have a virus which hates Orkut and Mozilla Firefox! Mozban virus does not allow PC user to Firefox browser and to open Orkut website. This virus makes use of AutoHotKey to do this and also to replicate itself. Mozban spreads through secondary storage devices like USB drives, CDs etc.
Here are the screen shots of message boxes displayed by the virus when Orkut website is opened or Firefox is launched:

Svchost.exe is nothing but renamed AutoHotKey program! Mozban creates a folder named heap41a in the root drive, and files listed below:

And, the folder offspring contains:

Files std.txt, script1.txt and reproduce.txt contain AutoHotKey scripts, which are executed by svchost.exe (renamed AutoHotKey).

Here are the screen shots Jotti Malware Scan results of files - svchost.exe and MicrosoftPowerPoint.exe - dropped by the virus:

Labels: ,

Saturday, July 14, 2007

NewMediaCodec - Updated!?

NewMediaCodecInstaller.exe seems to be updated. This time also, most of the AV's does not detect this installer. NOD32, which detected the old NewMediaCodecInstaller, fails to detect this new one. Here's a screen shot of Malware Scanner showing the scan results of the file:

Scan results of old NewMediaCodec can be found here.


Saturday, July 07, 2007

NewMediaCodec, Privacy Protector and Udefender

This time, we have one more fake codec - NewMediaCodec, and a couple of rogue software - Privacy Protector and Udefender. Trouble starts as soon as this "codec" is installed! It hijacks Desktop background, Internet Explorer start page and places some URL shortcuts to fake security applications on Desktop. After the hijack, Desktop looks like this:

Periodically we get pop-ups, message boxes; system tray balloon tool tips about malware infection and urges the user to download some "recommended" anti-spyware applications:

When we click on empty area of Desktop (it's actually a webpage) or the URL shortcuts on Desktop, IE opens up dubious sites like Winantispyware(dot)com, Onlinestability(dot)com, Aboutyourprivacy(dot)com, Udefender(dot)com, Softwareferrel(dot)com etc and downloads fake anti-spyware applications. Some of the fake anti-spyware applications available for download are Privacy Protector and Udefender. The installers of both these rogue software are poorly detected by AVs. Following screenshots show Malware Scanner results of Udefender and Privacy Protector installers:

Here's a screenshot of Privacy Protector displaying its exaggerated scan results:

Below screenshot of HijackThis shows the entries added by "NewMediaCodec" malware (tick-marked entries):

As we can see from the above screenshot, two DLLs are loaded using the SSODL (ShellServiceObjectDelayLoad) method. Explorer.exe loads these DLLs when Windows starts.

AVG AntiSpyware was able to detect and remove most of the files related to NewMediaCodec. But, it did not detect SSODL DLLs, Desktop/IE hijack page and some other files dropped by the malware. HijackThis, in Windows Safe Mode, can be used to remove the Desktop/IE hijacks, SSODL DLLs. However, it's advised to run a complete system scan using an online AntiVirus, like TrendMicro HouseCall or Kaspersky WebScanner. If you are not too sure about entries to be removed in HijackThis, post the HijackThis log at any of PC security forums, like CastleCops.

Labels: , ,