Moon-Player
Moon-Player is one of the latest fake video codecs/players from the Zlob/DNSChanger gang! The Moon-Player installer is dropped by the standard Zlob fake-codec infection technique. An example of a dropper website and installer is shown here:


The Moon-Player installer is hosted at http://moon-player.com (203.169.164.18) (whois info). This particular Zlob variant is highly dangerous: it drops rootkit-based spyware and also adds malicious DNS servers. The following HijackThis entry shows the rogue name servers added to the system's "NameServer" list:

O17 - HKLM\System\CCS\Services\Tcpip\..\{27C05F16-264E-4B56-9C02-90A5B7D0A17D}: NameServer = 85.255.112.143;85.255.112.94

These name servers are located in Ukraine; whois information can be found here and here.
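The O17 entry above is what HijackThis reports from the per-interface Tcpip registry keys. The script below is an added example, not part of the original post or of any tool mentioned in it: it reads every static and DHCP-supplied NameServer value, splits the ';'-separated list the same way the O17 line shows it, and flags the two rogue addresses quoted in the post as well as any resolver that is not on an allowlist. The allowlist addresses are assumptions and must be replaced with the resolvers your network actually uses.

```powershell
# Added example (not from the original post): audit the "NameServer" registry values
# that the HijackThis O17 line refers to. The two rogue addresses are the ones quoted
# in the post; the allowlist is an assumption, replace it with your own resolvers.
$KnownRogue = @('85.255.112.143', '85.255.112.94')   # from the post
$Allowed    = @('192.168.1.1', '8.8.8.8')             # assumed: your legitimate resolvers

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
# The global Parameters key plus one subkey per interface GUID (the {...} in the O17 line).
$Keys = @(Get-Item $Base) + @(Get-ChildItem "$Base\Interfaces" -ErrorAction SilentlyContinue)

foreach ($Key in $Keys) {
    # Check both the static value (where the O17 entry came from) and the DHCP-supplied one.
    foreach ($ValueName in 'NameServer', 'DhcpNameServer') {
        $Raw = (Get-ItemProperty -Path $Key.PSPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        if ([string]::IsNullOrWhiteSpace($Raw)) { continue }

        # HijackThis shows the servers ';'-separated; Windows also accepts spaces and commas.
        foreach ($Server in ($Raw -split '[;, ]+' | Where-Object { $_ })) {
            $Status = if ($KnownRogue -contains $Server) { 'ROGUE (matches post)' }
                      elseif ($Allowed -contains $Server) { 'ok' }
                      else                                { 'REVIEW (not in allowlist)' }
            [pscustomobject]@{
                Key    = $Key.PSChildName
                Value  = $ValueName
                Server = $Server
                Status = $Status
            }
        }
    }
}
```

Run it from an elevated PowerShell prompt so all interface subkeys are readable. A 'REVIEW' status is not proof of infection (ISP or VPN resolvers will show up there too), but any server outside the ranges you expect deserves a look, and a 'ROGUE' hit on the addresses from the post should be followed by the removal procedure linked at the end of this article.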
The rootkit component is a user-mode rootkit that hides files by hooking APIs in ntdll.dll. The following screenshots show the hidden file and the hooked APIs:


The rootkit also injects a DLL into a few standard Windows processes (alg.exe and spoolsv.exe), as shown in the screenshot below.

The injected DLL C:\Windows\System32\Dll.dll does not actually exist; the file that is really injected is C:\Windows\Temp\tempX.tmp (where X is some random number). This can be seen from the DLL information shown by IceSword. It seems that the injected file changes its name in the module list maintained in the process PEB to a dummy, non-existent one.
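Because the module list that tools read comes from the process PEB, a spoofed entry shows up as a path that has no file behind it. The script below is an added example, not part of the original post or of IceSword: it enumerates the loaded modules of the two processes named in the post and reports any module whose recorded path is missing on disk, which is exactly the Dll.dll symptom described above. The process names come from the post; everything else is an assumption about how you would run the check.

```powershell
# Added example (not from the original post): list loaded modules whose recorded path
# does not exist on disk. The post observed that the injected DLL rewrites its PEB
# module-list entry to C:\Windows\System32\Dll.dll, a file that is not present, so a
# module entry with no backing file is the indicator to look for.
# Process names are the ones from the post; run elevated so module lists are readable.
$Targets = 'alg', 'spoolsv'

foreach ($Proc in Get-Process -Name $Targets -ErrorAction SilentlyContinue) {
    try {
        $Modules = $Proc.Modules
    } catch {
        # Typically access denied, or a 64-bit shell inspecting a 32-bit process.
        Write-Warning "Cannot read modules of $($Proc.Name) (PID $($Proc.Id)): $($_.Exception.Message)"
        continue
    }
    foreach ($Module in $Modules) {
        # -LiteralPath so an odd module name is never treated as a wildcard pattern.
        if (-not (Test-Path -LiteralPath $Module.FileName -PathType Leaf)) {
            [pscustomobject]@{
                Process    = $Proc.Name
                PID        = $Proc.Id
                ModuleName = $Module.ModuleName
                FileName   = $Module.FileName
                BaseAddr   = ('0x{0:X}' -f $Module.BaseAddress.ToInt64())
                Finding    = 'module path missing on disk'
            }
        }
    }
}
```

A hit here means the PEB entry and the disk disagree, not that the file was simply deleted after load, so confirm it the way the post does: compare the module's base address with what IceSword (or a memory-mapped-section view) reports for the same process. Note that the same user-mode hooks that hide files from Explorer may also hide the real tempX.tmp from Test-Path, which is why this check looks for a missing path rather than searching C:\Windows\Temp.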
The VirusTotal scan result of the installer can be found here. An automated analysis of the installer can be found at this ThreatExpert page.
Update: A Zlob (Moon-Player and other fake video players) rootkit removal tutorial has been posted here.

12 Comments:
thank you, most detailed advice.
If one of these files was saved instead of being run initially, is it dangerous if it has not been executed...?
Hi,
There is no threat if the file (installer/dropper) is not executed. It installs malware only if it is executed.
Excellent explanation, I have already had contact with this fake codec.
Bookmarking your blog, very useful.
Thanks.
Hi npt,
Thanks for visiting the blog. If your PC is infected, you can run an online scan at F-Secure website:
http://support.f-secure.com/enu/home/ols.shtml
Thanks for jumping on this one so quickly haven't heard anyone even commenting on it in the torrent comments section. Cheers!
Thanks, almost downloaded that.
Hi, this site is brilliant. I have somehow got infected with the moon-player codec, but tried the F-Secure online scanner and it isn't working for some reason. Have you any other ideas what to use? Thanks
What you can do to try to prevent accidentally downloading a fake codec like that is to download one of the videos from the torrent downloader site itself (i.e. Azureus, Vuze), such as a music video, and if it plays without needing an update or codec then nothing else should need one either. I almost fell for that one too. DO NOT DOWNLOAD MOON!
Hi,
I made the mistake of installing the Moon_Player_Codec3372 file. Results in system freeze and then BSOD after logging in to Windows XP in normal mode. Can only use safe mode. Have run an online scan at the F-Secure website which claimed to locate and remove INI/DNSCHANGER.A c:\AUTORUN.INF, however the system still dies with a blue screen. I have also scanned with NOD32 and I am running a Microsoft Windows Malicious Software Removal Tool full scan at the moment - no virus found yet.
Any suggestions?
Hi Mike,
I have posted a Zlob rootkit removal procedure here:
http://swatrant.blogspot.com/2008/12/zlob-fake-codec-rootkit-removal.html
Please refer to that. Hope that helps!
Hi Swatkat,
Thank you so much for your help. I have just managed to log in to normal mode in Windows for the first time in several days. I was on the verge of a full reinstall and I am so pleased not to have to do that. Cheers