Friday, November 07, 2008


Moon-Player is one of the latest fake video codec/player by Zlob/DNSChaner gang! Moon-Player installer is dropped by the standard Zlob fake codec infection technique. An example of a dropper-website and installer is shown here:

Moon-Player installer is hosted at ( (whois info). This particular Zlob variant is highly dangerous as it drops rootkit based spyware and also adds malicious DNS servers. Following HijackThis entry shows the rogue name servers added to the "NameServer" list of the system:

O17 - HKLM\System\CCS\Services\Tcpip\..\{27C05F16-264E-4B56-9C02-90A5B7D0A17D}: NameServer =;

These name servers are located at Ukraine and whois information can be found here and here.

The rootkit component is a user mode rootkit that hides files by hooking APIs of ntdll.dll. Following screenshots show rooted file and hooked APIs:

The rootkit also injects a DLL into few of the standard Windows processes (alg.exe and spoolsv.exe), as shown in below screenshot.

The injected DLL C:\Windows\System32\Dll.dll actually does not exist, and the file that is really injected is C:\Windows\Temp\tempX.tmp (where X is some random number). This can be seen from the DLL information shown by IceSword. It seems that the injected file changes its name in the module list maintained in process PEB, to a dummy/non-existent one.

VirusTotal scan result of the installer can be found here. An automated analysis of the installer can be found at this ThreatExpert page.

Update: A Zlob (Moon-Player and other fake video players)  rootkit removal tutorial has been posted here.


Blogger Kate said...

thank you, most detailed advice.

12:41 PM  
Anonymous Anonymous said...

If one of these files was saved instead of being run initially, is it dangerous if it has not been executed...?

3:36 PM  
Blogger swatkat said...

There is no threat if the file (installer/dropper) is not executed. It installs malware only if it is executed.

9:01 PM  
Anonymous NPT said...

Excellent explanation, i already have contact with this fake codec.

Bookmarking your blog, very usefull.

5:44 AM  
Blogger swatkat said...

Hi npt,

Thanks for visiting the blog. If your PC is infected, you can run an online scan at F-Secure website:

7:55 AM  
Anonymous Anonymous said...

Thanks for jumping on this one so quickly haven't heard anyone even commenting on it in the torrent comments section. Cheers!

1:00 PM  
Anonymous Anonymous said...

thanks almost down loaded that

7:14 AM  
Anonymous Anonymous said...

HI, this site is brilliant, I have somehow got infected with the moon-player codec, but tried the f-secure online scanner but isnt working for some reason, have you any other ideas what to use? Thanks

3:10 PM  
Anonymous Anonymous said...

What you can do to try to prevent accidentally downloading a fake codec like that, is you can download one of the videos from the torrent downloader site itself (IE Azureus, vuze), such as a music video and if it plays without needing an update or codec then nothing else should need one either. I almost fell for that one too. DO NOT DOWNLOAD MOON!

1:53 AM  
Anonymous Mike said...

I made the mistake of installing Moon_Player_Codec3372 file. Results in system freeze and then BSOD after loging in to windows XP in normal mode. Can only use safe mode. Have run an online scan at F-Secure website which claimed to locate and remove INI/DNSCHANGER.A c:\AUTORUN.INF however system still dies with blue screen. I have also scanned with NOD32 and I am running Microsoft Windows Malicious Software Removal Tool full scan at the moment - no virus found yet.
Any suggestions?

10:40 AM  
Blogger swatkat said...

Hi Mike,

I have posted a Zlob rootkit removal procedure here:

Please refer to that. Hope that helps!

12:09 AM  
Anonymous Mike said...

Hi Swatkat,

Thanks you so much for your help. I have just managed to log in to normal mode in windows for the first time in several days. Was on the verge of a full reinstall and I am so pleased to not have to do that. Cheers

6:11 AM  
Blogger Term Papers said...

I'm very thankful to the author for posting such an amazing development post. Continuing to the post. Thanks.

4:52 PM  
Anonymous College Term Papers said...

I'm very thankful to the author for posting such an amazing development post. Continuing to the post. Thanks.

4:53 PM  

Post a Comment

<< Home