Friday, March 21, 2008

Fake codec - AccessMedia

Here's one more fake codec, named AccessMedia. The dropper is named AccessMediaSetup.exe and is hosted at www.softwaredestributiononlinecorp.com.

Detection is poor as of this writing. The VirusTotal scan result can be found here.

Thursday, March 13, 2008

One more fake Flash Player!

Here's one more fake Flash Player from the Zlob gang, used to push their new fake codec (another one can be seen here).

This time, the codec names are XXXMediaCodec and FlyVideoCodec, hosted at www.mynudenetwork.com and/or www.flyvideonetwork.com. These new samples are poorly detected as of this writing. Here's the VirusTotal scan report for these codecs:
AntiVir - DR/Delphi.Gen
F-Secure - Suspicious:W32/Malware!Gemini
Microsoft - Trojan:Win32/Tibs.gen!G
Panda - Suspicious file
Sophos - Mal/Behav-116
VBA32 - suspected of Downloader.Zlob.8
Webwasher-Gateway - Trojan.Dropper.Delphi.Gen

Wednesday, March 05, 2008

Zlob brings back fake MP3s!

Last August, I blogged about the Zlob gang using fake MP3 download sites to push their malware (link here). Afterwards, we started to see more and more fake video codecs and fewer free MP3s. Well, now they are back! Some of the fake-MP3-pushing domains are:
Mp3tube.info
Mp3sland.com
mp3files4free.com
gt-mp3portal.com


Here are some screenshots showing fake MP3 listings and download screens:

As of now, detection of the malware pushed by these sites is very poor. Here's a VirusTotal scan result for one of the downloaded files. The file carries a double extension so that an unsuspecting user takes it for an MP3: Windows Explorer hides known extensions by default, so Sound.mp3.exe is displayed as Sound.mp3.
File Sound.mp3.exe:
CAT-QuickHeal - (Suspicious) - DNAScan
eSafe - Suspicious File
F-Secure - Tibs.gen200
Norman - Tibs.gen200
Sunbelt - VIPRE.Suspicious
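A worked check for the double-extension trick above, added here as an example and not part of the original post: given a filename and the first bytes of the download, it flags an executable extension hiding behind a media one, and content that disagrees with the extension the file shows. Sound.mp3.exe is the name from the post; the other filenames and all byte samples are constructed.

```python
"""Triage a downloaded "media" file by name and by content.  Added example, not the
author's code.  Sound.mp3.exe is the filename from the post; every other name and
all byte samples below are constructed."""
import ntpath
from dataclasses import dataclass, field

MEDIA_EXTENSIONS = {"mp3", "wav", "avi", "wmv", "mpg", "mpeg", "mp4", "flv", "jpg", "gif"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "dll"}


@dataclass
class Verdict:
    name: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def extensions(name: str) -> list:
    """All dot-separated suffixes, lower-cased: 'Sound.mp3.exe' -> ['mp3', 'exe']."""
    return ntpath.basename(name).lower().split(".")[1:]


def looks_like_mp3(head: bytes) -> bool:
    """ID3v2 tag, or an MPEG audio frame sync (11 set bits) at offset 0."""
    return head[:3] == b"ID3" or (len(head) >= 2 and head[0] == 0xFF and head[1] & 0xE0 == 0xE0)


def inspect(name: str, head: bytes) -> Verdict:
    """Compare what the name claims with what the final extension and the bytes say."""
    v = Verdict(name)
    exts = extensions(name)
    last = exts[-1] if exts else ""           # the extension Windows actually executes on
    shown = exts[-2] if len(exts) >= 2 else ""  # the extension left visible when .exe is hidden
    if last in EXECUTABLE_EXTENSIONS and shown in MEDIA_EXTENSIONS:
        v.reasons.append(f"double extension: shown as .{shown}, runs as .{last}")
    if head[:2] == b"MZ" and last not in EXECUTABLE_EXTENSIONS:
        v.reasons.append("PE/MZ header behind a non-executable extension")
    if last == "mp3" and not looks_like_mp3(head):
        v.reasons.append("content is not ID3/MPEG audio")
    return v


def triage(samples) -> list:
    """Only the suspicious verdicts for (name, first bytes) pairs."""
    return [v for v in (inspect(n, h) for n, h in samples) if v.suspicious]


SAMPLES = [  # constructed: filename and the first bytes of each download
    ("Sound.mp3.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("song.mp3", b"ID3\x03\x00\x00\x00"),
    ("track.mp3", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("clip.avi", b"RIFF\x00\x00\x00\x00AVI "),
]

if __name__ == "__main__":
    for v in triage(SAMPLES):
        print(v.name, "->", "; ".join(v.reasons))
```

The name check catches the case from the post (the user sees Sound.mp3 next to whatever icon the attacker compiled into the PE); the MZ check catches an executable that was merely renamed. Neither replaces a scan, but both work when the AV detection rate is as low as the list above shows.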

Please do NOT visit any of the sites mentioned above!!!!

Tuesday, March 04, 2008

Fake Macromedia Flash ActiveX Plugin

We have seen Zlob fake codecs using the now standard "Video ActiveX Object Error" message boxes to push their malware onto PCs. Now the gang behind Zlob has started (mis)using Macromedia Flash Player's name on their rogue sites. Here's one example, which says that you need to install a Macromedia Flash ActiveX Video Component to watch certain videos:

If you follow the link and install what they are pushing, you will end up infecting your system with a pretty nasty Zlob variant ;) Here's what the VirusTotal scan says about the fake setup:
Avast - Win32:Agent-SWC
AVG - Downloader.Zlob.ABQ
eSafe - suspicious Trojan/Worm
F-Secure - Suspicious:W32/Malware!Gemini
Ikarus - Trojan.Zlob.2
Microsoft - TrojanDownloader:Win32/Zlob.gen!AV
NOD32v2 - Win32/TrojanDownloader.Zlob.BQU
Prevx1 - Generic.Malware
VBA32 - suspected of Downloader.Zlob.3

The installer is hosted at www.aviadaptation.com and some of the domains pushing this malware are:
codecpak.info
fakeporno.info
freepornoghraphy.info
myfreebestadult.com
pornohentais.info
pornomonkey.info
pornoromanesti.info
pornoshoes.info
pornoveryyoung.info
pornoyu.info
s14.quicksharing.com

By the way, do NOT visit any of these sites as they all are live malware pushers!

Saturday, March 01, 2008

WebVideoSetup and Multimedia Decoder

This is an interesting piece of malware! The Multimedia Decoder, as the name suggests, disguises itself as a video codec. The installer of this fake codec is named WebVideoSetup.exe. Here's a screenshot of a webpage which drops WebVideoSetup:

When the installer is executed, it downloads a DLL and registers it as an Internet Explorer BHO (with GUID/CLSID {7CF52009-F408-49AE-BBCB-6279CB53BB42}). The DLL is named wmpdxm.dll and is dropped into the %WINDIR% directory. It should not be confused with the genuine wmpdxm.dll, a Microsoft Windows Media Player component that lives in %SYSDIR%: the filename is identical, so only the directory (and the file's digital signature) tells the two apart.

The fake wmpdxm.dll is poorly detected: only 5 AVs at VirusTotal managed to flag it. Here's the report from the VirusTotal scan:
F-Prot - W32/Banload.E.gen!Eldorado
Ikarus - Trojan-Downloader.Delf.OGX
Microsoft - Trojan:Win32/Delflob.I
Sophos - Mal/Emogen-N
Sunbelt - Trojan-PSW.Win32.Hooker.24.c (vf)

Detections for the installer WebVideoSetup.exe are comparatively better:
AntiVir - DR/Delphi.Gen
BitDefender - Trojan.Delf.OXW
DrWeb - Trojan.DownLoader.12890
eSafe - Suspicious File
eTrust-Vet - Win32/Burgspill!generic
F-Prot - W32/Heuristic-MU3!Eldorado
F-Secure - Suspicious:W32/Malware!Gemini
Ikarus - Trojan-Downloader.Codec.C
Microsoft - Trojan:Win32/Delflob.I
Panda - Suspicious file
Sophos - Mal/DelpDldr-E
Webwasher Gateway - Trojan.Dropper.Delphi.Gen

On a side note, the creators of this malware seem to hate Steven Spielberg for some unknown reason! However, they got his name wrong. Check out this screenshot to see for yourself!

Ax Video Plugin

Ax Video Plugin is one of the latest fake codecs/plugins on the block. The site http://axvideodownload.com/ uses the same old fake "Video ActiveX Object Error" messages to lure viewers into downloading its fake plugin installer, named setup_axplugin.exe.

At the time of this writing, the Ax Video Plugin was sparsely detected at VirusTotal, with only 4 AVs managing to flag it. Here's the report from the VirusTotal scan:
AntiVir - TR/Crypt.XDR.Gen
AVG - BackDoor.RBot.EA
Panda - Suspicious file
Webwasher Gateway - Trojan.Crypt.XDR.Gen

When setup_axplugin.exe is executed, it drops a bunch of malware files into %WINDIR% and adds a few entries under the "Run" registry key so that these executables load at system startup. The dropped files display fake security alerts, change the Desktop wallpaper and try to download fake anti-spyware applications such as SystemErrorFixer, SysCleaner and SpyBurner. This is how the Desktop looks after the infection!
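The two persistence points described in these posts, the WebVideoSetup BHO above and the Run entries added by setup_axplugin.exe, can be triaged from a registry export without trusting the infected host's AV. The following is an added example and not the author's code: it parses a regedit .reg export, lists Browser Helper Objects together with the DLL their CLSID resolves to, lists Run values, and flags a System32 DLL name loading from elsewhere or a program starting from the %WINDIR% root. The CLSID and the wmpdxm.dll name are from the post; the export text is constructed, the Run value names are placeholders, and the system drive is assumed to be C:.

```python
"""Triage a regedit .reg export for two Zlob persistence points: an Internet
Explorer Browser Helper Object whose DLL is out of place, and Run values that
launch executables dropped straight into %WINDIR%.  Added example, not the
author's code.  The CLSID and the wmpdxm.dll name come from the post; the export
below is constructed and the Run value names are placeholders."""
import ntpath
import re

BHO_KEY = r"software\microsoft\windows\currentversion\explorer\browser helper objects"
RUN_KEY = r"software\microsoft\windows\currentversion\run"
SYSTEM_DLLS = {"wmpdxm.dll"}  # Microsoft DLLs that belong in %SYSDIR% (System32); from the post
WINDIR_ROOTS = {"c:\\windows", "%windir%", "%systemroot%"}  # assumption: system drive is C:

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s: str) -> str:
    # strip the outer quotes, then the \" and \\ escapes used by .reg files
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> dict:
    """{key path lower-cased: {value name: string value}}; the default value is '@'.
    Only REG_SZ values are kept, which is all these two checks need."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None and m.group(2).startswith('"'):
            name = "@" if m.group(1) == "@" else _unquote(m.group(1))
            keys[current][name] = _unquote(m.group(2))
    return keys


def _image_path(cmd: str) -> str:
    """First token of a command line: the quoted path, or the text up to the first space."""
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]


def _in_windir_root(path: str) -> bool:
    return ntpath.dirname(path).lower().rstrip("\\") in WINDIR_ROOTS


def find_bhos(reg: dict) -> list:
    """(CLSID, DLL path or None) for each registered Browser Helper Object."""
    out = []
    for key in reg:
        hive, _, rest = key.partition("\\")
        if not rest.startswith(BHO_KEY + "\\"):
            continue
        clsid = rest[len(BHO_KEY) + 1:].split("\\", 1)[0]
        inproc = (reg.get(f"{hive}\\software\\classes\\clsid\\{clsid}\\inprocserver32")
                  or reg.get(f"hkey_classes_root\\clsid\\{clsid}\\inprocserver32") or {})
        out.append((clsid, inproc.get("@")))
    return out


def find_run_entries(reg: dict) -> list:
    """(hive, value name, command line) for every Run value in the export."""
    return [(key.partition("\\")[0], name, cmd)
            for key, values in reg.items() if key.partition("\\")[2] == RUN_KEY
            for name, cmd in values.items() if name != "@"]


def triage(text: str) -> list:
    """Human-readable findings; an empty list means these heuristics matched nothing."""
    reg = parse_reg(text)
    findings = []
    for clsid, dll in find_bhos(reg):
        if dll is None:
            findings.append(f"BHO {clsid}: no InprocServer32 path in the export")
        elif (ntpath.basename(dll).lower() in SYSTEM_DLLS
              and not ntpath.dirname(dll).lower().endswith("\\system32")):
            findings.append(f"BHO {clsid}: {ntpath.basename(dll)} is a System32 DLL name but loads from {dll}")
        elif _in_windir_root(dll):
            findings.append(f"BHO {clsid}: DLL sits directly in %WINDIR%: {dll}")
    for hive, name, cmd in find_run_entries(reg):
        image = _image_path(cmd)
        if _in_windir_root(image):
            findings.append(f"Run value '{name}' in {hive} starts {image} from the %WINDIR% root")
    return findings


# Constructed export: the CLSID and wmpdxm.dll are from the post, the Run names are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7CF52009-F408-49AE-BBCB-6279CB53BB42}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7CF52009-F408-49AE-BBCB-6279CB53BB42}\InprocServer32]
@="C:\\WINDOWS\\wmpdxm.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dropped_example"="C:\\WINDOWS\\dropped_example.exe"
"benign_example"="\"C:\\Program Files\\Example\\example.exe\""
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print(finding)
```

On a live host the input comes from `reg export` of the Browser Helper Objects key, the matching CLSID keys and the HKLM/HKCU Run keys; reg.exe writes the file as UTF-16 LE, so read it with encoding='utf-16'. The %WINDIR%-root heuristic is a triage hint, not a verdict: confirm with the file's digital signature and hash before deleting anything, and compare the suspect wmpdxm.dll against the one in System32 rather than trusting the name.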