  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
edit: October 27th, @10:16AM
| Beware Fake Codecs - it could be a trojan
»Security Cleanup FAQ »Beware Fake Codecs - it could be a trojan
New FAQ posted in Security Cleanup because, frankly folks, I'm tired of cleaning up Zlob/smitfraud trojan infections. We have got to get the word out that the fake codecs out there are epidemic and there are too many people falling for it.
Security Forums have been deluged with daily cries of help from victims of the "Smitfraud" desktop hijackers that are using fake codecs to infect their prey.
Watch out for the Zlob Trojan that poses as a codec needed to view a video, then installs a fake virus and urges its victims to download a rogue anti-spyware program to remove it. It has been confirmed that this malware also takes advantage of unpatched systems using exploits on web pages. Visit Microsoft Update to ensure that you have ALL of the critical Windows security updates! »update.microsoft.com/microsoftupdate/
Other victims have been infected by a fake e-card greeting, or even a spoofed e-mail that claims to be Windows Update (Microsoft never sends updates via e-mail). Still more unassuming victims received an e-mail asking them to open a link to see the message (these can be fake e-mails, intended only to infect), or even a link from your 'buddy' in instant messages - but don't trust it if you aren't expecting it. Even your buddy could be infected without his/her knowledge and the virus on their computer is sending you the link with one purpose, and one purpose only - to infect you!
A few of the fake codecs out there include:
Emcodec, eMedia Codec, HQ Codec, iCodecPack, iMediaCodec, IntCodec, KeyCodec, Media-Codec, MediaCodec, MMediaCodec, MPCODEC, PCODEC, PowerCodec, PornPass Manager, PornMag Pass, SoftCodec, strCodec, TrueCodec, Vccodec, VideoCompressionCodec, VideoKeyCodec, VideosCodec, WinMediaCodec, X Password Generator, X Password Manager, ZipCodec
We urge you to be aware and watch out for fake codecs. This is one of the favorite methods used by the authors of malware to lure you into downloading a file that infects your computer. If you receive a link for a video that says you need a certain codec in order to view it, be careful! Today, it could be a fake codec that is actually a Trojan just waiting to infect your system.
What will you get with one of these infected fake codecs? »Security Cleanup FAQ »Screenshots of Desktop Hijack
New variants are being released daily, even faster than Security Products companies receive new samples for detection. And because it does take time for due diligence on detection for the newer variants, it is important to remember that prevention is the key!
A screen shot of what one of the fake codecs can look like is here:

This isn't something new! bobince recently posted an extensive list of domains known to distribute these fake codecs: »Re: Beware of zCodec: it's malware
I'm really hoping that those of you reading this will get the word out and get some attention to the risks of blindly accepting "you need this codec to view the video".
If anyone you know has gotten this infection, please send them to this FAQ for cleanup: »Security Cleanup FAQ »Zlob/Smitfraud Removal
I will be editing the list of most recent known codecs - this one is already out of date.
Also - thanks to lilhurricane for assistance on inserting the screen shot where I want it
-- It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2007
Proud Member of ASAP (Alliance of Security Analysis Professionals) |
|
  lilhurricane Crunchin' for CURES Premium,Mod join:2003-01-11 Purple Zone | Thank you Miss Janie, for the heads up... |
|
  sashwa Pixie Cat Crunches and Folds Premium,Mod join:2001-01-29 Alcatraz | reply to CalamityJane Thanks, Ms. CJ! |
|
 fcukdat
join:2005-02-20 | reply to CalamityJane Hi CJ, Keycodec made its debut on Tuesday to join the growing list of known offending codecs :(

|
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
edit: October 26th, @09:32PM
| Thanks, another to add to the ever growing list.
The fact is, it could be {insertanyname}Codec. Don't expect your security software to be the first to stop it. Don't download the codec! Period. Prevention is the KEY.
These are coming out in droves and we've really got to get the word out for people to realize the dangers of these as they come in all forms, sizes and shapes.
The latest today that sent me on this crusade was a spammer posting in a security forum, just like this one and the link was to a malicious codec download |
|
  CajunTek Insane Cajun Premium,MVM join:2003-08-08 Arlington, TX
·RoadRunner Cable
| I have a simple answer on this PC... I don't download codecs.. I don't need 'em and I definitely have better things to do than cleaning up my own PC..
Thanks for the heads up though, I'll spread this into a forum or two that you don't support (as few as those are)
Thanks again. You know we appreciate your hard work!!!! -- da Cajun Darn I hate Malware |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| said by CajunTek: Thanks for the heads up though, I'll spread this into a forum or two that you don't support (as few as those are) Thanks again. You know we appreciate your hard work!!!!
I support any forum that can get the word out, and you GO guy! We appreciate your hard work, and I know you are sick of these too!
This reminds me...is it too gauche to bring up this topic again? »[Humor, maybe] Top Ten Ways to Get Infected
Because it's true and not just humor anymore |
|
  anony101
@comcast.net
from: CalamityJane 
| reply to CalamityJane I submitted keycodec this morning and so far the response has been disappointing.
Complete scanning result of "keycodec-sample.zip", processed in VirusTotal at 10/27/2006 03:56:24 (CET).
[ file data ]
* name: keycodec-sample.zip
* size: 47371
* md5.: 066d1d836db9d6dc6d3b8c270d168b88
* sha1: 00792c99559c539c87001e848fa282d7182d52d6
[ scan result ]
AntiVir 7.2.0.32/20061026 found [TR/Zlob.65745.12]
Authentium 4.93.8/20061026 found nothing
Avast 4.7.892.0/20061026 found nothing
AVG 386/20061026 found [Downloader.Zlob.DA]
BitDefender 7.2/20061027 found [Trojan.Downloader.Zlob.ADG]
CAT-QuickHeal 8.00/20061026 found nothing
ClamAV devel-20060426/20061027 found nothing
DrWeb 4.33/20061026 found [Trojan.DownLoader.14370]
eTrust-InoculateIT 23.73.38/20061027 found nothing
eTrust-Vet 30.3.3158/20061026 found nothing
Ewido 4.0/20061026 found nothing
F-Prot 3.16f/20061026 found nothing
F-Prot4 4.2.1.29/20061026 found nothing
Fortinet 2.82.0.0/20061026 found [suspicious]
Ikarus 0.2.65.0/20061026 found nothing
Kaspersky 4.0.2.24/20061027 found [Trojan-Downloader.Win32.Zlob.asd]
McAfee 4882/20061026 found nothing
Microsoft 1.1609 /20061026 found nothing
NOD32v2 1.1838/20061026 found nothing
Norman 5.80.02/20061026 found nothing
Panda 9.0.0.4/20061027 found [Suspicious file]
Sophos 4.10.0/20061026 found nothing
TheHacker 6.0.1.106/20061026 found [W32/Bagle.gen.pwdzip5]
UNA 1.83/20061026 found nothing
VBA32 3.11.1/20061026 found nothing
VirusBuster 4.3.15:9/20061026 found nothing
[ notes ]
packers: UPX
packers: UPX, BINARYRES
packers: UPX |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| Proceed directly to step B here: Submit Malware
Click on the link *Click here to submit the suspected malware file* in there to submit  |
|
  anony101
@comcast.net
from: CalamityJane 
| That's how I always submit + jotti and virustotal  |
|
  Cudni La Merma - Los De Aca Premium,MVM join:2003-12-20 Someshire | The submit link above that CalamityJane gave you forwards it direct to various AV houses
Cudni |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL | reply to anony101 Thank you! 
{{Hugs}}
Submitting is good! |
|
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| reply to anony101
said by anony101: That's how I always submit + jotti and virustotal
Windows Media Player is unable to play movie file. Please click here to download new version of codec. For further information visit keycodec.com.
Creation Date: 23-Oct-2006
»www.dnsstuff.com/tools/whois.ch?···odec.com
I think you have seen a player window come up like this screen shot.
»gladiator-antivirus.com/forum/in···ic=44778
Creation Date: 26-Sep-2006
»www.dnsstuff.com/tools/whois.ch?···odec.com
Seems many sites are being registered to carry out these money making ventures.
-- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| said by Name Game: Seems many sites are being registered to carry out these money making ventures.
Too many!
Thanks for all you do, John, to get the word out  |
|
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
edit: October 26th, @11:00PM
| reply to CalamityJane Jahewi's site has some great screen shots and walk through on what happens to a PC when you fall for this codec trick out there now on so many sites.
Jahewi's Anti-Malware Information
General installation of Fake Codecs, or ... how to get screwed the easy way »www.jahewi.nl/fake/fakecodecs.html
List of fake codecs »www.jahewi.nl/lists/fakecodecs/f···ecs.html |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL | Excellent! Thank you! 
Pass it on people, this is good stuff...pass it on! |
|
  angelique Premium join:2004-03-09 Alhambra, CA | reply to CalamityJane Thanx for the info Calamity. As someone posted earlier prevention is best. I have encountered sites that request to install a codec and I decline. |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| said by angelique: Thanx for the info Calamity. As someone posted earlier prevention is best. I have encountered sites that request to install a codec and I decline.
Good for you, angelique! ~pass it on!~ |
|
  SpannerITWks Premium join:2005-04-22
| reply to CalamityJane There's no " could be " about it, if it is a Fake Codec, then it's a trojan 4 sure !
The Zlobs appear to be as prevalent, or even more so lately, than the Gromozons. Another day, another bucket load of Crap hey.
Spanner -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks |
|
 BullroarerT
join:2003-10-08 Fountain Hills, AZ
·Blue Mountain Inte..
| reply to CalamityJane Calamity, thanks for the good work.
I've passed on your message to some friends. Whether they listen or not, who knows.
Anyhow I ended my email with this:
It's hard to keep a computer clean these days. Remember the drug campaign message from the early 90's "Just Say No". Well, that advice still works today with your computer.
Just had to reformat a hard drive and reinstall Windows on a friend's infected laptop. Took me all day to determine how bad the infection was, and another day to reinstall Windows. Had I billed her, she could have bought a new laptop for the cost of my time.
Anyhow, I had the help of the security forums here in diagnosing the problem with the aforementioned laptop (wasn't a codec infection). Thanks again! |
|