
Beware of zCodec: it's malware


Jeff

Sep 4, 2006, 8:46:33 PM
There's a new video codec being offered that
claims to offer up to 40% better compression,
but in fact is adware which can download and
install files, changes your DNS configuration,
and monitors adult websites. Downloaded files
can include the Trojan Ruins.MB, which
conceals itself using rootkit techniques.

http://www.techworld.com/security/news/index.cfm?newsID=6781

David H. Lipman

Sep 4, 2006, 9:27:19 PM
From: "Jeff" <jv00...@sneakemail.com>

It is produced by the SAME 'codec' guys who are creating the ZLob Trojan installers that are
disguised as Video Codecs.

The files that come from them are named such as...
dvdcodec1000.exe
ZCodec1000.exe

The ZLob installers will have names like...
sv-codec-v4_01a.exe
mediacodec-4.207.exe
intcodec-v6.535.exe
intcodec-v6.107.exe

The numbers in the above will vary but will be the same. Today intcodec-v6.535.exe and
intcodec-v6.107.exe will have the same MD5 checksum and will install a new ZLob variant but
tomorrow, they will have a new MD5 checksum and install a new ZLob variant.

Kaspersky calls the ones that are DNS Changers "Trojan.Win32.DNSChanger".
New variants are being created on a regular basis just like the ZLob Trojans.

I will also note that the files dvdcodec1000.exe and ZCodec1000.exe can change between a
ZLob installer and a DNS Changer.

The last time I tested "ZCodec1000.exe" I got Trojan.Win32.DNSChanger.xx where .xx was the
variant which I didn't keep a record of.

This is Tonite's test...

---[ www.virustotal.com ]---------------------------

Complete scanning result of "ZCodec1000.exe", received in VirusTotal at 09.05.2006, 03:17:37
(CET).

Antivirus           Version         Update      Result
AntiVir             7.1.1.11        09.04.2006  TR/Drop.Zlob.acn
Authentium          4.93.8          09.03.2006  no virus found
Avast               4.7.844.0       09.04.2006  no virus found
AVG                 386             09.04.2006  Downloader.Zlob.DEZ
BitDefender         7.2             09.05.2006  Trojan.Downloader.Zlob.ZCO
CAT-QuickHeal       8.00            09.04.2006  no virus found
ClamAV              devel-20060426  09.05.2006  no virus found
DrWeb               4.33            09.04.2006  no virus found
eTrust-InoculateIT  23.72.115       09.04.2006  no virus found
eTrust-Vet          30.3.3061       09.04.2006  no virus found
Ewido               4.0             09.04.2006  no virus found
Fortinet            2.77.0.0        09.04.2006  no virus found
F-Prot              3.16f           09.04.2006  no virus found
F-Prot4             4.2.1.29        09.04.2006  no virus found
Ikarus              0.2.65.0        09.04.2006  no virus found
Kaspersky           4.0.2.24        09.05.2006  no virus found
McAfee              4844            09.04.2006  no virus found
Microsoft           1.1560          09.03.2006  no virus found
NOD32v2             1.1739          09.04.2006  a variant of Win32/TrojanDownloader.Zlob
Norman              5.90.23         09.04.2006  no virus found
Panda               9.0.0.4         09.04.2006  no virus found
Sophos              4.09.0          09.05.2006  no virus found
Symantec            8.0             09.04.2006  no virus found
TheHacker           5.9.8.204       09.04.2006  no virus found
UNA                 1.83            09.05.2006  no virus found
VBA32               3.11.1          09.04.2006  no virus found
VirusBuster         4.3.7:9         09.03.2006  no virus found


Aditional Information
File size: 97321 bytes
MD5: 0e26f1e751d94be278887760f79a1f53
SHA1: b97d2a39b940eb6457637e20e6d5d454a335943f


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


siljaline

Sep 4, 2006, 11:24:52 PM
http://www.lavasoft.com/lavasoftnews/2006/09/hijacks.html
<paste>
Emcodec
nvidcodec
emediacodec
svideocodec
imediacodec
v-codec
media-codec
vidscodec
mediacodec
zipcodec
Newvidscodec
intcodec
</paste>

Silj

--
siljaline

--
Posted via a free Usenet account from http://www.teranews.com
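
An added example, not part of the thread or any poster's code: a Python triage sketch built on the two posts above, showing why a hash blocklist misses the next day's rebuild while the filename family (stem plus varying number) still matches. The function names and the sightings are constructed; only the first MD5 is the one quoted in the VirusTotal report above.

```python
import re
from collections import defaultdict

# Family stems taken from the file names quoted in the thread (lower-cased).
LURE_STEMS = {
    "zcodec", "dvdcodec", "sv-codec", "emcodec", "nvidcodec", "emediacodec",
    "svideocodec", "imediacodec", "v-codec", "media-codec", "vidscodec",
    "mediacodec", "zipcodec", "newvidscodec", "intcodec",
}
# Trailing version/build token, e.g. "1000", "-v6.535", "-4.207", "-v4_01a".
VERSION_TAIL = re.compile(r"[-_]?v?\d[\w.]*$")

def lure_stem(filename):
    """Return the matching family stem for an .exe name, or None."""
    name = filename.lower()
    if not name.endswith(".exe"):
        return None
    stem = VERSION_TAIL.sub("", name[:-4])
    return stem if stem in LURE_STEMS else None

def triage(observations, known_md5):
    """Split (filename, md5) sightings into hash hits and name-only hits,
    and report hashes that were seen under more than one file name."""
    hash_hits, name_only = [], []
    names_by_md5 = defaultdict(set)
    for filename, md5 in observations:
        names_by_md5[md5].add(filename)
        if md5 in known_md5:
            hash_hits.append(filename)
        elif lure_stem(filename):
            name_only.append(filename)  # new build: hash unknown, name fits
    renamed = {h: sorted(n) for h, n in names_by_md5.items() if len(n) > 1}
    return hash_hits, name_only, renamed

# Constructed sightings; hashes other than the first are placeholders.
SAMPLE = [
    ("ZCodec1000.exe", "0e26f1e751d94be278887760f79a1f53"),
    ("intcodec-v6.535.exe", "a" * 32),
    ("intcodec-v6.107.exe", "a" * 32),   # same build, different number
    ("intcodec-v6.535.exe", "b" * 32),   # next day's rebuild, new hash
    ("setup.exe", "c" * 32),             # unrelated file
]
KNOWN_MD5 = {"0e26f1e751d94be278887760f79a1f53", "a" * 32}

if __name__ == "__main__":
    print(triage(SAMPLE, KNOWN_MD5))
```

A name match is only a triage signal for a closer look at the file; it is not a verdict on its own.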

Jeff

Sep 6, 2006, 7:13:15 PM

There is one thing that URLs associated with these codecs
have in common: they are part of the CWS.VCodec group.
The sites are known for employing browser exploits, and the
latest domain to watch out for (or put in your hosts file) is
dvdcodec.net.

David H. Lipman

Sep 6, 2006, 8:17:33 PM
From: "Jeff" <jv00...@sneakemail.com>

|
| There is one thing that URLs associated with these codecs
| have in common: they are part of the CWS.VCodec group.
| The sites are known for employing browser exploits, and the
| latest domain to watch out for (or put in your hosts file) is
| dvdcodec.net.

It won't last long. I have a list of active and defunct Domains. In a few weeks or so that
site will be shutdown and another will take its place.

Additionally, I haven't seen them use exploitation, just Social Engineering.

siljaline

Sep 6, 2006, 8:55:01 PM
"Jeff" wrote:

> There is one thing that URLs associated with these codecs
> have in common: they are part of the CWS.VCodec group.
> The sites are known for employing browser exploits, and the
> latest domain to watch out for (or put in your hosts file) is
> dvdcodec.net.

It may not be necessary to add that URL to your HOSTS file
since the site may be down or not exist within a short while.

Subscribe to the MVPS HOSTS file update notifications (your option)
http://www.mvps.org/winhelp2002/hosts.htm
