Jahewi's Anti-Malware Information
Installation of Fake Codecs, or ... how to get screwed the easy way
Generally, the problems start like this.
You find a movie clip which you want to see ... however, upon opening the clip, it is not shown. Instead, you get a message that WMP can't find the right codec and that you have to download and install it before you can watch the movie
(needless to say, the whole message, including the WMP image, is as fake as the codec itself).
Another sure way to get infected is downloading the fake codec from its home site.
Obviously, whatever site you would look at, whichever fake codec you come across (and the chance that you do, sooner or later, is not imaginary), they are all 'the best' at what they claim to do ...
I'm sure they all do their best at something ... but showing a movie is not what they are great at.
Here are some examples of home sites of fake codecs.
As I already blogged here (English) and here (Dutch), these fake codecs work on our natural curiosity.
Until now, I didn't come across a fake codec that downloaded itself.
Instead, they wait, like a spider in its web, for those of us who are really compelled to see that movie (or are just ignorant enough to download a codec from its home site ...).
They often even try to justify the garbage they install on the infected computer.
Okay ... back to the events at hand, if you would decide to take your chances and install the fake codec.
In case you download the file from the home page of the fake codec, it will just be downloaded.
You will have to start the installation yourself ...
However, if you install the codec from a fake Windows Media Player direction, the installation will start immediately!
When the installation is started, the EULA will be shown

The image on the right tells its tale ... both Spyberus and Ewido (which, in my case, are sometimes installed to watch the secret installation of the trojans and other malware) will show security warnings. In some cases there were even 3 alerts.
So, it's safe to say that, as soon as you click "Install", there is no way back.
The first thing most fake codecs do is infect your computer with their load of trojans!
After the installation of the fake codec is finished, the changes in Windows are quite obvious ...
The computer has a brand new virus scanner, which will start scanning immediately; often even before the installation of the fake codec has been completed!
Because the malware scanner (in this case VirusBurst) is as fake as the codec itself, it will find numerous malware items ... some are real, some are fake. You can be sure, however, that most (if not all, like in the image above) of the trojans it finds that are really on your computer were dropped by the fake codec.
Another obvious change is the home page of your Internet Explorer ... it will point to another site than the one you're used to.
At this moment, theuptodatesafety.com is the most popular.
... and then, just when you start to think that you're not too badly screwed, the popups start to show up ........ all the time .....
By now, you just know that you're screwed ... and your computer is infected ... the bad way!
jahewi, Sept. 27, 2006