Well, it isn't.

It's (surprise surprise) a fake Fake Codec-site from KLIK MEDIA GMBH.
        Registration service provided by: KLIK MEDIA GMBH
        Domain: VCODEC2007.COM
        Registrant: VCodec2007 (Alex White)
        Creation Date: 19-nov-2006
        Expiration Date: 19-nov-2007
        Domain servers: ns2.vcodec2007.com - ns1.vcodec2007.com
Are you as puzzled as i am? Then read on --- there's more!
After downloading the installation-file vcodec2007.exe, it show the installation-file with this icon

If we would be dealing with a 'real' Fake Codecs, the result of such a scan would be very different
(as an example, it's the results for MovieCodec)

If there wouldn't be any ZLob-trojans installed, then the goal of this fake codec wouldn't be installing a fake Anti-malware-scanner ... Right?

However, after installation, there are 2 new folders in the Program Files-folder:
        - VideoBox, wich only has 1 file called Uninstall.exe
        - WinAntSpyPro, wich has 3 files; mstss32.ini, mstss.exe and plugin.exe
The last folder, offcourse, looks a lot like the WinAntiSpywarePro-folder, wich is installed by the fake malware-scanner WinAntiSpyware Pro 2006.

Let's analyse those files:
The mstss32.ini-file contains some interesting stuff:
        [SETTINGS]
        curhour=-1
        homepage="http://theonlybookmark.com/in.cgi?20"
        firststart0=217328496
        firststart1=29834674
        [MESSAGE]
        text="Attention! System detected a potential hazard (TrojanSPM/LX) on your computer|that may infect executable
        files. Your private information and PC safety is at risk.|To get rid of unwanted spyware and keep your computer safe you
        need to update your current security software.|Click Yes to download official intrusion detection system (IDS software)"
        caption="Security Monitor: WARNING!"
        url="http://go.winantivirus.com/ODU3Ng==/2/3948/ax=0/ed=0/ex=0/ap=0/a=0/soft1/"
        key="\\SOFTWARE\\WinAntiSpyware 2006 Free"
        [C1]
        domain="http://mypornrealm.com"
        data="videocodecinstalled"
        [C2]
        domain="http://gsearchbox.com"
        data="videocodecinstalled"
        [C3]
        domain="http://humstergals.com"
        data="videocodecinstalled"
        [EXE1]
        path="updchk.exe"
        runtime="0"
        isrun=1
        [EXE3]
        path="plugin.exe"
        runtime="1"
        isrun=0

mstss.exe and plugin.exe are recognized as
Complete scanning result of "mstss.exe", received in VirusTotal at 01.22.2007, 00:34:22 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.26 01.21.2007 TR/StartPage.amn
Authentium 4.93.8 01.21.2007 W32/Trojan.MIU
Avast 4.7.936.0 01.18.2007 no virus found
AVG 386 01.21.2007 Startpage.AQJ
BitDefender 7.2 01.21.2007 Trojan.StartPage.AMN
CAT-QuickHeal 9.00 01.20.2007 Trojan.StartPage.amn
ClamAV devel-20060426 01.21.2007 Trojan.Startpage-431
DrWeb 4.33 01.21.2007 Trojan.StartPage.1763
eSafe 7.0.14.0 01.21.2007 Win32.StartPage.amn
eTrust-InoculateIT 23.73.118 01.20.2007  no virus found
eTrust-Vet 30.3.3336 01.19.2007  no virus found
Ewido 4.0 01.21.2007 Hijacker.StartPage.amn
Fortinet 2.82.0.0 01.21.2007 W32/StartPage.AMN!tr
F-Prot 3.16f 01.21.2007 destructive program named W32/Trojan.MIU
F-Prot4 4.2.1.29 01.21.2007 W32/Trojan.MIU
Ikarus T3.1.0.27 01.09.2007 Trojan.Win32.StartPage.amn
Kaspersky 4.0.2.24 01.22.2007 Trojan.Win32.StartPage.amn
McAfee 4943 01.19.2007  no virus found
Microsoft 1.1904 01.21.2007  no virus found
NOD32v2 1995 01.21.2007  no virus found
Norman 5.80.02 01.21.2007 W32/Startpage.EAR
Panda 9.0.0.4 01.21.2007 Adware/StartPage.AYF
Prevx1 V2 01.22.2007 Trojan.AVICodec
Sophos 4.13.0 01.20.2007  no virus found
Sunbelt 2.2.907.0 01.12.2007 Trojan.Win32.StartPage.amn
TheHacker 6.0.3.153 01.21.2007 Trojan/StartPage.amn
UNA 1.83 01.19.2007 Trojan.Win32.StartPage.97A2
VBA32 3.11.2 01.20.2007 Trojan.Win32.StartPage.amn
VirusBuster 4.3.19:9 01.21.2007 no virus found


Aditional Information
File size: 6656 bytes
MD5: c3bf0df582ff79a82535f5c5ecd488c1
SHA1: b0b01f05133c1b2b23994ea645e99e907172f269
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=5d4960425105

This looks very much like the fake alert of spySheriff, SpyFalcon and other "smitfraud" malware-scanner.

... and even Dns-services are being Hijacked, the following HijackThis-log shows:
Logfile of HijackThis v1.99.1
Scan saved at 19:17, on 07-01-22
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\csrss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\Program Files\WinAntSpyPro\mstss.exe
C:\WINXP\System32\ctfmon.exe
C:\winstall.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jawwi\Bureaublad\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx
O4 - HKLM\..\Run: [mstss] C:\Program Files\WinAntSpyPro\mstss.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXP\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8A8B184-21B5-4486-99E5-E0D0857712FE}: NameServer = 85.255.113.115,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12

The homepage and search-functions in Internet Explorer have been hijacked and now point to theonlybookmark.com, wich sends you to random malware-pages and, if you are "lucky", sends you on a rollercoaster-tour to the sites of WinAntiSpyware, ErrorSafe, DriveCleaner and more of those fakers.

And still there is even more to this story, but let's try to let all this sink in, for now ...

Who wants to put something like this on the net? Who can we hold responsible for this site -- Click Media? EstDomains?
I don't think so.
It all looks like a spitting image of an old "smitfraud"-infection ... it almost looks like a joke.
I don't think we've heard the last of this.


jahewi, jan. 21, 2007
(last change jan. 22, 2007)