Jahewi's Anti-Malware Information
VirusBurst-infection thru PCodec 6.0 and the connection with Gromozon.com
(Sorry for the Dutch screen .... couldn't be helped ;-)


It starts, like always, with wanting to watch a movie clip.
You're asked, in this case, to download and install a new codec, which is compressed in the file
intcodec-v6.399.exe
You need to accept the EULA, of course ...
... after which the 'codec', PCODEC 6.0, is installed.

Instead of a codec, a bunch of malware packages is installed:

        VirusBurst 6.1
        Internet Explorer Security Plugin 2006
        PCODEC 6.0
        Safety Alerter 2006
        Public Messenger ver 2.03
        Internet Security Add-On


In the list of installed software, the following items will be added:
        Internet Explorer Security Plugin 2006
        Internet Security Add-On
        PCODEC 6.0
        Public Messenger ver 2.3
        Safety Alerter 2006
        VirusBurst 6.1


On the desktop, there are 3 new shortcuts:
        Online Security Guide
        Security TroubleShooting
        VirusBurst


In the taskbar, there are 3 new icons:
        VirusBurst and 2 fake malware warnings.



The Internet Explorer start page is hijacked to (in my case) wwwDOT404dnserrorDOTcom, which generates a "cannot be displayed" error.

At the top is a fake IE message bar which (when clicked) shows an IE warning, which (when clicked) sends you to an ErrorSafe download page.

The download will start automatically!

There is 1 link added to the favorites:
Online Security Test (wwwDOTtestonlinesecurityDOTcom/phptest/)

Details of the installed malware
Part of Internet Explorer Security Plugin 2006 (0.04 Mb)
Gromozon is placed in the Trusted zone! (see below)

UPDATE SEPT 7: I have been corrected by LineOFire.
The registry entries show that Gromozon and ZCodec are NOT added to the TRUSTED ZONE but to the RESTRICTED ZONE!
This could mean that they are blocked, but somehow I think there is more to it ...
Anyway, somehow I overlooked this.
My thanks to LineOFire for bringing it to my attention!
HijackThis and special remarks
Logfile of HijackThis v1.99.1
Scan saved at 21:32:16, on 4-9-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Robot Genius\Spyberus\RgView.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Documents and Settings\jahewi\Bureaublad\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Robot Genius - {1FD7EA94-0650-4CF5-ACFF-CDB36A6E924F} - C:\Program Files\Robot Genius\Spyberus\RgWinId.dll
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\PCODEC\isaddon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Protection Bar - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - C:\Program Files\PCODEC\iesplugin.dll
O4 - HKLM\..\Run: [RGLauncher] C:\Program Files\Robot Genius\Spyberus\Spyberus.exe /S
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [VirusBurst] C:\Program Files\VirusBurst\VirusBurst.exe /h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - AppInit_DLLs: C:\PROGRA~1\ROBOTG~1\Spyberus\RGIEMon.dll
O20 - Winlogon Notify: yvbb01 - C:\WINDOWS\SYSTEM32\yvbb01.dll
O20 - Winlogon Notify: yvpp01 - C:\WINDOWS\SYSTEM32\yvpp01.dll
O21 - SSODL: grindelwald - {4eb548e5-1fb1-4f83-b49f-a3101fe5fc97} - C:\WINDOWS\System32\xtgwjrm.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
Registry peek of ZoneMap entries
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
@=""
"ProxyByPass"=dword:00000001
"IntranetName"=dword:00000001
"UNCAsIntranet"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
@=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gromozon.com]
"http"=dword:00000004
"https"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\zcodec.com]
"http"=dword:00000004
"https"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\gromozon.com]
"http"=dword:00000004
"https"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\zcodec.com]
"http"=dword:00000004
"https"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
@=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range0]
"*"=dword:00000004
":Range"="194.187.*.*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
"*"=dword:00000004
":Range"="195.95.*.*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range10]
"*"=dword:00000004
":Range"="70.84.*.*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range11]
"*"=dword:00000004
":Range"="81.9.3.*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range12]
"*"=dword:00000004
":Range"="81.95.*.*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range13]
"*"=dword:00000004
":Range"="82.179.*.*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range14]
"*"=dword:00000004
":Range"="85.255.*.*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range15]
"*"=dword:00000004
":Range"="216.195.*.*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range2]
"*"=dword:00000004
":Range"="195.225.*.*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range3]
"*"=dword:00000004
":Range"="205.177.*.*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range4]
"*"=dword:00000004
":Range"="205.188.*.*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range5]
"*"=dword:00000004
":Range"="216.239.*.*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range6]
"*"=dword:00000004
":Range"="66.230.*.*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range7]
"*"=dword:00000004
":Range"="66.235.*.*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range8]
"*"=dword:00000004
":Range"="69.31.*.*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range9]
"*"=dword:00000004
":Range"="69.50.*.*"
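The dword values above are what the September 7 update turns on: Internet Explorer stores a URL security zone identifier per scheme under ZoneMap, where 1 is Local intranet, 2 is Trusted sites, 3 is Internet and 4 is Restricted sites, so every gromozon.com, zcodec.com and Range entry in this export carries the Restricted-sites value 4. As an added example (not part of the original write-up and not a tool from this site), the Python script below parses such a .reg export of the ZoneMap key, resolves nested Domains keys (a key Domains\example.com\www stands for the host www.example.com) as well as Ranges keys (reported by their ':Range' pattern), and lists which targets land in which zone, so a responder can see at a glance whether anything was quietly added to the Trusted zone rather than the Restricted one. The embedded sample export is constructed: it copies a few of the entries above and adds a made-up www.example.test key with zone value 2 to show what a trusted-zone addition would look like.

```python
import re

# Well-known Internet Explorer URL security zone identifiers (URLZONE_* values).
ZONE_NAMES = {
    0: "My Computer",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample: a trimmed copy of a ZoneMap .reg export, plus one made-up
# Domains\example.test\www key placed in zone 2 (Trusted sites) for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gromozon.com]
"http"=dword:00000004
"https"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\zcodec.com]
"http"=dword:00000004
"https"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\www]
"*"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\gromozon.com]
"http"=dword:00000004
"https"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range0]
"*"=dword:00000004
":Range"="194.187.*.*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
"*"=dword:00000004
":Range"="195.95.*.*"
'''

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9A-Fa-f]{8})|"(?P<text>[^"]*)")$'
)


def parse_reg_keys(reg_text):
    """Parse .reg text into a list of (key_path, {value_name: value}).

    dword values become ints, string values stay str; the '@' default value
    and any line outside a key are ignored."""
    keys = []
    values = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            values = {}
            keys.append((m.group("path"), values))
            continue
        m = VALUE_RE.match(line)
        if m and values is not None:
            if m.group("dword") is not None:
                values[m.group("name")] = int(m.group("dword"), 16)
            else:
                values[m.group("name")] = m.group("text")
    return keys


def zonemap_entries(reg_text):
    """Return (target, scheme, zone_id) triples for ZoneMap Domains, EscDomains and Ranges keys.

    Nested Domains components are reversed and joined, so Domains\example.test\www
    yields the host www.example.test; a Ranges\RangeN key is named by its ':Range' pattern."""
    entries = []
    for path, values in parse_reg_keys(reg_text):
        parts = path.split("\\")
        if "ZoneMap" not in parts:
            continue
        tail = parts[parts.index("ZoneMap") + 1:]
        if not tail:
            continue
        kind = tail[0]
        if kind in ("Domains", "EscDomains") and len(tail) >= 2:
            target = ".".join(reversed(tail[1:]))
        elif kind == "Ranges" and ":Range" in values:
            target = values[":Range"]
        else:
            continue  # ProtocolDefaults and other ZoneMap subkeys carry no host mapping
        for name, value in values.items():
            if name == ":Range" or not isinstance(value, int):
                continue
            entries.append((target, name, value))
    return entries


def targets_in_zone(entries, zone_id):
    """Sorted, de-duplicated targets that any scheme maps into the given zone."""
    return sorted({t for t, _, z in entries if z == zone_id})


def zone_report(entries):
    """Map zone name -> sorted targets, for a quick human-readable summary."""
    report = {}
    for zone_id in sorted({z for _, _, z in entries}):
        report[ZONE_NAMES.get(zone_id, "zone %d" % zone_id)] = targets_in_zone(entries, zone_id)
    return report


if __name__ == "__main__":
    for zone, targets in zone_report(zonemap_entries(SAMPLE_REG)).items():
        print(zone)
        for target in targets:
            print("    " + target)
```

Run against a real export (regedit's "Export" on the ZoneMap key, saved as .reg and read into the script instead of SAMPLE_REG), the interesting line of the report is "Trusted sites": for the export shown on this page it would be empty, which is exactly the point of the correction above, while any unexpected host under it is worth a closer look.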
jahewi, sept. 4, 2006
Most of the screenshots are taken from Spyberus, so my Very Special Thanks to the people at RobotGenius for letting me use their new BETA-version of Spyberus!