Beware - Desktop Hijacks on the Rise Again

The Lavasoft Support Forums have been deluged with daily cries of help from victims of the "Smitfraud" desktop hijackers that are using fake codecs to infect their prey.

Watch out for the Zlob Trojan that poses as a codec needed to view a video, then installs a fake virus and urges its victims to download a rogue anti-spyware program to remove it. Lavasoft has also confirmed that this malware takes advantage of unpatched systems using exploits on web pages. Visit Microsoft Update to ensure that ALL of your critical Windows security patches are updated.

Other victims have been infected by a fake e-card greeting, or even a spoofed e-mail that claims to be Windows Update (Microsoft never sends updates via e-mail). Still more unassuming victims received an e-mail asking them to open a link to see the message (these can be fake e-mails, intended only to infect), or even a link from your ‘buddy’ in instant messages - but don’t trust it if you aren’t expecting it. Even your buddy could be infected without his/her knowledge and the virus on their computer is sending you the link with one purpose, and one purpose only - to infect you!

A few of the fake codecs out there include:

* Emcodec
* emediacodec
* imediacodec
* media-codec
* mediacodec
* Newvidscodec
* nvidcodec
* svideocodec
* v-codec
* vidscodec
* zipcodec
* intcodec

We urge you to be aware and watch out for fake codecs. This is one of the favorite methods used by the authors of malware to lure you into downloading a file that infects your computer. If you receive a link for a video that says you need a certain codec in order to view it, be careful! Today, it could be a fake codec that is actually a Trojan just waiting to infect your system.

New variants are being released daily, even faster than Lavasoft receives new samples for detection. And because it does take time for due diligence on detection for the newer variants, it is important to remember that prevention is the key!

* Watch what you download.
* Be careful where you surf.
* Do not openly trust attachments or links in e-mail and instant messages. Even your network of friends could be unknowingly forwarding a virus.
* Be aware of "phishing", cleverly-crafted e-mails that look like they came from an official source like Microsoft, your bank, or some other official office. They often use links in their e-mails that lead to a third-party site (this is a choice avenue of infection).
* Stay FAR away from cracks and warez sites - you are sure to receive infected files there.
* More than half of p2p (shared) files are believed to be infected, so use a high level of caution when downloading shared files. The newest 'nasties' are easy to release through p2p files.

http://www.lavasoft.com/lavasoftnews/2006/09/hijacks.html

The Sunbelt blog is currently reporting on the fake codec sites that push the Zlob Trojan, with screenshots of the sites. Everyone should take a look so they know that these are dangerous scam sites.

Beware: the Zlob Trojan is morphed every few hours, so your AV program is unlikely to detect the Trojan. (Only Avira seems to have a successful generic detection.)

http://sunbeltblog.blogspot.com/

This article (previously posted by Tech) may prove interesting regarding virus obfuscation techniques:

http://www.virusbtn.com/virusbulletin/archive/2006/03/vb200603-packed

I assume Zlob is doing something like this.

EDIT:

Authentium, F-Prot and VirusBuster seem to have generic detection as well. Kaspersky usually detects them, but I’ve seen it miss one. NOD32 got this one but missed one I tried yesterday.

http://donaldbroatch.users.btopenworld.com/zlob.jpg
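The list of fake codec names in the quoted Lavasoft post, together with its advice to watch what gets downloaded, translates into a simple defender-side check. The script below is an added example and is not code from Lavasoft, Sunbelt or anyone in this thread: it reads a few constructed squid-style proxy log lines (the log format, the `.invalid` hostnames and the client addresses are all assumptions) and flags executable downloads whose file name matches one of the quoted codec names, or any other installer with "codec" in its name. It inspects query-string values as well as the URL path, since drive-by pages often serve the installer through a download script.

```python
"""Flag suspicious 'codec' installer downloads in proxy logs.

Added example, not code from the Lavasoft post or this forum thread.
The log format (squid native style), the hostnames and the clients below
are constructed for the example; the codec names come from the quoted post.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Fake codec names listed in the quoted Lavasoft post, lower-cased.
KNOWN_FAKE_CODECS = {
    "emcodec", "emediacodec", "imediacodec", "media-codec", "mediacodec",
    "newvidscodec", "nvidcodec", "svideocodec", "v-codec", "vidscodec",
    "zipcodec", "intcodec",
}

EXECUTABLE_EXTS = (".exe", ".msi", ".scr", ".com")

# squid native log: time elapsed client code/status bytes method URL ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log (assumed format; .invalid hosts are reserved names).
SAMPLE_LOG = """\
1158844800.123    210 10.0.0.12 TCP_MISS/200 184320 GET http://video-example.invalid/download/nvidcodec_setup.exe - DIRECT/192.0.2.10 application/octet-stream
1158844815.456     87 10.0.0.12 TCP_MISS/200 5120 GET http://video-example.invalid/player.html - DIRECT/192.0.2.10 text/html
1158844830.789    340 10.0.0.21 TCP_MISS/200 262144 GET http://cdn-example.invalid/get.php?file=WinMediaCodec.exe - DIRECT/192.0.2.11 application/octet-stream
1158844845.000     60 10.0.0.33 TCP_MISS/200 1048576 GET http://vendor-example.invalid/xvid-1.1.0.exe - DIRECT/192.0.2.12 application/octet-stream
"""


def classify_download(url):
    """Return ('known', name), ('generic', name) or None for one URL.

    Both the last path segment and every query-string value are checked,
    so /dir/nvidcodec.exe and /get.php?file=WinMediaCodec.exe are caught.
    """
    parts = urlsplit(url)
    candidates = [unquote(parts.path).rsplit("/", 1)[-1]]
    candidates += [value for _, value in parse_qsl(parts.query)]
    for name in candidates:
        name = name.lower()
        if not name.endswith(EXECUTABLE_EXTS):
            continue
        stem = name.rsplit(".", 1)[0]
        # Drop a trailing "_setup", "-installer", "update3" etc. before matching.
        base = re.sub(r"[-_]?(setup|installer|install|update)\d*$", "", stem)
        if stem in KNOWN_FAKE_CODECS or base in KNOWN_FAKE_CODECS:
            return ("known", name)
        if "codec" in stem:
            # Not on the list, but a 'codec' installer is worth a look.
            return ("generic", name)
    return None


def scan_log(lines):
    """Return one dict per flagged download, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_download(m.group("url"))
        if verdict is None:
            continue
        kind, filename = verdict
        hits.append({"ts": m.group("ts"), "client": m.group("client"),
                     "filename": filename, "verdict": kind})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['client']} {hit['verdict']:8} {hit['filename']}")
```

Run against the sample, only the `nvidcodec_setup.exe` download (a listed name) and the `WinMediaCodec.exe` download (an unlisted "codec" installer) are reported; the HTML page and the ordinary `xvid-1.1.0.exe` installer are left alone, which is the point of matching on the name rather than on every executable download. The known-name list will age quickly, as the thread itself notes that new variants and sites appear daily, so the generic "codec" rule is what carries the check forward.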


Frank,

Thanks for the “heads-up!” :slight_smile:


New fake codec sites are appearing regularly.

http://sunbeltblog.blogspot.com/2006/09/new-fake-codec-site-winmediacodec_22.html

Let’s be careful out there!