Beware of zCodec: it's malware

There's a new video codec being offered that
claims to offer up to 40% better compression,
but in fact is adware which can download and
install files, changes your DNS configuration,
and monitors adult websites. Downloaded files
can include the Trojan Ruins.MB, which
conceals itself using rootkit techniques.

http://www.techworld.com/security/ne...fm?newsID=6781

Jeff

From: "Jeff" <>

| There's a new video codec being offered that
| claims to offer up to 40% better compression,
| but in fact is adware which can download and
| install files, changes your DNS configuration,
| and monitors adult websites. Downloaded files
| can include the Trojan Ruins.MB, which
| conceals itself using rootkit techniques.
|
| http://www.techworld.com/security/ne...fm?newsID=6781

It is produced by the SAME 'codec' guys who are creating the ZLob Trojan installers that are
disguised as Video Codecs.

The files that come from them are named such as...
dvdcodec1000.exe
ZCodec1000.exe

The ZLob installers will have names like...
sv-codec-v4_01a.exe
mediacodec-4.207.exe
intcodec-v6.535.exe
intcodec-v6.107.exe

The numbers in the above will vary be will be the same. Today intcodec-v6.535.exe and
intcodec-v6.107.exe will have the same MD5 checksum and will install a new ZLob variant but
Tomorrow, they will habve a new MD5 checsum and install a new ZLob variant.

Kaspersky calls the the one that are DNS Changers "Trojan.Win32.DNSChanger"
New variants are being created on a regular basis just like the ZLob Trojans.

I will also note that the files dvdcodec1000.exe and ZCodec1000.exe can change between a
ZLob installer and a DNS Changer.

The last time I tested "ZCodec1000.exe" I got Trojan.Win32.DNSChanger.xx where .xx was the
variant which I didn't keep a record of.

This is Tonite's test...

---[ www.virustotal.com ]---------------------------

Complete scanning result of "ZCodec1000.exe", received in VirusTotal at 09.05.2006, 03:17:37
(CET).

Antivirus Version Update Result
AntiVir 7.1.1.11 09.04.2006 TR/Drop.Zlob.acn
Authentium 4.93.8 09.03.2006 no virus found
Avast 4.7.844.0 09.04.2006 no virus found
AVG 386 09.04.2006 Downloader.Zlob.DEZ
BitDefender 7.2 09.05.2006 Trojan.Downloader.Zlob.ZCO
CAT-QuickHeal 8.00 09.04.2006 no virus found
ClamAV devel-20060426 09.05.2006 no virus found
DrWeb 4.33 09.04.2006 no virus found
eTrust-InoculateIT 23.72.115 09.04.2006 no virus found
eTrust-Vet 30.3.3061 09.04.2006 no virus found
Ewido 4.0 09.04.2006 no virus found
Fortinet 2.77.0.0 09.04.2006 no virus found
F-Prot 3.16f 09.04.2006 no virus found
F-Prot4 4.2.1.29 09.04.2006 no virus found
Ikarus 0.2.65.0 09.04.2006 no virus found
Kaspersky 4.0.2.24 09.05.2006 no virus found
McAfee 4844 09.04.2006 no virus found
Microsoft 1.1560 09.03.2006 no virus found
NOD32v2 1.1739 09.04.2006 a variant of Win32/TrojanDownloader.Zlob
Norman 5.90.23 09.04.2006 no virus found
Panda 9.0.0.4 09.04.2006 no virus found
Sophos 4.09.0 09.05.2006 no virus found
Symantec 8.0 09.04.2006 no virus found
TheHacker 5.9.8.204 09.04.2006 no virus found
UNA 1.83 09.05.2006 no virus found
VBA32 3.11.1 09.04.2006 no virus found
VirusBuster 4.3.7:9 09.03.2006 no virus found


Aditional Information
File size: 97321 bytes
MD5: 0e26f1e751d94be278887760f79a1f53
SHA1: b97d2a39b940eb6457637e20e6d5d454a335943f




--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman