We have detected a new URL promoting various malicious “codec” binaries.
Update Here (7/30/08)
URL: hxxp://winxp-antivirus.com (Proceed at your own risk)
The first site we were redirected to prompted us to download wmcodec_upgrade.exe and upon running that the following files were created:
C:\WINDOWS\system32\RichVideoCodec.dll
C:\Program Files\RichVideoCodec\escan.exe
C:\Program Files\RichVideoCodec\InstallRegerLib.dll
C:\DOCUME~1\User\LOCALS~1\Temp\nsw8.tmp\System.dll
Source: SunBelt Sandbox
VirusTotal: Result: 6/35 (17.14%)
Upon reloading winxp-antivirus.com we were redirected over to porntubev20.com and prompted to download a codec to watch pornography clips.
The codec file for porntubev20.com pointed to hxxp://codechost.com/codecpack.v.1.0.89.exe
VirusTotal: Result: 11/35 (31.43%) (3 suspicious)
You may see a video of our encounter here: (Pornography omitted)
I feel that I should tell you the porn that was censored out was Not censored out on the very last frame, so when the video ends, and says ‘Replay,’ you see a great shot of NSFW material.
Also, what programs do you use for you screen capturing and editing?
Thank you for bringing it to my attention. I have replaced the video with a newer version that does not have the NSFW last frame.
I am using Camtasia Studio by TechSmith to capture and edit video.