Sunbeltblog comments

These are probably all repacked 'Zlob' trojan downloaders. They are replaced daily (in fact, twice a day) to evade detection, and in most cases they successfully evade detection by nearly all the AVs.

Some months ago in Italy there was an outbreak of the "vcodecs"; these dropped spam trojans that "recommended" the installation to other people by sending "funny video you have to see" messages to users found in contact lists (very believable messages, as well, meaning they definitely had affiliates in Italy). If I remember correctly this is all garbage related to codeccash(dot)com.


It's true that they change the samples twice a day, but it is also true that they get a new domain nearly every week.

But it's not true that all AVs fail to detect these Zlob trojans. They all use an NSIS installer, and most AVs should detect the DLL on access. But not the "packed" installer when someone just tests it with on-demand scanners on VirusTotal or Jotti.


Yes, many times (at least with KAV) the files are recognized on access when they are missed on a file scan.


Try 7-Zip (>=4.42) to unpack these NSIS installers. And then test the content inside the installer on VirusTotal. So at least some AVs don't support NSIS yet, but most should detect the files inside the installer on access, and that's not so bad at all.
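The procedure recommended above (recognize the NSIS installer, unpack it with 7-Zip, then check the dropped files individually rather than the packed stub), as an added example that is not code from Sunbelt or from any commenter. It relies on the NSIS "firstheader" magic (the little-endian 0xDEADBEEF field followed by "NullsoftInst"), which the NSIS stub itself looks for on 512-byte boundaries of the EXE. The function names, the `7z` binary on PATH and the sample bytes are my assumptions; the sample is a constructed stub, not a real installer.

```python
"""
Added example: spot an NSIS-built installer, extract it with 7-Zip and hash
the embedded files so each can be looked up on VirusTotal on its own.
"""
import hashlib
import shutil
import subprocess
from pathlib import Path

# NSIS firstheader layout: int flags; int siginfo (0xDEADBEEF);
# int nsinst[3] ("Null", "soft", "Inst"); then two length fields.
# The signature therefore sits 4 bytes into the header.
NSIS_SIGNATURE = b"\xef\xbe\xad\xdeNullsoftInst"
NSIS_ALIGNMENT = 512  # the NSIS stub probes the EXE in 512-byte steps


def find_nsis_header(data: bytes) -> int:
    """Return the offset of the NSIS firstheader (its flags field), or -1."""
    sig = data.find(NSIS_SIGNATURE)
    return -1 if sig < 4 else sig - 4


def is_nsis_installer(data: bytes) -> bool:
    """True for a PE whose NSIS firstheader lies on a 512-byte boundary.

    An unaligned hit (e.g. the magic inside a string table) is ignored,
    because the stub would never find it there either.
    """
    if not data.startswith(b"MZ"):
        return False
    off = find_nsis_header(data)
    return off > 0 and off % NSIS_ALIGNMENT == 0


def sha256_bytes(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def sha256_tree(root: Path) -> dict:
    """Map each extracted file (relative path) to its SHA-256 for VT lookups."""
    return {
        str(p.relative_to(root)): sha256_bytes(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def unpack_with_7z(installer: Path, outdir: Path, seven_zip: str = "7z") -> dict:
    """Extract an NSIS installer with 7-Zip (>= 4.42 understands NSIS) and
    return {relative_path: sha256} of the contents.

    Assumes a '7z' binary on PATH (p7zip on Unix); pass seven_zip= otherwise.
    """
    if shutil.which(seven_zip) is None:
        raise FileNotFoundError(f"{seven_zip} not found; install 7-Zip / p7zip")
    outdir.mkdir(parents=True, exist_ok=True)
    # 7z syntax: x = extract with paths, -o<dir> (no space), -y = assume yes
    subprocess.run([seven_zip, "x", str(installer), f"-o{outdir}", "-y"],
                   check=True, stdout=subprocess.DEVNULL)
    return sha256_tree(outdir)


def build_fake_installer() -> bytes:
    """Constructed sample: an 'MZ' stub padded so the firstheader starts at
    offset 2048, as in a real NSIS-built EXE. Not an executable."""
    stub = b"MZ" + b"\x00" * (NSIS_ALIGNMENT * 4 - 2)
    flags = b"\x00\x00\x00\x00"
    return stub + flags + NSIS_SIGNATURE + b"\x00" * 8  # lengths omitted


if __name__ == "__main__":
    sample = build_fake_installer()
    print("NSIS header at", find_nsis_header(sample), "->", is_nsis_installer(sample))
```

Run it against a suspected codec installer with `unpack_with_7z(Path("installer.exe"), Path("out"))` and submit the resulting hashes or files individually; the packed stub and the dropped DLL are different objects and scanners treat them differently, which is the point the comment above makes.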


Micha, I unpacked the latest Mediacodec trojan and sent the content to VirusTotal. Only Antivir, Avast, Sophos and Symantec identified it. Definitely not very good.


Also, KAV does have NSIS unpacking capabilities, and if I remember correctly the identification of these trojans I've seen on access is done not through signature but through the proactive defense module.


Hm, okay. Last time I tested it was definitely a more positive result. But how many scanners were able to detect the packed installer? But yes, it's a pity. The bad guys could tweak their creations as long as no scanner would detect something and then release it in the wild. In this case it is a good practice to block access to these Zlob pages.

From my point of view, most of them are distributed by adult movie web sites.


Yeah, I believe the best practice is to completely block access to these sites.
Still, if you think about it, these clowns are just ruining the "codec" developers' job. Many people I know (at least the ones who have heard of these fake trojan-codecs) don't even trust downloading any video compressors anymore unless they are the well-known XviD and DivX.

It's just depressing, and as usual nobody's going after these criminals at all.


I wish we would see more enforcement action against scumbags like these. I would love to see these fake codec idiots get nailed.


Part of the problem here is that even when they get prosecuted the penalty is some of their time in court and then a fine that sounds pretty hefty. Is the fine relative to the profits they've made out of the misery suffered by infected victims?



Commenting by HaloScan