Sunbeltblog comments

Just out of interest, Patrick Jordan, when I download the Codec what actually happens? Some fake toolbar or some rogue anti virus pops up?


When you install a codec which is actually a trojan download installer, it will change your home page to one of the current security scam sites used, like iupdate.com. It produces unwanted popups to sell rogue security software or open porn content type pages like adultfriendfinders.com.

The codecs also install one of the Anti-spyware rogues, currently spywarequake and virusburst. They give false positives along with alert bubbles to scare users into buying their software; they own the online billing sites used, so you would be giving your credit card number to the same people who infected you.

Patrick Jordan
Senior Malware Research


Just wanted to add to that description that Codecs can also be installed directly from a porn site when watching a video.

For example the video file will open but there will be no picture, just the sound. It's like a tease... you can hear it but can't see it unless you download the magic codec.

Then, it's en route to pop ups land.


Jerome: and of course, the 'codec' isn't a codec - at most you get an ActiveX control that sites can use to sniff whether the machine is infected or not.

Note that some versions of the "codec" display an end-user licence agreement. However, before you agree (or disagree) to the terms, the trojan parts of the payload are already installing behind your back.

Another way of getting the trojans is by browsing porn sites run by the same VCodec group and other affiliates, which redirect to browser security hole exploits that install the stuff silently and automatically.

PS. Another one: imcodec.com. Esthost must be making a lot of money registering all those domains for these jokers...


"PS. Another one: imcodec.com. Esthost must be making a lot of money registering all those domains for these jokers.."

My thoughts exactly. Esthost/InterCage are hosting the sites, and their sister company Estdomains is the domain registrar. It's quite the racket if you ask me. /rolls eyes

http://whois.domaintools.com/med...om/ medcodec.com

Search Results for 69.50.188.108 [reverse DNS - 69-50-188-108.esthost.com]

imcodec.com
medcodec.com
powercodec.com


Here's some more:

clusif.free.fr
strcodec.be.cx
videosaccess.net
videoscodec.com
mscodec.com


I found these sites with gromozon trojan exploits:
http://11.altraparte.com/sfondos...stemaoperativi/
http://2.ancormimise.org/pacmaniagioco/
Please close these sites. Thanks


Just add these sites directly into your hosts file like I did.


These are not the only type of sites. There are also the Mega-codec installers that install tons of codecs on your computer - there are two of them that are nothing but virus/trojan installers. Also the "free screensavers", the "free smiley faces" and "free java games" are also all virus/trojan installers as well.

And finally - Microsoft themselves distributes a virus with Windows as part of SAPI 5.0 - one of the executables is a trojan, and the other is an email mailer worm.

I wish I still had the names of those mega codec packs that had the viruses in them, but I deleted them after reporting them to Sunbelt.

