New fake codec malware (May 15, 2009)

SonicWALL UTM Research team came across a new Fake codec malware drive-by site posing to contain nude Rihanna video.

The drive-by site was actively serving the malware at the time of posting this alert:

 www.scribd.com/(REMOVED)/Rihanna-nude | --> http://tumler(REMOVED)/2.html  |  --> http://xtube-host.com/(REMOVED)Mediacodec_v3.7   |   --> Mediacodec_v3.7.exe (1,984,538 bytes)   detected as GAV: FakeAlert.BDP (Trojan) 

The downloaded malware executable file looks like:

It performs the following activity on the victim machine:

• Creates multiple directories including (App Data)PCenter and (Program Files)PCenter.
• Drops multiple files including (Program Files)PCenteragent.exe and (Program Files)PCenterpc.exe.
• It adds registry keys to ensure that agent.exe and pc.exe starts every time on system reboot:
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunagent.exe = "(Program Files)PCenteragent.exe"
• HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogonShell = "(Program Files)PCenterpc.exe"
• It creates following mutex objects to mark its presence on the system:
  • AMResourceMutex2
  • VideoRenderer
• It sends HTTP request to below URLs:
  • http://194.165.4.(REMOVED)/software_response.php?uid=1235
  • http://privacyupdate447.com/avail

The screenshots of the drive-by site and the Fake codec Trojan being downloaded are shown below.

Main site posing to host nude Rihanna video:

When user attempts to start the video, it opens a new page asking the user to download a certified ActiveX video codec (VAC codec) to protect content Copyrights. The page looks like below:

If the user clicks on the video frame again then it downloads the malware executable file as seen below:

The Trojan is also known as Win32/Adware.PrivacyComponents , Trojan.FakeAlert.BDP , and Cryp_FakeAV-12 .

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: FakeAlert.BDP (Trojan) signature.