Wondering how people get to these bogus security sites and download junk like SpyAxe?
Patrick Jordan and Adam Thomas on our spyware research team have been investigating Vcodec.com. The site offers a program that it describes this way: “VCodec v3.05b is new generation multimedia compressor/decompressor which registers into the Windows collection of multimedia drivers…”
This is a bogus video utility. The file, VideoCodec3_05b, is a trojan that then starts the “Your computer is infected!” scam.
I ran this through VirusTotal and here are the results (“No virus found” means the scanner did not detect the file as a trojan):
—————————————————————————————————
This is a report processed by VirusTotal on 12/14/2005 at 23:23:24 (CET) after scanning the file “VideoCodec3_05b.exe” file.
| Antivirus | Version | Update | Result |
| --- | --- | --- | --- |
| Kaspersky | 4.0.2.24 | 12.14.2005 | Trojan-Downloader.Win32.Zlob.cu |
| NOD32v2 | 1.1322 | 12.14.2005 | probably a variant of Win32/TrojanDropper.Small.NCU |
| CAT-QuickHeal | 8 | 12.13.2005 | (Suspicious) – DNAScan |
| AntiVir | 6.33.0.61 | 12.14.2005 | no virus found |
| Avast | 4.6.695.0 | 12.14.2005 | no virus found |
| AVG | 718 | 12.14.2005 | no virus found |
| Avira | 6.33.0.61 | 12.14.2005 | no virus found |
| BitDefender | 7.2 | 12.14.2005 | no virus found |
| ClamAV | devel-20051108 | 12.12.2005 | no virus found |
| DrWeb | 4.33 | 12.14.2005 | no virus found |
| eTrust-Iris | 7.1.194.0 | 12.14.2005 | no virus found |
| eTrust-Vet | 12.3.3.0 | 12.14.2005 | no virus found |
| Fortinet | 2.54.0.0 | 12.14.2005 | no virus found |
| F-Prot | 3.16c | 12.13.2005 | no virus found |
| Ikarus | 0.2.59.0 | 12.14.2005 | no virus found |
| McAfee | 4650 | 12.14.2005 | no virus found |
| Norman | 5.70.10 | 12.14.2005 | no virus found |
| Panda | 8.02.00 | 12.14.2005 | no virus found |
| Sophos | 4.00.0 | 12.14.2005 | no virus found |
| Symantec | 8 | 12.14.2005 | no virus found |
| TheHacker | 5.9.1.055 | 12.14.2005 | no virus found |
| VBA32 | 3.10.5 | 12.14.2005 | no virus found |
—————————————————————————————————
So, only Kaspersky (no surprise), NOD32 and CAT-QuickHeal are catching it.
Put this one on your blocklist. Hopefully AV vendors will get signatures out very soon.
Alex