Wondering how people get to these bogus security sites and download junk like SpyAxe?
Patrick Jordan and Adam Thomas on our spyware research team have been investigating Vcodec.com. The site offers a program that it describes this way: “VCodec v3.05b is new generation multimedia compressor/decompressor which registers into the Windows collection of multimedia drivers…”
This is a bogus video utility. The file, VideoCodec3_05b, is a trojan which then starts the scam about “Your computer is infected!”.
I ran this through VirusTotal and here are the results (“No virus found” means the scanner did not detect the file as a trojan):
—————————————————————————————————
This is a report processed by VirusTotal on 12/14/2005 at 23:23:24 (CET) after scanning the file “VideoCodec3_05b.exe” file.
Antivirus | Version | Update | Result |
Kaspersky | 4.0.2.24 | 12.14.2005 | Trojan-Downloader.Win32.Zlob.cu |
NOD32v2 | 1.1322 | 12.14.2005 | probably a variant of Win32/TrojanDropper.Small.NCU |
CAT-QuickHeal | 8 | 12.13.2005 | (Suspicious) – DNAScan |
AntiVir | 6.33.0.61 | 12.14.2005 | no virus found |
Avast | 4.6.695.0 | 12.14.2005 | no virus found |
AVG | 718 | 12.14.2005 | no virus found |
Avira | 6.33.0.61 | 12.14.2005 | no virus found |
BitDefender | 7.2 | 12.14.2005 | no virus found |
ClamAV | devel-20051108 | 12.12.2005 | no virus found |
DrWeb | 4.33 | 12.14.2005 | no virus found |
eTrust-Iris | 7.1.194.0 | 12.14.2005 | no virus found |
eTrust-Vet | 12.3.3.0 | 12.14.2005 | no virus found |
Fortinet | 2.54.0.0 | 12.14.2005 | no virus found |
F-Prot | 3.16c | 12.13.2005 | no virus found |
Ikarus | 0.2.59.0 | 12.14.2005 | no virus found |
McAfee | 4650 | 12.14.2005 | no virus found |
Norman | 5.70.10 | 12.14.2005 | no virus found |
Panda | 8.02.00 | 12.14.2005 | no virus found |
Sophos | 4.00.0 | 12.14.2005 | no virus found |
Symantec | 8 | 12.14.2005 | no virus found |
TheHacker | 5.9.1.055 | 12.14.2005 | no virus found |
VBA32 | 3.10.5 | 12.14.2005 | no virus found |
—————————————————————————————————
So, only Kaspersky (no surprise), NOD32 and CAT-QuickHeal are catching it.
Put this one on your blocklist. Hopefully AV vendors will get signatures out very soon.
Alex