
General installation of Fake Codecs, or ... how to get screwed the easy way

Generally, the problems start like this.

You find a movie clip which you want to see ... however, upon opening the clip, it is not shown. Instead, you get a message that WMP can't find the right codec and that you have to download and install it before you can watch the movie.

(Needless to say, the whole message, including the WMP image, is as fake as the codec itself.)

[Image: fakeWMP.jpg]

Another sure way to get infected is downloading the fake codec from its home-site.
Obviously, whatever site you look at, and whichever fake codec you come across (and the chance you do, sooner or later, is not imaginary), they are all 'the best' at what they claim to do ...

I'm sure they all do their best at something ... but showing a movie is not what they are great at.

Here are some examples of home-sites of fake codecs.

[Images: obj11geo11pg1p20.jpg, obj14geo14pg1p20.jpg]

As I already blogged here (English) and here (Dutch), these fake codecs work on our natural curiosity.

Until now, I haven't come across a fake codec that downloaded itself.

Instead, they wait, like a spider in its web, for those of us who are really compelled to see that movie (or are just ignorant enough to download a codec from its home-site ...).

They often even try to justify the garbage they install on the infected computer.

[Image: eula2.jpg]

Okay ... back to the events at hand, if you decide to take your chances and install the fake codec.

In case you download the file from the home-page of the fake codec, it will just be downloaded.

You will have to start the installation yourself ... 

However, if you install the codec from a fake Windows Media Player message, the installation will start immediately!

[Images: obj20geo20pg1p20.jpg, obj23geo23pg1p20.jpg]

The image on the right tells its tale ... both Spyberus and Ewido (which, in my case, are sometimes installed to watch the secret installation of the trojans and other malware) will show security warnings. In some cases there were even 3 alerts.

So, it's safe to say that, as soon as you click "Install", there is no way back.

The first thing most fake codecs do is infect your computer with their load of trojans!

After the installation of the fake codec is finished, the changes in Windows are quite obvious ...

The computer has a brand new virus scanner, which will start scanning immediately, often even before the installation of the fake codec has been completed!

[Image: vb_infected.jpg]

Because the malware scanner (in this case VirusBurst) is as fake as the codec itself, it will find numerous malware items ... some are real, some are fake. You can be sure, however, that most (if not all, as in the image above) of the trojans it finds that really are on your computer were dropped by the fake codec.

Another obvious change is the homepage of your Internet Explorer ... it will point to a different site than you're used to.

At this moment, theuptodatesafety.com is the most popular.

[Image: NewStartpage.jpg]

... and then, just when you start to think that you're not too badly screwed, the popups start to show up ... all the time ...

[Images: RoguePopup6.jpg, RoguePopup1.jpg, RoguePopup2.jpg, RoguePopup3.jpg, RoguePopup4.jpg, RoguePopup5.jpg]

By now, you just know that you're screwed ... and your computer is infected ... the bad way!

jahewi, Sept. 27, 2006

Mirrored with permission - Content edited to correct spelling errors.



Content Copyright 2006-2008 - MalwareTeks