New fake codec malware

May 15, 2009

SonicWALL UTM Research team came across a new Fake codec malware drive-by site posing to contain nude Rihanna video.

The drive-by site was actively serving the malware at the time of posting this alert: | --> http://tumler(REMOVED)/2.html  |  -->   |   --> Mediacodec_v3.7.exe (1,984,538 bytes)   detected as GAV: FakeAlert.BDP (Trojan) 

The downloaded malware executable file looks like:


It performs the following activity on the victim machine:

  • Creates multiple directories including (App Data)PCenter and (Program Files)PCenter.
  • Drops multiple files including (Program Files)PCenteragent.exe and (Program Files)PCenterpc.exe.
  • It adds registry keys to ensure that agent.exe and pc.exe starts every time on system reboot:
    • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunagent.exe = "(Program Files)PCenteragent.exe"
    • HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogonShell = "(Program Files)PCenterpc.exe"
  • It creates following mutex objects to mark its presence on the system:
    • AMResourceMutex2
    • VideoRenderer
  • It sends HTTP request to below URLs:
    • http://194.165.4.(REMOVED)/software_response.php?uid=1235

The screenshots of the drive-by site and the Fake codec Trojan being downloaded are shown below.

Main site posing to host nude Rihanna video:


When user attempts to start the video, it opens a new page asking the user to download a certified ActiveX video codec (VAC codec) to protect content Copyrights. The page looks like below:


If the user clicks on the video frame again then it downloads the malware executable file as seen below:


The Trojan is also known as Win32/Adware.PrivacyComponents [ESET], Trojan.FakeAlert.BDP [BitDefender], and Cryp_FakeAV-12 [Trend Micro].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: FakeAlert.BDP (Trojan) signature.