Wanna Watch Videos? Watch out, it's a worm!
Tuesday December 12, 2006 at 9:55 am CST
Posted by Bhaskar Krishna
As we know, many websites offer celebrity videos for free, and their viewers are mostly youngsters.
Here we have a webpage “www(dot)leaked[REMOVED]videos(dot)com” which, judging by its title, appears to have a large collection of celebrity videos. The user visits the site, follows the instructions, and ends up installing a worm instead of watching celebrity videos.
The webpage displays “Windows Media Player cannot play video file. Click here to download missing Video ActiveX Object” attempting to get the user to install “missing plugins” for Media Player as shown below:

If the user clicks on the (Click Here) hyperlink in the browser, they will end up downloading a program called mpg2-3.0.1.exe, as shown below:

Upon execution, mpg2-3.0.1.exe displays the fake error message box shown below and installs a worm called Nugache.

We caution all internet users against the fake online video sites they may come across while surfing the web, as we continue to protect our customers against such social engineering attacks.
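The lure described above pairs "missing codec/ActiveX" wording with a link to an executable, so a proxy or crawler can flag a page on that combination without relying on a file signature. The following is an added example, not code from the original post; the phrase variants, the extension list, the function names and both sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases typical of the "missing codec" lure; the first pattern covers the
# wording quoted in the post, the rest are assumed variants.
LURE_PATTERNS = [
    re.compile(r"cannot play (the )?video", re.I),
    re.compile(r"missing\s+(video\s+)?(activex|codec|plug-?in)", re.I),
    re.compile(r"download\s+.{0,40}(activex|codec|plug-?in)", re.I),
]
EXECUTABLE_EXT = (".exe", ".scr", ".msi")  # assumed list of risky extensions


class LureScanner(HTMLParser):
    """Collects visible text and link targets from one HTML page."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_data(self, data):
        self.text.append(data)


def scan_page(html):
    """Return (is_suspicious, matched_phrases, executable_links)."""
    scanner = LureScanner()
    scanner.feed(html)
    text = " ".join(" ".join(scanner.text).split())
    phrases = [m.group(0) for p in LURE_PATTERNS if (m := p.search(text))]
    # Compare the URL path only, so query strings do not hide the extension.
    exe_links = [h for h in scanner.links
                 if urlparse(h).path.lower().endswith(EXECUTABLE_EXT)]
    # Flag only when lure wording and an executable download co-occur.
    return bool(phrases and exe_links), phrases, exe_links


# Constructed sample pages (not captured from the site in the post).
LURE_PAGE = """<html><body><p>Windows Media Player cannot play video file.
<a href="/files/mpg2-3.0.1.exe?id=7">Click here</a> to download missing
Video ActiveX Object</p></body></html>"""
BENIGN_PAGE = """<html><body><p>Our player cannot play video on old browsers.
<a href="/help/formats.html">Supported formats</a></p></body></html>"""
```

The benign sample matches one phrase but links to no executable, so it is not flagged; requiring both conditions keeps ordinary help pages out of the results.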

December 12th, 2006 at 11:02 am
SiteAdvisor users should pay attention to the user comments at any websites that seem to offer something for free, whether it’s videos, screensavers, smilies, wallpaper, etc. SiteAdvisor is a free download from McAfee:
http://www.siteadvisor.com
From studying these types of sites, I’ve found that the bad guys repack their malware very, very frequently (sometimes several times a day) to evade direct signature detection by antivirus vendors. So DO NOT assume that a lack of a virus alert from your antivirus software means that the download is safe.
December 12th, 2006 at 9:39 pm
This is a very helpful article.
We always assumed that it was installing a video codec, but in the background it was installing a worm.
Thanks for your article.
December 13th, 2006 at 10:31 am
Recently, my favorite forum has also been spammed with a similar site; the spammers tried to post those messages in the forum.
Interestingly, they posted Britney Spears nude photos and provided a link to watch the video, which is in fact a malicious file that infects the user's machine.
Users should practice some security measures in order to combat these social engineering attacks nowadays.
I’m worried that a similar trick will continue to exist and will be applied by cell phone malware creators to trick users into downloading the malicious application onto their phones. Like last time, they created a theme with a celebrity nude photo and the innocent user is aware that it contains malicious components inside which will carry out malicious acts. We call it a DoomBoot variant.
Users are advised to get rid of those suspicious files.
January 6th, 2007 at 12:28 pm
[…] Trackback As per my previous blog, many websites offer free video online in an attempt to install malware on users’ systems without their knowledge. Here we have one more which claims to offer a Video Access ActiveX Object (VAX), which is a new way to access free multimedia content on the Internet. The webpage attempts to look more professional by including information like an introduction to ActiveX, EULA and download link as shown below. […]
February 6th, 2007 at 1:05 pm
Extremely good advice. You offer a valuable service w/this security research site. Please keep up the good work.
March 8th, 2007 at 12:38 am
Almost clicked on it cause I really wanted to see the videos and it seemed legit, but screen looked exactly as described and signature website doesn’t exist, or has restricted access, so I had to type in parts of the message to finally pull up this info on the high risk. Thank you for the safety net.
July 3rd, 2007 at 5:40 pm
[…] Be careful when watching online videos, especially when they ask you to install a certain codec to watch the video. By default, your mediaplayer should already have the necessary codecs installed to watch online videos. In case you’re prompted to install an additional codec while trying to watch a movie online, it may be a false alert and this so called codec may install malware. More info here and here. […]
September 14th, 2007 at 6:05 am
Thanks for your attention, to tell the truth.
September 26th, 2007 at 10:59 am
[…] Be careful when watching online videos, especially when they ask you to install a certain code to watch the video. By default, your media player should already have the necessary codes installed to watch online videos. In case you’re prompted to install an additional code while trying to watch a movie online, it may be a false alert and this so called code may install malware
October 29th, 2007 at 6:00 am
As it puts you in a loop, how do you get the boxes off the screen without going to Control, Alt, Delete?
December 4th, 2007 at 10:54 am
r the tip about fake videos, but how can I get the copy of the active video object so I can watch films etc.? Because I don’t know what I’m looking for and what would help to run my film CDs if I don’t get the right item. I would be grateful for your help. And where could I get the free download from?
December 12th, 2007 at 1:15 pm
Hmm.. Seems it’s more than just the ‘Zlob’ trojan that is being advertised through “codecs”. This is the first IRC (Internet Relay Chat) bot I have seen infecting users with this particular form of social engineering.
December 29th, 2007 at 12:12 am
I was about to download it, then thought something was suspicious. So I searched for it and got some information regarding it from avertlabs.com. Thanks for cautioning me.
February 14th, 2008 at 6:33 am
I found this info very useful, but unfortunately after getting my PC infected with one of the worms downloaded to my PC in the same fashion… installing a so-called missing codec from xtube.com