VideoAccessCodec Revisited
Searching Google for "emergency cooking substitution" gives a list of bulletin boards that have been blighted by these codec mongers. I picked www.shimon.net, which gives me this warning. (I wonder who the "trusted source" is.)
But I want to run this thing on a Windows 2000 computer (called "Baal") instead. On Win2K I am not given this particular warning. After allowing scripts ("marked safe") a few times, I get an ominous warning saying to insert the Windows 2000 installation disk into the CD drive, as system files have to be copied back to ensure proper functioning of my computer. There's no time for this, not even time for a screenshot, because the computer is already rebooting...
Something has been downloaded from vipasotka.com (/adw_files/5039/9830841b/install/exe?id=1 to be precise). Baal has contacted "activex.windowsmedia.com.akadns.net" to POST "/objects/ocget.dll" but this gets a "Not Found" response. I don't know what the relevance of this is. Probably it has to do with Windows 2000 being no longer supported.
After the reboot I have a new process running called "braviax.exe" located in the system32 directory. Another copy of this has been placed in the WINNT directory, and another in the TEMP directory. Another new file is cru629.dat. And I have a new entry in the auto startup list called jmvs.exe. I have a modified "beep.sys" (gone from 4 KB to 31 KB) in the system32\drivers folder and the dllcache folder. Presumably this is what Windows was warning about before the reboot.
To complete the list of added files: there's a "delself.bat" on the desktop and in the c: directory, which says to delete jmvs.exe from C:\Documents and Settings\All Users.WINNT\Start Menu\Programs. There's univrs32.dat and winivstr32.exe, both in system32.
However, the most noticeable thing is a big red x in the systray and a new balloon popping up telling me that my computer is infected! With spyware! No kidding, Sherlock!
So much for the promise of a codec to view bare-bottomed Russian beauties...
Removal, quickly
Nastily enough, this process hides itself from the Windows task manager, as well as Sysinternals' Process Explorer. This makes removal a little bit more of a pain, but it can still be done. The two beep.sys files can be renamed. Rename as many of the others as possible. I always stick ".virus" at the end of the existing filename, which makes it easy to round them up at the end by searching for this extension. The cru629.dat is in use, so change the permissions so that the users Administrator and SYSTEM are not allowed to execute it. Search the registry for braviax and cru, and delete all keys referring to them. Now reboot. The virus doesn't start, but the cru629 file is still in use. Go through the registry again, searching for cru. Delete the key referring to it, and reboot again. Now it is possible to delete the cru thing. End of virus. (I didn't actually click on the red x to install anything; I'm told that doing this brings in a lot more nastiness...) (Oh, and if you have an install disk, you can extract a new beep.sys from there. Wouldn't want your computer not to be able to beep now, would you?)
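As an added example (not from the original post), here is a Python sweep that encodes the indicators listed above: the dropped file names and locations, the oversized beep.sys, and registry values naming braviax or cru629. The inventory and registry dump it runs on are constructed; sizes are made up, and the registry key holding the cru629 reference is a placeholder, since the post doesn't say which key it was.

```python
"""Indicator sweep for the braviax / cru629 infection described above.

Added example, not from the original post. File names, locations and the
beep.sys size change come from the post; the sample inventory and registry
dump below are constructed so the matcher runs offline.
"""
import os
import re
from typing import Dict, Iterable, List, Tuple

# Dropped files with a known location (relative to the system drive).
DROPPED_PATHS = {
    r"winnt\system32\braviax.exe",
    r"winnt\braviax.exe",
    r"winnt\system32\cru629.dat",
    r"winnt\system32\univrs32.dat",
    r"winnt\system32\winivstr32.exe",
    r"delself.bat",
}
# Names flagged wherever they turn up (TEMP, desktop, the Start Menu entry).
DROPPED_NAMES = {"braviax.exe", "jmvs.exe", "delself.bat"}
# The stock beep.sys is about 4 KB; the replaced driver was 31 KB.
BEEP_SYS_MAX_BYTES = 8 * 1024
# Registry data or value names that point at the dropped binaries.
REGISTRY_PATTERN = re.compile(r"braviax|cru629", re.IGNORECASE)


def _relative(path: str) -> str:
    """Lower-case, backslash-normalise and drop the drive letter."""
    norm = path.replace("/", "\\").lower()
    if ":" in norm:
        norm = norm.split(":", 1)[1]
    return norm.lstrip("\\")


def scan_files(inventory: Iterable[Tuple[str, int]]) -> List[str]:
    """Flag dropped files and an oversized beep.sys in (path, size) pairs."""
    findings = []
    for path, size in inventory:
        rel = _relative(path)
        name = rel.rsplit("\\", 1)[-1]
        if rel in DROPPED_PATHS or name in DROPPED_NAMES:
            findings.append(f"dropped file: {path}")
        elif name == "beep.sys" and size > BEEP_SYS_MAX_BYTES:
            findings.append(f"oversized beep.sys ({size} bytes): {path}")
    return findings


def scan_registry(values: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Flag (key, value name, data) triples that reference braviax or cru629."""
    return [
        f"registry: {key}\\{name} = {data}"
        for key, name, data in values
        if REGISTRY_PATTERN.search(name) or REGISTRY_PATTERN.search(data)
    ]


def sweep(inventory, registry) -> Dict[str, List[str]]:
    """Run both scans and return the findings grouped by source."""
    return {"files": scan_files(inventory), "registry": scan_registry(registry)}


def walk_inventory(root: str) -> List[Tuple[str, int]]:
    """Build a (path, size) inventory of a live drive for scan_files()."""
    inventory = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                inventory.append((full, os.path.getsize(full)))
            except OSError:
                pass  # locked or vanished files are skipped, not fatal
    return inventory


# Constructed sample data mirroring the post's findings (sizes are made up).
SAMPLE_FILES = [
    (r"C:\WINNT\system32\braviax.exe", 8000),
    (r"C:\WINNT\braviax.exe", 8000),
    (r"C:\WINNT\Temp\braviax.exe", 8000),
    (r"C:\WINNT\system32\cru629.dat", 12000),
    (r"C:\WINNT\system32\drivers\beep.sys", 31 * 1024),
    (r"C:\WINNT\system32\dllcache\beep.sys", 31 * 1024),
    (r"C:\WINNT\system32\kernel32.dll", 700000),  # benign, must not match
    (r"C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\jmvs.exe", 5000),
    (r"C:\delself.bat", 120),
    (r"C:\Documents and Settings\Administrator\Desktop\delself.bat", 120),
    (r"C:\WINNT\system32\univrs32.dat", 3000),
    (r"C:\WINNT\system32\winivstr32.exe", 40000),
]
SAMPLE_REGISTRY = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "jmvs",
     r"C:\WINNT\system32\braviax.exe"),
    # Placeholder key: the post only says a key "referring to cru" existed.
    (r"HKLM\SOFTWARE\PLACEHOLDER-KEY", "loader", r"C:\WINNT\system32\cru629.dat"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Synaptics",
     r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"),  # benign
]

if __name__ == "__main__":
    for source, hits in sweep(SAMPLE_FILES, SAMPLE_REGISTRY).items():
        print(f"{source}: {len(hits)} finding(s)")
        for hit in hits:
            print("  " + hit)
```

On a live machine, feed `walk_inventory("C:\\")` to `scan_files()` and a registry export (for instance parsed from a `.reg` dump into (key, name, data) triples) to `scan_registry()`; the size threshold on beep.sys is a heuristic that catches the replaced driver without knowing its hash.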
Examination: What the hell is this thing?
There is something quite ironic about masquerading a virus as an anti-virus, and then charging someone for the pleasure of running it. Even more so since one of the ways to get this virus is by clicking on links promising "free" pornography on YouTube. But then these links, posted on bulletin boards, are propagating themselves by using search terms such as "carribean family cruises," "review for game boy advanced" and "gross national product of Germany" and the like. Hardly the search fare of a hot-headed whore hunter...
Actually one of the phrases posted over and over is "home infant made toy" so I typed this into Google. This gives two pages of results, showing which bulletin boards don't vet their postings. Opening a few shows that one enthusiastic perpetrator of this scam is known by the moniker "Amiranuraskirtase" which sounds obscure enough to do a search for. This leads to a list of boards this individual has been posting on. For example, team-300.net, where he has clocked in 1808 posts which works out at 67.90 posts per day. And iprong.com: 1516 posts, 56.15 posts per day. There's more like that, so Amiranuraskirtase is a busy chappie indeed. He/she/it professes to reside in the US of A, work in the insurance industry, and have an interest in the performing arts. Sweet. All these posts are cut-and-paste jobs. One board, theasylum.cc, doesn't show the images, only the URL. This leads to http://hutchinsonkansasnewspapers.net/images-hosting/2.jpg and 4.jpg and 7.jpg and so forth.
This is not your regular image hosting, however. Stripping the URL down to bare bones leads to an immediate attempt at installing yet more "anti-virus". The first window pretends to be scanning my hard drive, which is followed by the "result": I am loaded with the buggers! Weirdly enough the lengths of the scroll bars don't match. I will ignore the insult to my (admittedly limited) intelligence that is the "ENCRYPTED Secure site" thing there. Pfff.
Now I have to install something to get rid, of course. This time the choice is "Vista Antivirus 2008" and it's FREE! Wow. How generous of them.
The whois information about this site:
[root@test ~]# whois hutchinsonkansasnewspapers.net
Domain Name: HUTCHINSONKANSASNEWSPAPERS.NET
Registrant:
Creation Date: 27-Feb-2008
Domain servers in listed order:
Administrative Contact:
Technical Contact:
Billing Contact:
Status: ACTIVE
The download of the anti-virus virus has to come from http://scanner.vav-scanner.com/. This is registered by one "Leonid Sherbakov" who seems to be an athlete and probably unaware of his exploits in this market. His email address is given as selevitenterprises@gmail.com. However, the actual server is in Frankfurt, Germany. The actual setup.cab is small, weighing in at only 22 KB, and consists of two files: setup.inf and setup.dll.
selevitenterprises@gmail.com doesn't give any results in Google, but selevitenterprises does. The website http://selevitenterprises.com/ is used to peddle more anti-virus-virus, and is also registered by "Leonid" at gmail.
A little bit of searching reveals absolutely hundreds of semi-interconnected domains, registrants, sites, servers... All waiting to show off porn that won't work without the anti-virus codec :-). It's a seedy underworld-wide-web there with fake bulletin boards containing thousands of posts linking to hundreds of websites. In fact, it's dazzling before my eyes now. And I still haven't seen any pricing structure for this darned Vista Anti Virus thing.
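The pivoting done in the last few paragraphs (registrant email to further domains, domains to further registrants) is the kind of thing worth scripting once the list runs to hundreds. Below is an added Python example, not from the original post, that parses whois records into fields and groups domains that share a registrant email, registrant name or name server. The records are constructed: the registrant details for vav-scanner.com and selevitenterprises.com are the ones the post reports, but the name servers, the link from hutchinsonkansasnewspapers.net (whose real record showed blank fields) and the fourth domain are placeholders.

```python
"""Pivoting on shared whois fields to group related domains.

Added example, not from the original post. Records are constructed: only the
registrant name and e-mail for vav-scanner.com and selevitenterprises.com are
taken from the post; name servers and the other domains are placeholders.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Fields whose shared values are treated as a link between two domains.
PIVOT_FIELDS = ("Registrant Email", "Registrant Name", "Name Server")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Parse 'Key: value' lines into a dict of lists (repeated keys allowed)."""
    record = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip(), value.strip()
        if value:  # blank fields, as in the post's whois output, are dropped
            record[key].append(value.lower())
    return dict(record)


def cluster_domains(records: Dict[str, str]) -> List[Set[str]]:
    """Group domains sharing any pivot value (union-find connected components)."""
    parent = {domain: domain for domain in records}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        parent[find(a)] = find(b)

    seen: Dict[tuple, str] = {}  # (field, value) -> first domain carrying it
    for domain, text in records.items():
        parsed = parse_whois(text)
        for field in PIVOT_FIELDS:
            for value in parsed.get(field, []):
                first = seen.setdefault((field, value), domain)
                if first != domain:
                    union(domain, first)
    groups = defaultdict(set)
    for domain in records:
        groups[find(domain)].add(domain)
    # Largest cluster first, then alphabetical, so the output is deterministic.
    return sorted(groups.values(), key=lambda g: (-len(g), sorted(g)))


# Constructed whois records (see the module docstring for what is real).
SAMPLE_RECORDS = {
    "vav-scanner.com": """Domain Name: VAV-SCANNER.COM
Registrant Name: Leonid Sherbakov
Registrant Email: selevitenterprises@gmail.com
Name Server: NS1.PLACEHOLDER-HOSTER.EXAMPLE""",
    "selevitenterprises.com": """Domain Name: SELEVITENTERPRISES.COM
Registrant Name: Leonid
Registrant Email: selevitenterprises@gmail.com
Name Server: NS2.OTHER-PLACEHOLDER.EXAMPLE""",
    # Constructed link: the post's whois for this domain showed blank fields.
    "hutchinsonkansasnewspapers.net": """Domain Name: HUTCHINSONKANSASNEWSPAPERS.NET
Registrant:
Creation Date: 27-Feb-2008
Name Server: NS1.PLACEHOLDER-HOSTER.EXAMPLE""",
    "unrelated-site.example": """Domain Name: UNRELATED-SITE.EXAMPLE
Registrant Email: nobody@unrelated.example
Name Server: NS.UNRELATED.EXAMPLE""",
}

if __name__ == "__main__":
    for group in cluster_domains(SAMPLE_RECORDS):
        print(", ".join(sorted(group)))
```

Registrant email, registrant name and name server are the three fields that tend to survive across a batch of bulk-registered domains; treating any shared value as an edge and taking connected components turns a pile of whois lookups into a handful of clusters, which is what the "hundreds of semi-interconnected domains" remark above describes by hand.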
Interesting side-note: all these webservers are running nginx (http://www.nginx.net/). (http://royal.pingdom.com/?p=277)