Saturday, March 01, 2008

WebVideoSetup and Multimedia Decoder

This is an interesting piece of malware! The Multimedia Decoder, as the name suggests, disguises itself as a video codec. The installer of this fake codec is named as WebVideoSetup.exe. Here's a screenshot of a webpage which drops WebVideoSetup:



When the installer is executed, it downloads a DLL and registers it as an Internet Explorer BHO (with GUID {7CF52009-F408-49AE-BBCB-6279CB53BB42}). This DLL is named as wmpdxm.dll and is dropped to %WINDIR% directory. This file should not be confused with the genuine wmpdxm.dll which is a Microsoft Windows Media Player extension and is located in %SYSDIR% directory.



The fake wmpdxm.dll is poorly detected and only 5 AVs at VirusTotal managed to detect this. Here's a report from VirusTotal scan:
F-Prot - W32/Banload.E.gen!Eldorado
Ikarus - Trojan-Downloader.Delf.OGX
Microsoft - Trojan:Win32/Delflob.I
Sophos - Mal/Emogen-N
Sunbelt - Trojan-PSW.Win32.Hooker.24.c (vf)


Detections for the installer WebVideoSetup.exe is comparatively better:
AntiVir - DR/Delphi.Gen
BitDefender - Trojan.Delf.OXW
DrWeb - Trojan.DownLoader.12890
eSafe - Suspicious File
eTrust-Vet - Win32/Burgspill!generic
F-Prot - W32/Heuristic-MU3!Eldorado
F-Secure - Suspicious:W32/Malware!Gemini
Ikarus - Trojan-Downloader.Codec.C
Microsoft - Trojan:Win32/Delflob.I
Panda - Suspicious file
Sophos - Mal/DelpDldr-E
Webwasher Gateway - Trojan.Dropper.Delphi.Gen


On a side note, the creators of this malware seem to hate Steven Spielberg for some unknown reason! However, they got his name wrong. Check out this screenshot to know more!

0 Comments:

Post a Comment

<< Home