Wednesday, 17 October 2007

... and fake VIDEO PLAYERS

Just as there are fake VIDEO CODECS, there are also fake VIDEO PLAYER programs.
One of the best known is 3wPlayer, to which even Wikipedia devotes an article.
Wikipedia describes it as "3wPlayer is a rogue media player software application bundled with trojans ...".
This is the 3wPlayer website:


Polished graphics and plenty of links to FAQs, advice on how to install the software, and reassurances that the program contains no malware.
Too bad that a simple VirusTotal scan of the file 3wPlayer-1.7.0.0-setup-0601.exe already shows a very different picture:
---------------------------------------------------------------------------------------------
Complete scanning result of "3wPlayer-1.7.0.0-setup-0601.exe", processed in VirusTotal at 10/17/2007 03:40:16 (CET).

[ file data ]
* name: 3wPlayer-1.7.0.0-setup-0601.exe
* size: 1201037
* md5.: bc5112820b1708c5f68a57ea65534938
* sha1: 867136b734fe3b95e4ea99f543630d81ecbf7b4a

[ scan result ]
AhnLab-V3 2007.10.17.0/20071016 found nothing
AntiVir 7.6.0.23/20071016 found nothing
Authentium 4.93.8/20071016 found nothing
Avast 4.7.1051.0/20071017 found [Win32:Obfuscated-BPS]
AVG 7.5.0.488/20071016 found nothing
BitDefender 7.2/20071017 found [Trojan.FatObfus.2.Gen]
CAT-QuickHeal 9.00/20071016 found nothing
ClamAV 0.91.2/20071016 found nothing
DrWeb 4.44.0.09170/20071016 found [Trojan.Packed.149]
eSafe 7.0.15.0/20071015 found nothing
eTrust-Vet 31.2.5216/20071017 found nothing
Ewido 4.0/20071016 found nothing
F-Prot 4.3.2.48/20071017 found nothing
F-Secure 6.70.13030.0/20071017 found [Trojan.Win32.Obfuscated.en]
FileAdvisor 1/20071017 found nothing
Fortinet 3.11.0.0/20071016 found nothing
Ikarus T3.1.1.12/20071017 found nothing
Kaspersky 7.0.0.125/20071017 found [Trojan.Win32.Obfuscated.en]
McAfee 5142/20071016 found nothing
Microsoft 1.2908/20071016 found nothing
NOD32v2 2596/20071017 found nothing
Norman 5.80.02/20071016 found nothing
Panda 9.0.0.4/20071016 found nothing
Prevx1 V2/20071017 found [Heuristic: Suspicious Self Modifying File]
Rising 19.45.12.00/20071016 found nothing
Sophos 4.22.0/20071017 found [Mal/Swizzor-B]
Sunbelt 2.2.907.0/20071016 found nothing
Symantec 10/20071017 found nothing
TheHacker 6.2.8.093/20071016 found nothing
VBA32 3.12.2.4/20071016 found nothing
VirusBuster 4.3.26:9/20071016 found nothing

[ notes ]
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=14A6205A8D4CA6055365124453270B005EE7401E

-------------------------------------------------------------------------------------------------
As can be seen, the trojan win32.obfuscated is present, which among other things is responsible for downloading further malware onto the PC.
These are some of the changes the fake player makes to the folder contents and the registry of the PC:
------------------------------------------------------------------------------------------------
Files and Processes Affected By 3wplayer
%ProgramFiles%\3wPlayer\settings.ini
%ProgramFiles%\3wPlayer\settings.stp
%ProgramFiles%\3wPlayer\SkinCrafterDll.dll
%ProgramFiles%\3wPlayer\skins\Stylish.skf
%ProgramFiles%\3wPlayer\test.gif
%ProgramFiles%\3wPlayer\unins000.dat
%ProgramFiles%\3wPlayer\unins000.exe
C:\Documents and Settings\All Users\Start Menu\Programs\3wPlayer\3wPlayer.lnk
C:\Documents and Settings\*USERNAME*\Local Settings\Temp\Temporary Internet Files\Content.IE5\
%ProgramFiles%\3wPlayer\3wPlayer.exe
C:\Documents and Settings\*USERNAME*\Local Settings\Temp\Temporary Internet Files\Content.IE5\
%ProgramFiles%\3wPlayer\minime.exe
C:\Documents and Settings\*USERNAME*\Application Data\Play About\BatBurnDefault.exe
C:\Documents and Settings\*USERNAME*\Application Data\Play About\poke dale mail.exe
C:\Documents and Settings\*USERNAME*\Application Data\Play About\wpmhjiea.exe
C:\Documents and Settings\*USERNAME*\Local Settings\Temp\Temporary Internet Files\Content.IE5\
C:\Documents and Settings\*USERNAME*\Application Data\"something stupid"\mp3 roam.exe
-----------------------------------------------------------------------------------------------
In some respects very similar to this fake player is DivoCodec, a fake codec that contains practically the same malware as 3wPlayer.

This is a screenshot of the DivoCodec website:


In this case too, VirusTotal highlights the malicious content of the file DivoCodec-1.0.0.2-setup-0712.exe:
----------------------------------------------------------------------------------------------
Complete scanning result of "DivoCodec-1.0.0.2-setup-0712.exe", processed in VirusTotal at 10/17/2007 03:40:16 (CET).

[ file data ]
* name: DivoCodec-1.0.0.2-setup-0712.exe
* size: 627376
* md5.: b4e59b9b5556134b7923ff10f5abf001
* sha1: 472deebe085031d688caadb484eb7c7e30d43c5b

[ scan result ]
AhnLab-V3 2007.10.17.0/20071016 found nothing
AntiVir 7.6.0.23/20071016 found nothing
Authentium 4.93.8/20071016 found nothing
Avast 4.7.1051.0/20071017 found [Win32:Obfuscated-BPT]
AVG 7.5.0.488/20071016 found nothing
BitDefender 7.2/20071017 found [Trojan.FatObfus.2.Gen]
CAT-QuickHeal 9.00/20071016 found nothing
ClamAV 0.91.2/20071016 found nothing
DrWeb 4.44.0.09170/20071016 found [Trojan.Packed.149]
eSafe 7.0.15.0/20071015 found nothing
eTrust-Vet 31.2.5216/20071017 found nothing
Ewido 4.0/20071016 found nothing
F-Prot 4.3.2.48/20071017 found nothing
F-Secure 6.70.13030.0/20071017 found [Trojan.Win32.Obfuscated.en]
FileAdvisor 1/20071017 found nothing
Fortinet 3.11.0.0/20071016 found nothing
Ikarus T3.1.1.12/20071017 found nothing
Kaspersky 7.0.0.125/20071017 found [Trojan.Win32.Obfuscated.en]
McAfee 5142/20071016 found nothing
Microsoft 1.2908/20071016 found nothing
NOD32v2 2596/20071017 found nothing
Norman 5.80.02/20071016 found nothing
Panda 9.0.0.4/20071016 found nothing
Prevx1 V2/20071017 found [Heuristic: Suspicious Self Modifying File]
Rising 19.45.12.00/20071016 found [Trojan.Win32.Obfuscated.en]
Sophos 4.22.0/20071017 found [Troj/3WPlay-A]
Sunbelt 2.2.907.0/20071016 found nothing
Symantec 10/20071017 found nothing
TheHacker 6.2.8.093/20071016 found nothing
VBA32 3.12.2.4/20071016 found nothing
VirusBuster 4.3.26:9/20071016 found nothing
-------------------------------------------------------------------------------------------------------
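The two reports above share the same text format (engine, version/signature date, verdict). As an added example that is not part of the original post, this Python parser extracts the hashes and per-engine verdicts from such a report and computes a detection ratio; the embedded report is a constructed excerpt of the 3wPlayer scan quoted above, and the two-engine threshold for "suspicious" is an assumption of mine.

```python
import re

# Constructed excerpt of the text-format VirusTotal report quoted in the post
# (sample input for the parser, not a live scan).
SAMPLE_REPORT = """\
[ file data ]
* name: 3wPlayer-1.7.0.0-setup-0601.exe
* md5.: bc5112820b1708c5f68a57ea65534938
* sha1: 867136b734fe3b95e4ea99f543630d81ecbf7b4a

[ scan result ]
AhnLab-V3 2007.10.17.0/20071016 found nothing
Avast 4.7.1051.0/20071017 found [Win32:Obfuscated-BPS]
BitDefender 7.2/20071017 found [Trojan.FatObfus.2.Gen]
Kaspersky 7.0.0.125/20071017 found [Trojan.Win32.Obfuscated.en]
McAfee 5142/20071016 found nothing
Prevx1 V2/20071017 found [Heuristic: Suspicious Self Modifying File]
Sophos 4.22.0/20071017 found [Mal/Swizzor-B]
"""

# One engine line: "<engine> <version>/<sigdate> found nothing" or "found [<name>]".
ENGINE_RE = re.compile(r"^(?P<engine>\S+) (?P<version>\S+) found (?P<verdict>.+)$")

def parse_report(text):
    """Return the file-data fields and a dict engine -> detection name (None = clean)."""
    file_data, verdicts, section = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.strip("[] ").lower()
        elif section == "file data" and line.startswith("* "):
            key, _, value = line[2:].partition(":")
            file_data[key.strip(". ")] = value.strip()  # "md5." -> "md5"
        elif section == "scan result" and (m := ENGINE_RE.match(line)):
            v = m.group("verdict")
            verdicts[m.group("engine")] = None if v == "nothing" else v.strip("[]")
    return file_data, verdicts

def summarize(text, min_engines=2):
    """Detection ratio and distinct names; 'suspicious' needs at least min_engines
    hits (assumed threshold): one heuristic hit on a packed installer may be a
    false positive, several independent signatures rarely are."""
    file_data, verdicts = parse_report(text)
    hits = {e: v for e, v in verdicts.items() if v}
    return {
        "name": file_data.get("name"), "sha1": file_data.get("sha1"),
        "detected": len(hits), "engines": len(verdicts),
        "names": sorted(set(hits.values())),
        "suspicious": len(hits) >= min_engines,
    }
```

Feeding the full report text from the post yields the hashes to look up elsewhere plus the list of family names, which is what to search for before trusting a polished download page.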

As always, before installing unfamiliar new software, the advice is to take a moment to do some research, perhaps with a search engine, to find a bit more information about what you are about to install.

Edgar
