Website Information

End of Birthday Raffles! The raffles are now closed and have been drawn. Check out the celebration forum to see if you've won!

The Securitycadets.com chat-room will soon return! Stick around for all details!

Copyright Notice

Creative Commons License
All articles are licensed under a Creative Commons License.
Every post is the opinion of the author. Contact Us for any issues.

How to get screwed the easy way

September 29th, 2006 by jahewi

I think (or rather, hope) that by now everyone knows a little bit about fake codecs, or at least that they are dangerous.

However, I can imagine that just seeing an article which tells you that this or that is dangerous is not always very clarifying.

This is what I was thinking the last few days. After my blog post about X Password Generator, we got a number of responses from people who were infected or were just searching for more information.

So I thought: okay, let's go all the way and make a grand tour of a typical installation of those fake codecs and similar infectors, like X Password Generator!

So, if you please follow me, I'll give you a tour of how to get screwed the easy way.

And after the tour, of course you can discuss it with me in our forum.

Needless to say, if you think your computer has been infected by a fake codec, we will be glad to help you get rid of the problem in our HijackThis forum.


Filed under Security Related | No Comments »

Are Google ads too tough to keep under control?

September 28th, 2006 by jahewi

I’m very sorry that I have to post this story. A story in which good guys take a wrong turn. And it took me (and Andy) some time to be convinced.

I just have to post this. So let’s take a walk and mind the pits.

I’m one of those guys that is always on the lookout for nasties and malware-problems. Yes, I actually go look for them, infect my computers with them and write about it on sites, forums and weblogs.

Of course, after being infected with the worst, I need scanning and cleaning tools to get my test computer back into working order. So I'm also always on the lookout for new developments in the world of malware scanners and cleaners.

This was the case last Sunday, when I went to the site of ClamWin (a great, free, open-source virus scanner) to see if there was anything new and to download the latest version.

What was bugging me from the moment I arrived on the ClamWin site was their Google ads … they were nasty!

When I ran into a Google ad for WinAntivirus 2006, I had more than enough. So I wrote a topic in their forum, telling them about the Google ads (especially the WinAntivirus 2006 one).

I got an answer from the site admin, called alch. The answer was very strange to me: avoiding my claim and pointing at Google as the one to blame.

Instead of asking me for more information or for my solution, alch asked me to complain to Google, which, according to him/her, is to blame for the ads!

Excuse me, but who owns the ClamWin site? Google? Somehow I doubt that very much.

And who asks Google to display those ads? Who gives permission for those ads? That's right, the real owners of the ClamWin site!

So there is no one who can (or will) do something about those ads, other than the owners of the site?

Well okay, I tried again and clearly offered my help in dealing with the problem.
Can you imagine that I really thought that I (as a non-native English speaker) was misreading his/her answer? That somehow I didn't read it right?

Because the answer was quite simple. It seems there absolutely was no problem!

According to alch, I had just imagined it all. There was no Google ad for WinAntivirus 2006 on the site, just an ad for wnantivirus (according to alch a good site), which linked to macrovirus.com.

Right! How stupid of me! Just call me blind and send me along!

Of course, trying to get rid of me is often much easier than actually reading what's been written and trying to learn from it! Of course I really saw the WinAntivirus advert. And the person who answered my post just doesn't have a clue how Google adverts work and hasn't thought about it for one second!

Even if alch doesn't know anything about Google adverts, he/she still could have stopped to think that it's possible that Google ads rotate …. instead of trying to make me feel like a fool. Because when alch (or someone else) finally, after a few days, took a second to look at the Google ads, the WinAntivirus ad, of course, was long gone!

It's too bad. He/she could have made the site a whole lot safer for those people who come there for a good way to protect themselves against scumware. For which there are ads on that same site.

I won't say they are deliberately having those ads on their site. Maybe it's worse; maybe they just don't care.

Let me be clear. I still think that ClamWin is a great virus scanner, and being an open-source program makes it very special to me.

Still, when I advise a virus scanner to other people, it won't be ClamWin as long as those people are in danger of clicking the wrong ads on the ClamWin site.

If anyone wants to discuss the matter with me. You can always find me in our forum.

Media Coverage - Faill.com - Digg.com - Digital World


Filed under Security Related | 4 Comments »

Microsoft releases a patch for the VML exploit

September 28th, 2006 by AndyAtHull

A security issue has been identified in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it.

This vulnerability was discovered some time ago and it has seen some action, to say the least. However, Microsoft have now released a patch for it.

If you have by any chance read on other blogs that unregistering vgx.dll is a workaround and have done so, you will need to re-register it after patching, otherwise VML content will still not render.

You can do this by clicking on Start, then Run, typing the following and clicking OK:

regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

The quotes are needed because the path contains spaces; regsvr32 reports success or failure in a dialog box.

So go visit our forum for all the details on what to do to get yourself patched! Or just make sure the mentioned file is registered and visit Windows Update!


Filed under Microsoft, Security Related | No Comments »

Surf Sidekick in disguise as DeluxeCommunications

September 25th, 2006 by AndyAtHull

You know because malware never hides! LOL

Reading a blog post over at BleepingComputer, this latest disguise involves Surf Sidekick being rebranded, almost verbatim, as DeluxeCommunications!

The evidence to support this is very simple. The IP address used by surfsidekick.com, 66.51.207.27, is hosted at DSL Extreme, and so is the one used by dxcdirect.com, 66.218.58.107.

A shared hosting provider on its own proves little, but that's not all! The files that come with these programs are very similar indeed:-

Comparison of files (SurfSideKick 3 on the left, DeluxeCommunications on the right; only the brand prefix changes)

%Program Files%\SurfSideKick 3\Ssk.exe        %Program Files%\DeluxeCommunications\Dxc.exe
%Program Files%\SurfSideKick 3\SskBho.dll     %Program Files%\DeluxeCommunications\DxcBho.dll
%Program Files%\SurfSideKick 3\SskCore.dll    %Program Files%\DeluxeCommunications\DxcCore.dll
%Temp%\sskupdater3.exe                        %Temp%\dxcupdater3.exe
%Temp%\??.tmp                                 %Temp%\??.tmp
%Temp%\??.bat                                 %Temp%\??.bat
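The comparison shows that only the three-letter brand prefix changed between the two installs. As an added example (my own code, not from BleepingComputer, sUBS, Mickie or this site), the Python script below turns that observation into a detection rule: it groups files by install folder and prefix, flags any folder that shows the full exe + Bho.dll + Core.dll layout, names the family when the prefix is one of the two known ones, and reports an unknown prefix with the same layout as a possible new rebrand. The directory listing, the benign "Acme" entry and the hypothetical third brand "Zzq" are constructed for the demo.

```python
import re
from collections import defaultdict

# Brand prefixes taken from the file comparison above.
KNOWN_PREFIXES = {"ssk": "SurfSideKick", "dxc": "DeluxeCommunications"}

# Both brands drop the same three components in one %Program Files% folder:
# <prefix>.exe, <prefix>Bho.dll and <prefix>Core.dll. This brand-neutral layout
# is the signature; the prefix is just a label the authors can change at will.
FAMILY_LAYOUT = frozenset({"main.exe", "bho.dll", "core.dll"})

# ...\<dir>\<prefix>[Bho|Core].(exe|dll); the prefix is non-greedy so that
# "SskBho.dll" splits into prefix "Ssk" + component "Bho".
_COMPONENT = re.compile(
    r"[\\/](?P<dir>[^\\/]+)[\\/](?P<prefix>[a-z]+?)(?P<comp>bho|core)?\.(?P<ext>exe|dll)$",
    re.I,
)
# ...\<prefix>updater<N>.exe, the %Temp% dropper from the comparison.
_UPDATER = re.compile(r"[\\/](?P<prefix>[a-z]+?)updater(?P<ver>\d+)\.exe$", re.I)


def group_by_layout(paths):
    """Map (install dir, brand prefix) -> set of brand-neutral component names."""
    groups = defaultdict(set)
    for path in paths:
        m = _COMPONENT.search(path.strip())
        if m:
            comp = (m.group("comp") or "main").lower() + "." + m.group("ext").lower()
            groups[(m.group("dir"), m.group("prefix").lower())].add(comp)
    return dict(groups)


def find_rebrand_candidates(paths):
    """Return {(dir, prefix): verdict} for every folder that shows the full layout.
    Known prefixes get their family name; an unknown prefix with the same layout
    is reported as a possible new rebrand instead of slipping through."""
    hits = {}
    for key, comps in group_by_layout(paths).items():
        if FAMILY_LAYOUT <= comps:
            hits[key] = KNOWN_PREFIXES.get(key[1], "unknown rebrand (SurfSideKick layout)")
    return hits


def find_updaters(paths):
    """Return {prefix: path} for each <prefix>updaterN.exe dropper in the listing."""
    found = {}
    for path in paths:
        m = _UPDATER.search(path.strip())
        if m:
            found[m.group("prefix").lower()] = path.strip()
    return found


# Constructed listing for the demo (not a real capture): both brands from the
# comparison, two benign programs, and a made-up third brand "Zzq" with the same layout.
SAMPLE_LISTING = r"""
C:\Program Files\SurfSideKick 3\Ssk.exe
C:\Program Files\SurfSideKick 3\SskBho.dll
C:\Program Files\SurfSideKick 3\SskCore.dll
C:\Program Files\DeluxeCommunications\Dxc.exe
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Acme Tools\Acm.exe
C:\Program Files\ZzqToolbar\Zzq.exe
C:\Program Files\ZzqToolbar\ZzqBho.dll
C:\Program Files\ZzqToolbar\ZzqCore.dll
C:\Documents and Settings\user\Local Settings\Temp\sskupdater3.exe
C:\Documents and Settings\user\Local Settings\Temp\dxcupdater3.exe
"""


def demo():
    """Run both detectors over the constructed listing."""
    lines = [line for line in SAMPLE_LISTING.splitlines() if line.strip()]
    return find_rebrand_candidates(lines), find_updaters(lines)


if __name__ == "__main__":
    candidates, updaters = demo()
    for (folder, prefix), verdict in sorted(candidates.items()):
        print(f"{folder} ({prefix}*): {verdict}")
    for prefix, path in sorted(updaters.items()):
        print(f"updater dropper for {prefix}: {path}")
```

Run it as-is to see the two known brands and the made-up "Zzq" folder flagged while Firefox and the lone Acm.exe are left alone; feed it the output of a real directory listing (one path per line) to hunt for the same layout under yet another name. The point is that a rebrand which keeps the component structure is cheaper to catch by layout than by maintaining a list of every name it has used.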

Oh, and their sites' FAQs are a classic comedy comparison! Albeit Surf Sidekick's is down at the moment (like we are surprised). But with a magic wand and help from BleepingComputer, here you can find the comparison in images:-

Surf Sidekick FAQ

Surf Sidekick (surfsidekick.com)

DeluxeCommunications FAQ

DeluxeCommunications (dxcdirect.com)

So yeah, there you have it! Not only do the files look similar; the respective pages are dead ringers too!

They must think we were born yesterday or something. Anyway, in the meantime why not discuss it on our forum! And as always, if you want rid of this baddie, visit our free assistance forum!

This new find was brought to you by sUBS and Mickie. Great work!


Filed under Security Related | 2 Comments »

Securitycadets is accepted as an ASAP member!

September 22nd, 2006 by AndyAtHull

I can happily say that securitycadets has been accepted into the ASAP community.

A bit of info on what ASAP is about:-

ASAP stands for the Alliance of Security Analysis Professionals.

ASAP started out as a small band of security sites under siege, and is rapidly expanding to include the "Best of the Best" the Internet Security Community has to offer.

ASAP is made up of website and forum owners and administrators, forum and site staff, individuals, companies and various organizations dedicated to providing security related support to computer end users.

ASAP is a joint effort designed to help end users with as seamless a process as possible, using methods such as cross-referrals, multiple product support services, easy information access, and cross referencing/verification.

More info can be found here.

All the current site members will be added to that page shortly. However, if you want to know which sites are currently members, please visit the official ASAP page!

This has come as great news for our site, as we pride ourselves on giving you the best advice/help. And hopefully it will also reassure you that our help is some of the best you can get!

Please join the party in our forum! :D You never know we may give you some breadsticks! :)


Filed under Site News | 6 Comments »

New IM worms: Pipeline and Heartworm

September 22nd, 2006 by AndyAtHull

The good thing about these is that one was caught before it got released, or at least before it could take down a network and collect data.

Pipeline:-

This infection starts in one of the usual ways IM worms work: via a web address passed to you in an IM window.

When you click on the link you get a "csts.exe" file. This file then starts to make calls to many domains, and its last port of call, so to speak, is a server in Korea.

For a full write up and analysis, visit the Greynets Blog.

Heartworm:-

This worm attack is cloaked in a virtual-card hoax - W32Heartworm.A.

“The Net has a long history of hoaxes and many of the “best” seem to involve dire warnings of virus attacks that simply don’t exist. Whether you’re being asked to delete teddy bears or avoiding the gaze of the all seeing eye, there’s a rich history out there that bad guys could have some fun with. Well, sure enough, some hackers seemingly decided to create a kind of potted history of online web hoaxes, and tie it into an actual infection. There’s an instant messaging infection currently on the prowl that has a little fun at the good guys’ expense, and toys with the notion of making a Net urban legend come to life. How is this done? Well, it’s fairly subtle and not everyone would appreciate the rather warped humour.”

For a full write up and analysis, again visit the Greynets Blog.


Filed under Security Related | No Comments »

SiteAdvisor update!

September 22nd, 2006 by AndyAtHull

Since my last post a few days ago, SiteAdvisor have given Rokop-Security back their green rating!

Great work! If you know of a site/forum that has been given a red rating by accident because of links in HJT logs, feel free to comment and tell us! We will pass on any info!


Filed under Security Related | No Comments »

Are SiteAdvisor still rating security sites as bad?

September 20th, 2006 by AndyAtHull

The answer is yes! And in the same way they rated previous security sites.

You know:-

  • Crawler picks up a bad HJT line and the link it contains.
  • Crawler reports back.
  • Site gets red for "having" a bad download, even though the link was only quoted as evidence in a user's log.
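The three steps above describe a crawler that cannot tell a link a site recommends from a link a user pasted as evidence of an infection. As an added example (my own code, not SiteAdvisor's), the Python below shows the difference in a few lines: it treats URLs that sit on a HijackThis log line (the R0/R1/O4/O16 style entries HJT writes) as quoted evidence and only lets the remaining, editorial links influence the rating. The forum post, the rogue hosts in the blocklist, the CLSID and every domain are constructed for the demo; the HJT line prefixes are the real section codes HijackThis uses.

```python
import re
from urllib.parse import urlparse

# A HijackThis log line starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
HJT_LINE = re.compile(r"^\s*(?:R[0-3]|F[0-3]|N[1-4]|O(?:[1-9]|1\d|2[0-4]))\s+-\s+")
URL = re.compile(r"https?://[^\s\"'<>)\]]+")

# Assumed rogue hosts for the demo; a real crawler would use its own reputation data.
BLOCKLIST = {"bad-search.example", "dropper.example"}

# Constructed forum post (not a real log): a user pastes a HijackThis log that quotes
# two rogue URLs as evidence, and a helper replies with one legitimate link.
SAMPLE_POST = r"""
Hi, my IE start page keeps changing. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bad-search.example/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bad-search.example/sb
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Video Codec) - http://dropper.example/codec.cab

Thanks for any help!

Helper: please download HijackThis from http://tools.example.org/hijackthis.exe and post a fresh log.
"""


def extract_urls(post_text):
    """Return [(url, origin)]; origin is 'log' when the URL sits on a HijackThis log line
    (quoted evidence of an infection) and 'editorial' when it is a link the poster chose."""
    found = []
    for line in post_text.splitlines():
        origin = "log" if HJT_LINE.match(line) else "editorial"
        found.extend((url, origin) for url in URL.findall(line))
    return found


def naive_rating(post_text, blocklist):
    """The crawler behaviour described above: any link to a blocklisted host turns the page red."""
    hosts = {urlparse(url).hostname for url, _ in extract_urls(post_text)}
    return "red" if hosts & blocklist else "green"


def context_aware_rating(post_text, blocklist):
    """Only editorial links count towards the rating; blocklisted hosts that appear
    solely as quoted log evidence are returned separately for a human to review."""
    editorial, quoted = set(), set()
    for url, origin in extract_urls(post_text):
        (quoted if origin == "log" else editorial).add(urlparse(url).hostname)
    rating = "red" if editorial & blocklist else "green"
    return rating, sorted(quoted & blocklist)


if __name__ == "__main__":
    print("naive crawler rating:", naive_rating(SAMPLE_POST, BLOCKLIST))
    rating, evidence = context_aware_rating(SAMPLE_POST, BLOCKLIST)
    print("context-aware rating:", rating)
    print("rogue hosts quoted as evidence only:", evidence)
```

On the constructed post the naive rule returns red and the context-aware one returns green while still surfacing the two rogue hosts, which is the behaviour a support forum needs: the evidence is preserved for the helpers, but the site is not punished for hosting it. A production crawler would also have to recognise logs wrapped in forum code or quote tags and logs from other tools, which this example leaves out.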

However, the security site in question had this download tested back in May. And some four months later, even after the last fiasco, SiteAdvisor still rates this security site as bad.

What worries me is that we mention all the big sites that got a red rating, and they get changed. But all the other languages kind of get put away in the corner. Like Rokop-Security.de.

Now I have been informed that this is a great support forum. And like other forums, it assists with HJT.

This is the thread in question about the bad download. And if you can read German, even better!

So what has been done since they left a comment on our blog?

“What happened is that as we expanded our crawling capacity to check more and more pages on sites, we ended up crawling forums. Naturally, a lot of forums have links to bad sites or bad downloads.

Unfortunately, we didn’t catch this before the data went live…the good news is that these results were only public for about 24 hours before we fixed them.”

Is this why we still have red ratings, months after the download was tested in May?

  • Yes, loads have been rated back to green.
  • And yes we know our forums have bad links in HJT logs.

But it still doesn't make it right that, a month after we mentioned it, a site that had the download tested in May is still red.

All credit to SiteAdvisor for acknowledging their mistakes. However, I dread to think how many forums in other languages are still rated red/yellow.

Why not offer your opinion on this issue in our forum? Any comments are always welcome!
