NEWS FROM THE LAB - Wednesday, March 25, 2009

Another Day, Another Video Site with Malware Posted by Response @ 06:53 GMT

We recently received reports of a file named "ActiveXsetup.exe", which was downloaded from http://world-tube .biz.


For people who want to play the video, there's a notice written on the page in red font that "You may need to download an ActiveX video codec (VAC)…". This old trick is well known and commonly used by other malware.

Remember the Facebook site that attempts to trick people into downloading and executing a fake Adobe Flash Player?

Still, what happens when an unsuspecting user downloads the "ActiveXsetup.exe codec", thinking it is legitimate software? Here's a snapshot of it as it is executed:

[Screenshot: TDSS installer]

The file is an NSIS setup file, with a "Playme.exe" file inside the archive. Turns out the setup file is detected as Trojan:W32/TDSS.BR, while the Playme file is detected as Worm:W32/TDSS.BU.
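As an added example (not from the original post and not F-Secure's tooling), here is a small triage script that flags NSIS-built executables like the "ActiveXsetup.exe" described above by looking for the NSIS first-header marker (the 0xDEADBEEF signature followed by "NullsoftInst") and reading the two length fields behind it. The sample file images are constructed stubs, not the real dropper.

```python
"""Triage heuristic: flag NSIS-built installers by their first-header marker."""
import struct

# NSIS firstheader: int flags; int siginfo (0xDEADBEEF); int nsinst[3] ("NullsoftInst");
# int length_of_header; int length_of_all_following_data.
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"
MZ_MAGIC = b"MZ"


def find_nsis_header(data: bytes):
    """Return the offset of the NSIS first header (its flags field), or None."""
    idx = data.find(NSIS_MARKER)
    if idx < 4:            # not present, or no room for the flags field before it
        return None
    return idx - 4


def classify(data: bytes) -> str:
    """Label a file image as 'nsis-installer', 'pe' or 'other'."""
    if not data.startswith(MZ_MAGIC):
        return "other"
    return "nsis-installer" if find_nsis_header(data) is not None else "pe"


def nsis_header_fields(data: bytes):
    """Parse flags and the two length fields of the NSIS first header."""
    off = find_nsis_header(data)
    if off is None:
        return None
    flags, _sig = struct.unpack_from("<II", data, off)          # flags, 0xDEADBEEF
    header_len, data_len = struct.unpack_from("<II", data, off + 20)
    return {"flags": flags, "header_len": header_len, "data_len": data_len}


# Constructed samples: a bare "MZ" stub stands in for the PE image; the NSIS
# sample appends a fabricated first header with header_len=0x1234, data_len=0x5678.
SAMPLE_NSIS = (MZ_MAGIC + b"\x00" * 62 + struct.pack("<I", 0) + NSIS_MARKER
               + struct.pack("<II", 0x1234, 0x5678) + b"\x00" * 16)
SAMPLE_PLAIN = MZ_MAGIC + b"\x00" * 100

if __name__ == "__main__":
    for name, blob in (("constructed NSIS stub", SAMPLE_NSIS), ("constructed plain PE", SAMPLE_PLAIN)):
        print(name, classify(blob), nsis_header_fields(blob))
```

On a real sample, feed the file bytes to `classify`; an "nsis-installer" verdict means the embedded files (such as the Playme.exe named above) can be pulled out with any NSIS-aware archiver for analysis.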

So, more video sites serving malware. Watch out for these sites and stick to the trusted ones.

Response Team post by — Lordian