Web video nasties being used to spread malware
Videos containing reactions to video nasties and giving links to the movies themselves have been flooding the internet for weeks. Now that viral distribution has obtained sufficient visibility, it's apparently time to cash in. Swindlers are riding the nausea wave and attempting to foist their garbage, disguised as a special codec, on the masses seeking first-hand experience.
Videos mainly aimed at inspiring disgust in the viewer have been with us almost as long as the web. A newer phenomenon, made possible by video sharing sites such as YouTube, is the response video, which shows people's reactions to seeing such shock movies. The enormous publicity this has generated has attracted thousands more of the inquisitive to the sites from which the video nasties could be downloaded free of charge.
But now that the viral effect of the campaign has attracted sufficient attention, it's time to start collecting fares. The sites still exist – but anyone clicking the Play button now lands on a site which, ostensibly for an age check, asks not only for name and email address but also for credit card numbers and bank details – all supposedly still free of charge. McAfee's SiteAdvisor regards EasyAccessNow as "very spammy". One victim has told the consumer-protection site at Ripoff Report that he was charged $39 for the allegedly free offer on several occasions.
But even if you smell a rat and set out on your own, looking for alternative sources, you're living dangerously. Discussions of the videos now contain heaps of links to supposedly alternative sources, but they almost always take you to sites that will try to install malicious software. A dialog box often asks you to install an additional codec or a required ActiveX control.
Tests by heise Security found that doing so regularly downloaded and installed malicious software. The protection afforded by antivirus software turned out to be still very patchy. Over the weekend, only a few antivirus programs identified install_player_3912981.exe as a downloader (Antivir: TR/Downloader.Gen), and more than a dozen reported nothing. Once run, the program downloaded a file named drv32.data from the web site creatonsoft.com, which is hosted in China. The Malware Domains list shows this site as a source of malware. In fact, the program created the library msvidc32.dll, which Microsoft's Onecare (Trojan:Win32/Delflob.I), F-Prot (W32/Banload.E.gene!Eldorado) and Ikarus (Trojan-downloader.Delf.OGX) identified as problematic, while most virus scanners found nothing objectionable.
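Because most scanners missed the files, the download chain described above is easier to spot in web proxy logs than on the endpoint. The following Python is an added example, not part of the original article or of heise Security's tests; it separates clients that only fetched the fake codec installer from those that went on to request drv32.data, which indicates the installer was run. The log format, the sample lines, the 30-minute window and the digit-suffix pattern for the installer name are assumptions.

```python
import re
from datetime import datetime, timedelta

# Indicators from the article. The \d+ suffix is an assumption generalised
# from the single installer name the article gives.
INSTALLER_RE = re.compile(r"/install_player_\d+\.exe$", re.I)
STAGE2_HOST = "creatonsoft.com"
STAGE2_FILE = "drv32.data"
WINDOW = timedelta(minutes=30)  # assumed correlation window

RANK = {"installer-downloaded": 1, "second-stage-only": 2, "installer-executed": 3}

# Constructed proxy log, one request per line: <ISO time> <client> <host> <path>
SAMPLE_LOG = """\
2024-01-15T10:01:02 10.0.0.5 videos.example /watch/install_player_3912981.exe
2024-01-15T10:03:40 10.0.0.5 creatonsoft.com /drv32.data
2024-01-15T10:05:00 10.0.0.7 videos.example /codec/install_player_5550001.exe
2024-01-15T11:30:00 10.0.0.9 www.creatonsoft.com /files/DRV32.DATA
2024-01-15T12:00:00 10.0.0.8 news.example /index.html
malformed entry
"""

def triage(log_text):
    """Return {client: verdict} for clients that touched either indicator."""
    last_installer = {}  # client -> time of its most recent installer download
    verdict = {}

    def raise_to(client, level):  # never downgrade an earlier, worse verdict
        if RANK[level] > RANK.get(verdict.get(client), 0):
            verdict[client] = level

    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, host, path = parts
        when = datetime.fromisoformat(ts)
        host = host.lower().rstrip(".")
        if INSTALLER_RE.search(path):
            last_installer[client] = when
            raise_to(client, "installer-downloaded")
        elif (host == STAGE2_HOST or host.endswith("." + STAGE2_HOST)) \
                and path.lower().endswith("/" + STAGE2_FILE):
            seen = last_installer.get(client)
            # A second-stage fetch soon after the installer means it was run.
            ran = seen is not None and timedelta(0) <= when - seen <= WINDOW
            raise_to(client, "installer-executed" if ran else "second-stage-only")
    return verdict
```

A "second-stage-only" verdict means the client contacted the payload host without a logged installer download, for example because the installer arrived by another route.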
Anyone who goes looking for these videos in spite of all this should observe the utmost caution – or would perhaps do better to think again about whether they will actually prove anything this way.