If you download and plan on running what you think is a codec named “multycodecupgr.7.<20xxx>.exe” (as in “multycodecupgr.7.20680.exe”), you should be aware that a surprisingly high number of users have been affected by this phony codec over the weekend and today. The file drops a couple of executables. In our lab they were often named with a single letter, like “a.exe”, “b.exe”, “d.exe”, you get the idea. These files then barrage the user with the usual shock messages that the system is infected, although now they also claim that the system is “probably” infected…
The malware drops “sav.exe” in a self-created “program files\AntiVirus 2008” directory. It’s all tied to the AntiVirus 2008 rogue software, which warns the user of Blaster.Sasser and other inaccurate scan results that supposedly need to be cleaned up for a price:
Pricing can be found at hxxp://www.s-av2008.com, starting at almost 40 clams. Avoid the site:
Now that Atrivo/InterCage is off the grid, these groups appear to be quickly moving resources to hosts serving URLs like “dowload -best -warez.com” (220.127.116.11, 18.104.22.168).
Update: What started out as a few redirect links from a potentially compromised small-business t-shirt-selling website is now spreading. While the pages served from the iframe-based redirect link on the original site are down, the phony codec file is showing up on numerous adult sites.
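For defenders who want to turn the indicators above (the installer name pattern, the single-letter dropped executables, the “sav.exe” payload under the AntiVirus 2008 directory, and the s-av2008.com site with the two IPs) into a quick triage check, here is an added example that is not part of the original post and not any vendor's tooling. It scans a constructed list of host telemetry events; the event format, the sample paths, the rule weights and the alert threshold are all assumptions made for this example, and the backslash in the “program files\AntiVirus 2008” path is assumed from context. The indicators are 2008-era and the network ones in particular should be expected to go stale.

```python
"""Triage check for the fake-codec / AntiVirus 2008 indicators in the post.
Constructed example: event format, samples, weights and threshold are assumptions."""
import re
from dataclasses import dataclass

# File and host indicators taken from the post. The "dowload -best -warez.com"
# name is reproduced there with defanging spaces, so only its two IPs are used.
FAKE_CODEC_RE = re.compile(r"(?i)(?:^|[\\/])multycodecupgr\.7\.\d+\.exe$")
SINGLE_LETTER_EXE_RE = re.compile(r"(?i)(?:^|[\\/])[a-z]\.exe$")
ROGUE_AV_PAYLOAD_RE = re.compile(r"(?i)[\\/]program files[\\/]antivirus 2008[\\/]sav\.exe$")
BAD_HOSTS = {"www.s-av2008.com", "s-av2008.com", "220.127.116.11", "18.104.22.168"}

# Weights are an assumption for this example: the installer name and the payload
# path are specific; a single-letter .exe on its own is a weak signal.
RULE_WEIGHTS = {"fake_codec_installer": 5, "rogue_av_payload": 5,
                "rogue_av_host": 4, "single_letter_exe": 1}
ALERT_THRESHOLD = 4  # assumed: one strong indicator, or several weak ones


@dataclass(frozen=True)
class Finding:
    rule: str
    event: str


def match_path(path: str) -> list[str]:
    """Return the file-indicator rules that a created/executed path trips."""
    rules = []
    if FAKE_CODEC_RE.search(path):
        rules.append("fake_codec_installer")
    if ROGUE_AV_PAYLOAD_RE.search(path):
        rules.append("rogue_av_payload")
    elif SINGLE_LETTER_EXE_RE.search(path):
        rules.append("single_letter_exe")
    return rules


def match_host(host: str) -> list[str]:
    """Return the network-indicator rules that a contacted host trips."""
    return ["rogue_av_host"] if host.lower().rstrip(".") in BAD_HOSTS else []


def scan(events) -> list[Finding]:
    """events: dicts with 'type' of 'file' (with 'path') or 'net' (with 'host')."""
    findings = []
    for ev in events:
        if ev["type"] == "file":
            findings += [Finding(r, ev["path"]) for r in match_path(ev["path"])]
        elif ev["type"] == "net":
            findings += [Finding(r, ev["host"]) for r in match_host(ev["host"])]
    return findings


def score(findings) -> int:
    """Sum rule weights; compare against ALERT_THRESHOLD to decide on an alert."""
    return sum(RULE_WEIGHTS[f.rule] for f in findings)


SAMPLE_EVENTS = [  # constructed telemetry, not real captures
    {"type": "file", "path": r"C:\Users\alice\Downloads\multycodecupgr.7.20680.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\a.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\d.exe"},
    {"type": "file", "path": r"C:\Program Files\AntiVirus 2008\sav.exe"},
    {"type": "net", "host": "www.s-av2008.com"},
    {"type": "file", "path": r"C:\Program Files\7-Zip\7z.exe"},  # benign control
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.rule:22} {f.event}")
    total = score(found)
    print("score", total, "ALERT" if total >= ALERT_THRESHOLD else "ok")
```

The single-letter rule is deliberately weighted low: plenty of legitimate tooling ships tiny executable names, so on its own it should only corroborate a stronger hit such as the installer name or the payload path.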
It is advisable not to run the multycodec executables in circulation right now.