in a spam mail today:
hxxp://menudopiso.com/avi_1/avi.php
--> hxxp://195.93.219.253/hotvideo.avi.exe (md5: a41103ce9f4797c7b391101718eda84c)
request:
hxxp://avxp-08.com/images/1217131846/687a874463df9e3b7abb1f2150607f7a/a061d6e4-7728-4a0f-837e-28a1fc9c9440.gif
--> hxxp://stat.avxp-08.com/soft3/common/14.gif
filetype: 14.gif: GIF image data, version 89a, 100 x 100
md5: e6c0774ddfcbf243332e591f8cbe01ea
register itself at webserver:
hxxp://avxp-08.com/images/1217131852/687a874463df9e3b7abb1f2150607f7a/a061d6e4-7728-4a0f-837e-28a1fc9c9440.ok?id=14
reply: OK
submit data (sys info etc):
POST /log2.php?affid=687a874463df9e3b7abb1f2150607f7a&uid=a061d6e4-7728-4a0f-837e-28a1fc9c9440&tm=1217131852 HTTP/1.1
Host: www.winifixer.com
request:
hxxp://avxp-08.com/images/1217132453/687a874463df9e3b7abb1f2150607f7a/a061d6e4-7728-4a0f-837e-28a1fc9c9440.gif
-> status code 404, not found
from now on the last two requests (submitting data and downloading nonexistent image) are made about every 10 minutes.
in between, the following request is made, probably to make the whole thing look 'legit':
hxxp://www.avxp-08.com/updates/check.html
reply:
APP_VER=3.5.1.20
DATABASE_VER=3.5.1.20
SIGNATURES=60532
DATE=17/12/07
edit:
i am posting this here, because it is a very similar behaviour as that described by Kayrac. while not using the exact same hosts it still seems related.
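A detection sketch for the check-in pattern described in this post, added here as an example and not part of the original post or of the malware itself: it parses constructed proxy log lines (the log format and timestamps are assumptions; affid, uid and hosts are the values quoted above) and flags any client id whose check-ins repeat at roughly the ten-minute interval the post reports.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Constructed proxy log lines ("<ISO time> <method> <url>") modelled on the traffic in
# the post; affid, uid and the epoch values in the paths are the ones quoted there.
SAMPLE_LOG = """\
2008-07-27T04:10:46 GET http://avxp-08.com/images/1217131846/687a874463df9e3b7abb1f2150607f7a/a061d6e4-7728-4a0f-837e-28a1fc9c9440.gif
2008-07-27T04:10:52 GET http://avxp-08.com/images/1217131852/687a874463df9e3b7abb1f2150607f7a/a061d6e4-7728-4a0f-837e-28a1fc9c9440.ok?id=14
2008-07-27T04:10:52 POST http://www.winifixer.com/log2.php?affid=687a874463df9e3b7abb1f2150607f7a&uid=a061d6e4-7728-4a0f-837e-28a1fc9c9440&tm=1217131852
2008-07-27T04:15:30 GET http://www.avxp-08.com/updates/check.html
2008-07-27T04:20:53 GET http://avxp-08.com/images/1217132453/687a874463df9e3b7abb1f2150607f7a/a061d6e4-7728-4a0f-837e-28a1fc9c9440.gif
2008-07-27T04:30:55 GET http://avxp-08.com/images/1217133055/687a874463df9e3b7abb1f2150607f7a/a061d6e4-7728-4a0f-837e-28a1fc9c9440.gif
2008-07-27T04:31:00 GET http://cdn.example.net/images/logo.gif
"""

# Path shape of the .gif / .ok check-ins: /images/<epoch>/<affid>/<uid>.<ext>
CHECKIN_RE = re.compile(r"/(\d{10})/([0-9a-f]{32})/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\.(gif|ok)$")

def parse_log(text):
    """Return (time, host, affid, uid) for every request matching either check-in shape."""
    events = []
    for line in text.splitlines():
        ts, method, url = line.split(" ", 2)
        u = urlparse(url)
        m = CHECKIN_RE.search(u.path)
        if m:
            events.append((datetime.fromisoformat(ts), u.hostname, m.group(2), m.group(3)))
            continue
        q = parse_qs(u.query)  # the POST carries affid/uid in the query string instead
        if method == "POST" and u.path.endswith("/log2.php") and "affid" in q and "uid" in q:
            events.append((datetime.fromisoformat(ts), u.hostname, q["affid"][0], q["uid"][0]))
    return events

def periodic_uids(events, period=600, tolerance=60, min_hits=3):
    """Group check-ins by (affid, uid) and report those repeating at about `period` seconds."""
    by_uid = defaultdict(list)
    for when, host, affid, uid in events:
        by_uid[(affid, uid)].append((when, host))
    hits = {}
    for key, seq in by_uid.items():
        seq.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(seq, seq[1:])]
        # The install-time burst produces near-zero gaps; only near-period gaps count as beacons.
        regular = [g for g in gaps if abs(g - period) <= tolerance]
        if len(regular) + 1 >= min_hits:
            hits[key] = {"hosts": sorted({h for _, h in seq}), "intervals": regular}
    return hits
```

Pointing the same two functions at a real proxy export only needs the line split adjusted to that log's field layout.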