Friday, December 14, 2007

Another malicious domain. The setup file available on the site is malicious. The setup file installs a malicious BHO which displays the following image below the browser address bar.

BHO Details:

Filename: IECodec.dll
HijackThis entry:
O2 - BHO: IECodecBHO - {4507C219-24AA-4813-9561-A2003F9920C3} - C:\Program Files\IECodec\IECodec.dll
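
As an added example (not part of the original post), here is a small Python check that scans a HijackThis log for the BHO entry above, matching on either the CLSID or the DLL name. The sample log is constructed; only the IECodecBHO line comes from the post, and the function names are illustrative.

```python
import ntpath
import re

# Indicators taken from the HijackThis entry quoted in the post.
BAD_CLSID = "{4507C219-24AA-4813-9561-A2003F9920C3}"
BAD_FILENAME = "iecodec.dll"

# O2 lines have the form: O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?\s*$"
)

def parse_bho_entries(log_text):
    """Return one dict per O2 (Browser Helper Object) line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O2_LINE.match(line.strip())
        if m:
            entries.append({
                "name": m.group("name"),
                "clsid": m.group("clsid").upper(),  # compare case-insensitively
                "path": m.group("path"),
                "file_missing": m.group("missing") is not None,
            })
    return entries

def flag_iecodec(entries):
    """Flag entries matching the CLSID or the DLL name; report which one matched."""
    hits = []
    for e in entries:
        reasons = []
        if e["clsid"] == BAD_CLSID:
            reasons.append("clsid")
        if ntpath.basename(e["path"]).lower() == BAD_FILENAME:
            reasons.append("filename")
        if reasons:
            hits.append((e, reasons))
    return hits

# Constructed sample log: only the IECodecBHO line comes from the post.
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O2 - BHO: IECodecBHO - {4507C219-24AA-4813-9561-A2003F9920C3} - C:\Program Files\IECodec\IECodec.dll
O2 - BHO: (no name) - {4507c219-24aa-4813-9561-a2003f9920c3} - C:\WINDOWS\system32\other.dll (file missing)
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
"""

if __name__ == "__main__":
    for entry, reasons in flag_iecodec(parse_bho_entries(SAMPLE_LOG)):
        print(entry["name"], entry["path"], "matched on", ",".join(reasons))
```

Matching on the CLSID as well as the filename catches a copy of the DLL that has been renamed or left as a stale registry entry after the file is removed.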

Screenshot taken after installing the malicious setup file.

Once you click on the link provided in the image, it takes you to website. The site uses scare-scan tactics to frighten users into purchasing a rogue security application.

The site uses the IP address, which then redirects users into downloading Anti-Virus-Pro (from a well-documented rogue security application.

The and are clone sites of which also redirects users into downloading Anti-Virus-Pro

Scare scan page

Further site ( works as a data repository for

Currently none of the security applications on Virustotal flags the setup file as malicious.

Only two scanners detect the BHO as malicious.

Virustotal scan Result: 2/32 (6.25%)

AntiVir 2007.12.13 HEUR/Malware
Webwasher-Gateway 6.6.2 2007.12.13 Heuristic.Malware

Stay away from these sites.

Bharath M N
