Security Corner

Sep 21 2008   5:10PM GMT

Beware of the Fake Video Codec Malware Trick

Ken Harthun

A variant of Win32/Zlob is being spread by cybercriminals via the fake video codec trick. Through misdirection or outright deception (including social engineering), users are sent to a site that has what appears to be embedded video. When they arrive at the page, there’s a message in the viewer similar to the one shown at “The ZLOB Show: Trojan Poses as Fake Video Codec, Loads More Threats.” If the user falls for the trick, the Zlob trojan is downloaded and installed.

The variant, posing as “MediaTubeCodec.1.220.2.exe”–a name that should arouse suspicion in savvy users, but probably looks “official” to the unenlightened–was recently analyzed by Microsoft (see “Another Reason to Avoid Piracy” in their Microsoft Malware Protection Center blog). Microsoft updated its detection signatures to detect this variant as TrojanDownloader:Win32/Zlob.gen!CD. If diagnostics on a user’s PC (netstat, for example) reveal connections to any of the following, assume infection and take appropriate action:

  • hxxp://
  • hxxp://
  • hxxp://

According to the blog, “Only the first two are responding at the time of writing—both appear to be running nginx [pronounced “engine X”] (a lightweight web/mail server), one server is hosted in the USA and the other in China. So please folks—avoid piracy, and be wary when a website insists that you download a new codec in order to watch a video or listen to a song.”
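The netstat check described above can be scripted. This is an added example, not code from the original post or from Microsoft's blog: it parses captured Windows `netstat -ano` output and flags TCP connections whose remote address is on an indicator list. Because `netstat -n` reports IP addresses rather than URLs, the indicator set and the sample capture here are constructed placeholders (RFC 5737 documentation addresses), and the function names are hypothetical.

```python
import re

# Constructed placeholder indicators (RFC 5737 documentation addresses).
# Replace with the addresses the published hosts resolve to.
INDICATOR_IPS = {"192.0.2.10", "198.51.100.25"}

# Constructed sample of Windows `netstat -ano` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    10.0.0.5:1043          192.0.2.10:80          ESTABLISHED     2312
  TCP    10.0.0.5:1050          203.0.113.7:443        ESTABLISHED     1780
  TCP    10.0.0.5:1061          198.51.100.25:80       TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    692
"""

# TCP rows only: protocol, local endpoint, remote endpoint, state, owning PID.
ROW = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s+(?P<state>[A-Z_0-9]+)\s+(?P<pid>\d+)\s*$"
)

def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6]:port' into (ip, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def find_suspect_connections(netstat_text, indicators=INDICATOR_IPS):
    """Return one dict per TCP connection whose remote IP is an indicator."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or m["state"] == "LISTENING":
            continue  # headers, UDP rows and listening sockets have no peer
        ip, port = split_endpoint(m["remote"])
        if ip in indicators:
            hits.append({"remote_ip": ip, "remote_port": int(port),
                         "state": m["state"], "pid": int(m["pid"])})
    return hits

if __name__ == "__main__":
    for hit in find_suspect_connections(SAMPLE_NETSTAT):
        print(hit)
```

The PID in each hit identifies the process that owns the connection, which can be looked up with `tasklist`; a connection already in `TIME_WAIT` is still reported but shows PID 0.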
