Avast WEBforum

Other => General Topics => Topic started by: Shiw Liang on March 19, 2010, 05:27:56 PM

Title: A trojan spyware in an avi codec O.O"?
Post by: Shiw Liang on March 19, 2010, 05:27:56 PM
Hi hi and hi again guys :)
I was searching for the avi codec for my windows movie player and, while searching, I found some websites saying that there is a trojan spyware in the codec and that he is not the author of that

Here is the link for that which is malware free unless you download it:
h**p://avicodec.duby.info/
Title: Re: A trojan spyware in an avi codec O.O"?
Post by: mkis on March 19, 2010, 06:13:22 PM
Yes I ran google Chrome from inside the sandbox and I got the avast warning that site is blocked.

And I check the address hxxp://www.avicodecpack.com/  and so far all good,

avast objects to the above address and that may be because of some of the links on the page

But I went back to that address on yr post and there is obfuscated or corrupted text in the pages that some of the links take visitors to. So better change that link to hxxp like mine until we know for sure.


And near the top, there is a very large google-analytics.com/urchin javascript link which may be okay

hxxp://www.google-analytics.com/urchin.js
I'll check that address in the sandbox as well - the google analytics link is actually broken

<script src="hxxp://www.google-analytics.com/urchin.js" type="text/javascript">

may just be unable to go there
Title: Re: A trojan spyware in an avi codec O.O"?
Post by: Pondus on March 19, 2010, 06:18:21 PM
AVICodecPackLite3.exe
http://www.virustotal.com/analisis/d61ae99e628ef63ea95151648d1ccc5db69621e6b531da0c9da62336db59f190-1269018707

AVICodecPackPlus21.exe
http://www.virustotal.com/analisis/f16a2a4a33f5bf520c2054e343616f2121f4d408794a50ac444ab32805fbeb1c-1269018737


sent to avast and MBAM........
Title: Re: A trojan spyware in an avi codec O.O"?
Post by: mkis on March 20, 2010, 12:31:32 AM
Hi there, I want to post how is this google analytics tracker, the large size of it, and the fact urchin tracker is different from other tracker code that I have seen. That said, however, the script does not generate any warnings or alerts, so there appears nothing malicious about it. Just interest value really. btw, I have de-actioned the script by adding a random x here and there --

<script src="http://www.google-analytics.com/urchin.js" typex="text/javascript">
</script>
<script type="text/javascript">
_uacct = "UA-136525-1"x
urchinTracker()x
</script>


The script is entered in the <head> just above the page title - AVIcodec is a free multimedia file analyser for Windows (btw, different from the address title in the <head> - AVIcodec, a free multimedia file analyzer), which would imply that, by its positioning and if it is running as it should, tracker urchin will be activated by any visits to the page.

here is link for the urchin tracker script
- I will leave it on the site for only a day or so, for yr interest, then delete it

http://eduspaces.net/mkistech/files/-1/29794/cookie1.txt
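(Added example, not part of the thread or of the site's own code: a small Python check that does the page-source review described in the post above, listing the scripts a page loads from other hosts and pulling out the urchin account ID. The sample page is constructed from the quoted snippet with the deactivating "x" characters removed; the names ScriptInventory and review are hypothetical.)

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample modelled on the snippet quoted in the post, with the
# poster's deactivating "x" characters removed so it parses as live markup.
SAMPLE_PAGE = """<html><head>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
</script>
<script type="text/javascript">
_uacct = "UA-136525-1";
urchinTracker();
</script>
<title>AVIcodec</title>
</head><body><script src="/js/menu.js"></script></body></html>"""

class ScriptInventory(HTMLParser):
    """Collect every <script> on a page: external src or inline body."""
    def __init__(self):
        super().__init__()
        self.external = []   # (host, url) for scripts loaded by src
        self.inline = []     # text of inline script blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append((urlparse(src).netloc, src))
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._in_script = False

def review(page_html, page_host):
    # Hypothetical helper: page_host is the site being reviewed (an assumption).
    inv = ScriptInventory()
    inv.feed(page_html)
    third_party = [u for h, u in inv.external if h and h != page_host]
    accounts = re.findall(r'_uacct\s*=\s*"(UA-\d+-\d+)"', "\n".join(inv.inline))
    return {"third_party": third_party, "urchin_accounts": accounts}
```

Calling review(SAMPLE_PAGE, "avicodec.duby.info") reports the urchin.js URL as the only third-party script and UA-136525-1 as the tracker account; relative scripts such as /js/menu.js are treated as first-party.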
Title: Re: A trojan spyware in an avi codec O.O"?
Post by: Shiw Liang on March 20, 2010, 03:57:18 AM
okay thank you mkis and pondus ^^
Title: Re: A trojan spyware in an avi codec O.O"?
Post by: mkis on March 20, 2010, 05:48:52 AM
I think the page is okay Shiw Liang. I just thought that AVICodec and Pack came up too often on the page, and that deactivating the link would be a fail-safe solution - that would prevent accidents from occurring. But now I'm all but 100% certain that the page is malware free. Problem was that it was a bit too much to go through the page from start to finish.

It looks as if Philippe Duby is an unfortunate victim in this affair. I could see that he's put in a lot of work into building these packs. Impressive really. If you are viewing page source, then you'll be getting some good insight into his builds. If there was something you thought would be useful on the page, I wouldn't hesitate to email him and ask directly yr questions (about the download, or the running, or whatever else). And I've posted his tracker pack as well - omg what a pack! What a nuisance I am. But I will be removing that page and the link to it tomorrow morning. I just wanted the members to see the google urchin build for their own knowledge and experience. Say, for next time reference is made to urchin, or when they find a build of it running somewhere else, perhaps. That's all.

I started to have a fine appreciation of M. Duby's talent as I worked through the page. But you would know better than me. This is not really my specialty at all. I'll remove the urchin script tomorrow and move on.
Title: Re: A trojan spyware in an avi codec O.O"?
Post by: Chris Thomas on March 20, 2010, 09:41:57 AM
Why do you need codec?

If you want to play videos

I would give 4/5 stars for VLC media Player

http://www.videolan.org/vlc/
Title: Re: A trojan spyware in an avi codec O.O"?
Post by: mkis on March 20, 2010, 01:06:28 PM
VLC always seems to rate well on any comparison terms, Chris.

For myself, I use Windows media player 11 - my own video clips I make to .wmv
and powerISO for hard copy or for ISO images, and so on...
And that's about it, not much time left for anything else.


I think Shiw Liang does anime - now I'm not going to define what that is, because I couldn't, but I do know the genre as such and the media frames that are produced.
Title: Re: A trojan spyware in an avi codec O.O"?
Post by: JuninhoSlo on March 20, 2010, 03:54:24 PM
K-Lite Codec+MPC= Perfect Combination ;)
Title: Re: A trojan spyware in an avi codec O.O"?
Post by: .: L' arc :. on March 20, 2010, 04:06:57 PM
You might also want KM Player (http://download.cnet.com/The-KMPlayer/3000-13632_4-10659939.html)

It's on par with VLC but I chose KM for its classy black interface, lots of flexible preset configurations and light resource use. Hope it helps.