Found a new fake codec – nvidcodec. The codec is a malicious program that delivers popup advertisements and hijacks search engine results. Some AV vendors detected the codec as Trojan.Downloader.Zlob.
The homepage for the codec – nvidcodec[dot]com – has no link to the terms of use (EULA). To read it, I downloaded nvidcodec and ran the installer. The installer opens a window with the terms of use, and this is what I found:
SOFTWARE INSTALLATION: Components bundled with our software may report to Licensor and/or its affiliates the installation status of certain marketing offers, such as toolbars, and also generalized installation information, such as language preference and operating system version, to assist Licensor in its product development. No personal information will be communicated to PORNMAGPASS or its affiliates during this process. Licensor may change homepage on user’s computer and may offer additional components through our version of checking/update system. These components include: toolbar, popup ads manager, advertisements messenger, pc protection software, shortcuts manager.
Read the EULA from my previous post: Pornmagpass – free pass to get popups, rogue antispyware, toolbar.
I also found a link to another site – media-codec[dot]com; that site has similar terms of use:
… Licensor may change homepage on user’s computer and may offer additional components through our version of checking/update system. These components include: toolbar, popup ads manager, advertisements messenger, pc protection software, shortcuts manager….
After that, I checked the whois info for media-codec[dot]com, nvidcodec[dot]com and pornmagpass[dot]com:
whois media-codec[dot]com:
Registration Service Provided By: ESTDOMAINS
Contact: +1.3027224217
Website: http://www.estdomains.com
Domain Name: MEDIA-CODEC.COM
Registrant:
n/a
Lemos Adamantios (lemos@securitywarnings.net)
aktis 119, vouliagmeni
athens
,n/a
GR
Tel. +030.2108960081
Creation Date: 08-Apr-2006
Expiration Date: 08-Apr-2007
Domain servers in listed order:
ns2.media-codec.com
ns1.media-codec.com
Administrative Contact:
n/a
Lemos Adamantios (lemos@securitywarnings.net)
aktis 119, vouliagmeni
athens
,n/a
GR
Tel. +030.2108960081
whois nvidcodec[dot]com:
Registration Service Provided By: ESTDOMAINS
Contact: +1.3027224217
Website: http://www.estdomains.com
Domain Name: NVIDCODEC.COM
Registrant:
na
Zuska Karel (zuska@needupdate.com)
Trebanska 764, Revnice
Praha
,11776
CZ
Tel. +420.257720734
Creation Date: 25-Apr-2006
Expiration Date: 25-Apr-2007
Domain servers in listed order:
ns2.nvidcodec.com
ns1.nvidcodec.com
Administrative Contact:
na
Zuska Karel (zuska@needupdate.com)
Trebanska 764, Revnice
Praha
,11776
CZ
Tel. +420.257720734
whois pornmagpass[dot]com:
Registration Service Provided By: ESTDOMAINS
Contact: +1.3027224217
Website: http://www.estdomains.com
Domain Name: PORNMAGPASS.COM
Registrant:
–
Mario Maxime (nt@chmails.com)
88 r Duhesme
Paris
null,75018
FR
Tel. +7.9219745516
Creation Date: 27-Mar-2006
Expiration Date: 27-Mar-2007
Domain servers in listed order:
ns2.pornmagpass.com
ns1.pornmagpass.com
Administrative Contact:
–
Mario Maxime (nt@chmails.com)
88 r Duhesme
Paris
null,75018
FR
Tel. +7.9219745516
As you can see, all domains have one owner.
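A whois comparison like the one above can be made repeatable by reducing each record to comparable attributes and listing the ones that are identical across all domains. This is an added example, not code from the original post; the input is trimmed from the whois output above with registrant details omitted, and the `Name Server:` key and all function names are assumptions of the example.

```python
from datetime import datetime

# Constructed input: fields copied from the whois output above; registrant
# details omitted, name servers rewritten as assumed "Name Server:" lines.
RECORDS = {
    "media-codec.com": """Registration Service Provided By: ESTDOMAINS
Creation Date: 08-Apr-2006
Expiration Date: 08-Apr-2007
Name Server: ns2.media-codec.com
Name Server: ns1.media-codec.com""",
    "nvidcodec.com": """Registration Service Provided By: ESTDOMAINS
Creation Date: 25-Apr-2006
Expiration Date: 25-Apr-2007
Name Server: ns2.nvidcodec.com
Name Server: ns1.nvidcodec.com""",
    "pornmagpass.com": """Registration Service Provided By: ESTDOMAINS
Creation Date: 27-Mar-2006
Expiration Date: 27-Mar-2007
Name Server: ns2.pornmagpass.com
Name Server: ns1.pornmagpass.com""",
}

def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys become a list."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            rec.setdefault(key.strip().lower(), []).append(value.strip())
    return rec

def features(domain, rec):
    """Reduce one record to attributes comparable across domains."""
    def day(key):
        return datetime.strptime(rec[key][0], "%d-%b-%Y")
    return {
        "registrar": rec["registration service provided by"][0],
        "term_days": (day("expiration date") - day("creation date")).days,
        "self_hosted_ns": all(n.endswith("." + domain) for n in rec["name server"]),
        "created": day("creation date"),
    }

def correlate(records):
    """Return (attributes identical in every record, creation spread in days)."""
    feats = [features(d, parse_whois(t)) for d, t in records.items()]
    shared = {k: feats[0][k] for k in feats[0]
              if k != "created" and all(f[k] == feats[0][k] for f in feats)}
    dates = [f["created"] for f in feats]
    return shared, (max(dates) - min(dates)).days
```

Calling `correlate(RECORDS)` returns the shared attributes and the number of days between the earliest and latest registration.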
Related articles: How to remove malicious codecs.