Every page of the site (tv-world-online .net) was linking to fake codec malware in very deceptive ways. The domain hosting the malware changed at least once or twice per day, and the malware hosted on these servers was modified to have a different MD5 checksum about as often. In each case the file name was "install_ActiveX.45171.exe". I collected as many samples as possible, submitting each variant to major antivirus companies that were not yet detecting it, and rating each page on Web of Trust to help protect other WOT users (WOT is a browser add-on for major browsers that helps protect users from potentially harmful sites, and it uses a community rating system that is usually very reliable).
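The campaign rotated its hosting domain and recompiled the payload (new MD5) daily, but kept the same file name, so the file name is the indicator a defender can pivot on. The following added example (not code from the original post) runs that check over a constructed proxy-log excerpt; the domains, client addresses and truncated hashes in it are placeholders, not real indicators, and the log format is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log excerpt (not from the original post). Fields:
# timestamp, client IP, method, URL, hash of the downloaded body (truncated
# placeholders here, not real indicators). The hosting domain and the payload
# hash change between downloads while the file name stays fixed, mirroring the
# pattern described in the post.
SAMPLE_LOG = """\
2010-05-01T08:12:03Z 10.0.0.5 GET http://codec-update-a.example/install_ActiveX.45171.exe aaaa1111
2010-05-01T09:40:19Z 10.0.0.7 GET http://codec-update-a.example/install_ActiveX.45171.exe bbbb2222
2010-05-01T21:03:44Z 10.0.0.5 GET http://fast-player-b.example/install_ActiveX.45171.exe cccc3333
2010-05-02T07:55:01Z 10.0.0.9 GET http://fast-player-b.example/index.html dddd4444
2010-05-02T11:17:28Z 10.0.0.7 GET http://tv-world-online.example/watch.php eeee5555
"""

# The one indicator that never rotated in the campaign: the file name.
FAKE_CODEC_PATH = re.compile(r"/install_ActiveX\.\d+\.exe$")


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, client, method, url, digest = line.split()
    parsed = urlparse(url)
    return {"ts": ts, "client": client, "domain": parsed.netloc,
            "path": parsed.path, "digest": digest}


def find_fake_codec_downloads(log_text):
    """Return the events whose URL path matches the fixed fake-codec file name."""
    return [ev for ev in map(parse_line, log_text.splitlines())
            if FAKE_CODEC_PATH.search(ev["path"])]


def blocklist_churn(events):
    """Count distinct domains and distinct payload hashes among the hits.

    This is how many entries a domain- or hash-based blocklist would have
    needed to catch the same downloads that a single file-name rule catches."""
    domains = {ev["domain"] for ev in events}
    digests = {ev["digest"] for ev in events}
    return {"hits": len(events), "domains": len(domains), "hashes": len(digests)}


if __name__ == "__main__":
    hits = find_fake_codec_downloads(SAMPLE_LOG)
    print(blocklist_churn(hits))  # {'hits': 3, 'domains': 2, 'hashes': 3}
```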
Variants of this fake codec malware are known by many different names. The last sample I obtained is detected under the following names (currently 35/42 detection rate according to VirusTotal):
FakeAV.GPF, Generic.dx!vgs, Heuristic.BehavesLike.Win32.Downloader.H, Mal/EncPk-NS, MalCrypt.Indus!, Malware-Cryptor.Limpopo, Packed.Katusha.ase, Packed.Win32.Katusha, Packed.Win32.Katusha.o, Packed/Win32.Katusha.gen, Suspicious file, TR/Shakat.O.333, Trojan.Agent/Gen-Fraudera, Trojan.DL.Renos!al/DlyrO68M, Trojan.DownLoad2.19095, Trojan.FakeAV, Trojan.FakeAV!gen29, Trojan.Generic.KD.90926, Trojan.Katusha.o, Trojan.Win32.Generic.52530514, Trojan/W32.Agent.212992.JV, TrojanDownloader:Win32/Renos.MJ, VirTool.Win32.Obfuscator.hg!b1 (v), Virus, W32/Codecpack.700D!tr, W32/Obfuscated.M, W32/Renos.A!Generic, Win-Trojan/Agent.212992.VL, Win32:MalOb-EA, Win32/Renos.D!generic, Win32/TrojanDownloader.FakeAlert.BBT

Here are WOT reports for several affiliated domains:
On a different subject, I want to let my readers know that I recently updated a couple of pages on this site: the Bindaas spam site listing and the page on how to manually preview shortened URLs.
For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.