Friday, 20 November 2009
Codec Craze

Malware creators have begun to develop fake codecs to take advantage of the rising popularity of streaming video and video clips on the internet. One of the most common malware infections on the net right now is spreading through a number of fake codecs. The infection installed by these fake codecs is detected by StopSign as Popuper and trojan.Popuper; however, there are a number of other aliases for this infection, such as Zlob, W32/Zlob, Trojan.Media-Codec, Trojan.Emcodec, and Trojan.Zlob, as well as many others. The damage caused by these fake codecs ranges from browser hijacking to installing other malware and even, in some cases, using rootkit capabilities that make them almost impossible to fully detect and remove.

 

One of the more common ways of getting one of these false codecs is by way of a video that prompts a codec installation before you can watch it. Some examples of other false programs out there are password managers or public messengers filtering through sites like MySpace, and even emails and instant messages. They send the user to a site that will prompt them to install the new codec before the page can be properly viewed. Once this new program or codec is installed, popups can start appearing, or pages are redirected and personal information is compromised.

Codecs are often used in videoconferencing and streaming media solutions. Some common QuickTime video codecs include Sorenson Video and Cinepak. Even though QuickTime supports a number of codecs, only a small portion of them are suitable for streaming video. Since video clips have become wildly popular, it is no surprise that malware creators jumped on this new craze in order to spread their malicious programs throughout the net.

Due to the popularity of viewing videos on the internet, these new malware programs have been able to infect users by taking advantage of the necessity of codecs. In terms of software, a codec, or "Compressor-Decompressor," is a program that translates video or audio files between compressed and uncompressed forms. Codecs can both put a stream or signal into an encoded form (usually for transmission, storage or encryption) and retrieve, or decode, that form to be viewed or manipulated in a more friendly format. Files that are encoded with a specific codec will require that same codec to be decoded. Knowing this, malware programmers have created a number of ways to get users to install their malicious codecs. One common way is to prompt users to install a new codec in order to watch a video, while actually delivering a malicious, fake codec.

Some of the most common names for these false codecs include:

  • Braincodec
  • Dvd Codec
  • EliteCodec
  • GoldCodec
  • HQCodec
  • iCodecPack
  • JpegEncoder
  • KeyCodec
  • LightCodec
  • MediaCodec
  • MovieCodec
  • nvidcodec
  • Pcodec
  • PerfectCodec
  • PlayerCodec
  • QualityCodec
  • SilverCodec
  • SoftCodec
  • StrCodec
  • SuperCodec
  • TrueCodec
  • TVCodec
  • VidCodec
  • VideoCodecs
  • VideosCodec
  • VideoCompression Codec
  • WinMediaCodec
  • WMCodec
  • Zcodec
  • zipcodec

This list continues to grow and change on an almost weekly basis. These fake codecs have even been known to use rootkit technology to hide their files and protect themselves from detection and deletion. Some of the common files associated with the worst of the codecs are:

  • isaddon.dll
  • iesplugin.dll
  • isamini.exe
  • isamonitor.exe
  • pmmon.exe
  • pmsngr.exe
  • iesuninst.exe
  • pmuninst.exe
  • isauninst.exe
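
The two lists above can be turned into a simple triage scan. The following is an added example, not StopSign's code: it walks a directory tree and flags the listed file names (case-insensitively) and installer files whose names reduce to one of the listed fake codec names. The `normalise` helper, the set of installer extensions, the noise tokens and the sample tree are assumptions made for the illustration.

```python
import os
import re
import tempfile

# File names the article lists for the worst fake codecs (matched case-insensitively).
KNOWN_FILES = {
    "isaddon.dll", "iesplugin.dll", "isamini.exe", "isamonitor.exe", "pmmon.exe",
    "pmsngr.exe", "iesuninst.exe", "pmuninst.exe", "isauninst.exe",
}
INSTALLER_EXTS = {".exe", ".msi"}  # assumption: only installer-type files are name-checked
NOISE = re.compile(r"^(setup|install|installer|v?\d+)$")  # assumed decoration tokens

def normalise(stem):
    """Lower-case, split on punctuation/spaces, drop version and 'setup' tokens."""
    tokens = re.split(r"[^a-z0-9]+", stem.lower())
    return "".join(t for t in tokens if t and not NOISE.match(t))

# Fake codec names from the article's list, normalised the same way as file stems.
FAKE_CODECS = {normalise(n) for n in (
    "Braincodec,Dvd Codec,EliteCodec,GoldCodec,HQCodec,iCodecPack,JpegEncoder,"
    "KeyCodec,LightCodec,MediaCodec,MovieCodec,nvidcodec,Pcodec,PerfectCodec,"
    "PlayerCodec,QualityCodec,SilverCodec,SoftCodec,StrCodec,SuperCodec,TrueCodec,"
    "TVCodec,VidCodec,VideoCodecs,VideosCodec,VideoCompression Codec,WinMediaCodec,"
    "WMCodec,Zcodec,zipcodec").split(",")}

def scan(root):
    """Walk root and return sorted (reason, path) findings for manual review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            if name.lower() in KNOWN_FILES:
                findings.append(("known-file", os.path.join(dirpath, name)))
            elif ext in INSTALLER_EXTS and normalise(stem) in FAKE_CODECS:
                findings.append(("codec-name", os.path.join(dirpath, name)))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree (empty files, names made up for the demo)."""
    sample = ["Downloads/HQCodec_v4.2_setup.exe", "Downloads/Dvd Codec 1.0.exe",
              "Program Files/x/ISAMonitor.EXE", "Downloads/holiday.mpg",
              "Downloads/codec-notes.txt"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        return [(why, os.path.relpath(p, root).replace(os.sep, "/")) for why, p in scan(root)]

if __name__ == "__main__":
    for why, path in demo():
        print(why, path)
```

A name match is only a reason to look closer, and because some of these infections hide their files with rootkit techniques, a clean result from a scan run on the live system does not rule out infection.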

Once you install one of these malicious codecs or programs, it installs itself into your registry and starts its mayhem. Some of these codecs will just install a very basic search redirector and/or homepage hijacker. Most of this is due to your browser settings being changed or to newly added DNS server settings, which force your computer to communicate with a remote server before carrying out an action, transferring data to the remote server and allowing the server to redirect you to whatever page it wants you to view.

Some of these codecs will install a number of third-party programs, such as adware and rogue protection programs. Once installed, users will start to get a multitude of popups and a little blinking icon in their system tray that tells them they are infected. When clicked, the icon will send a user to the most current rogue protection program that it is trying to make money off of. If a user does happen to purchase the rogue protection software, their credit card information is then compromised. The current rogue protection software being promoted by these fake codecs is SpyDawn, but in the past we have seen programs such as SpySheriff, VirusBurst 6.1, Internet Explorer Security Plugin 2006, Internet Security AddOn, Public Messenger Ver2.03, Security Alerter 2006, virus-Burst, VirusBurster 6.2, VirusBurster(s) 6.2, VirusBursters 6.2.

The malware developers have even expanded their realm of malicious codecs and created a number of other malicious programs targeting social web pages. Sites like MySpace have been among the targets. Malware developers will create a user profile and then try to spread their mayhem by promoting some new program that tracks who visits your site after you install the program. There are, however, a few legitimate tracking tools on the web. These use HTML coding and don't need a user to install anything onto their computer to work. One of the fairly recent non-codec forms of this Popuper infection has targeted the pornographic realm. These programs have been found with the following names: PornPassManager, MyPornMagPass, XPassword Generator, PornMagPass.

Take precautions when you are surfing the net; malware is all over the place. Be wary of sites and links that prompt you to install codecs in order to continue viewing the media. Verify the publisher and make sure you read the End User License Agreement as well as the Terms of Service so that you know what you are getting into. It is a good idea to research any program before you install it: see what other people know about the program and whether it is legitimate or not.

If you feel you are infected with one of these fake codecs or programs, you will want to run a scan with an updated antivirus and antispyware program such as the StopSign Threat Scanner. Most of these fake codecs can be removed, but due to the rapid rate at which they are updated, it may take a few days for the computer protection industry to catch up with the new malware releases. One of the benefits of the StopSign Computer Protection Service is that you get technical support with a paid membership, so if you have the most recent malware that the StopSign software isn't removing, you can work with a support technician to help clean your computer. You can even help us by providing samples of these kinds of infections to help our antivirus team keep up with the ever-changing malware world.


 
