I have just discovered a new kind of fakecodecs. This time, instead of being related with codecs to watch videos, it is related to images, I have named it Adware/ImageAccesActiveXObject. 

As well as with the fakecodecs, it offers us to "enjoy" some porn images by installing an ActiveX supposedly needed to whatch them. What it really does is to register a class Imageactivexobject.Ñhl that checks the web site we are visiting, so if we are on that particular website it redirects the browser to a different one where we could see the photos.

This is part of the script where this is checked:

<script>

<!–

function activex_is_here() {try {var testObjet = new ActivexObject("imageactivexobject .Ñhl"); return true; } catch(e)  { ; } return false; }

if (activex_is_here()) { location.href = 'http://www.ximagecollection.com/'; }

–>

</script> 

 

In this case, when you click on the photos to watch them, it appears a message saying that the domain has expired. Here you have a video where we show the installation process.

See the demo in the following video (It's encoded with XviD ) or via YouTube:

As most of the fakecodecs, it checks if it is running on a virtual machine, in case it is it won’t infect the computer.

All the malware that it installs it is mainly related to promote rogue antispyware and error repair programs, but in certain cases it also shows other kind of advertisements, as on-line Casinos.

When ImageAccesActiveXObject is installed, it drops in the computer the following malware:

– Adware/SpyLocked: Spends all the time showing fake messages saying that we are infected, it also downloads and installs the rogue antispyware Application/SpyLocked. This is a new version that in previous times we have seen with different names as SpywareQuake or VirusBurst.

– Adware/Securitytoolbar: It installs a toolbar and a browser helper object (bho) that redirects the browser traffic and shows advertisement popus. It also creates some links in the desktop pointing to different web sites.