SCRAPPY Archives

December 2006

SCRAPPY@RAVEN.UTC.EDU

Subject:
From: Jeff Kell <[log in to unmask]>
Reply To: Jeff Kell <[log in to unmask]>
Date: Fri, 1 Dec 2006 10:03:52 -0500
Content-Type: text/plain

In the last weeks of November, we have detected almost a dozen computers on campus infected with a new piece of malicious software (doesn't fit the exact virus, worm, bot, trojan definition) that presents a significant security risk to the user if it is installed on their computer.  That in itself is nothing particularly new, but the way it gets installed on your computer is different.

There are numerous accounts of media files (typically video, but also possible with audio) being circulated with the necessary hooks to install the malicious software.  When your media player tries to "play" the file, you are told that you need to "install a codec to view/play this file", and you are prompted to install the "codec".  This is purely a scam -- when you click OK, the damage is done.

In addition to installing several adware/spyware items, this malware will change your computer's name server configuration so that any domain name lookups are redirected to their name service, enabling them to do any "phishing" attacks they so desire.  Unlike the typical phishing (identity theft) scams where you are redirected to "fake" websites with names that do not match the real destination, they simply hijack the real names.

We have blocked access to the malicious name servers from campus to thwart any fraudulent name hijacking by this particular scam, but they may simply change to a different set of name servers in the future.  If you are infected with this code on campus, your internet access may abruptly stop (your computer will not be able to resolve any names).  Antivirus *may* be able to clean out parts of the infection, but likely will not repair the name server configuration damage.  Please contact the Help Desk for assistance in removing this infection.

PLEASE beware of ANY media files that claim that you "need to add a codec" to play the file, especially if they come from an untrusted source.

Jeff Kell
IT Security
University of Tennessee at Chattanooga
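The message above warns that the infection rewrites the host's name server configuration. As an added example that is not part of the original message, the script below parses `ipconfig /all` output (the Windows tool of that era) and flags any configured DNS server that falls outside an approved resolver range; the approved range, the output sample and the adapter details are constructed placeholders, not values from the list or the campus network.

```python
"""Flag hosts whose DNS servers were changed to resolvers outside the approved set."""
import ipaddress
import re

# Hypothetical campus-approved resolver ranges (placeholder: TEST-NET-1, not a real campus value).
APPROVED_RESOLVERS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_ipconfig_dns(output):
    """Extract DNS server addresses from 'ipconfig /all' text.
    The 'DNS Servers' line carries the first address; indented continuation lines carry the rest."""
    servers = []
    in_dns = False
    for line in output.splitlines():
        first = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if first:
            servers.append(first.group(1))
            in_dns = True
            continue
        if in_dns:
            more = re.match(r"\s+(\d+\.\d+\.\d+\.\d+)\s*$", line)
            if more:
                servers.append(more.group(1))
                continue
            in_dns = False  # any other line ends the DNS Servers block
    return servers


def unexpected_resolvers(servers, approved=APPROVED_RESOLVERS):
    """Return the configured resolvers that are not inside any approved network.
    Unparseable entries are reported too, since they are not a known-good resolver either."""
    bad = []
    for entry in servers:
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            bad.append(entry)
            continue
        if not any(addr in net for net in approved):
            bad.append(entry)
    return bad


# Constructed sample: a host whose resolver list has been rewritten (TEST-NET-3 addresses).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.0.2.45
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       203.0.113.8
"""

if __name__ == "__main__":
    found = parse_ipconfig_dns(SAMPLE_IPCONFIG)
    print("configured:", found, "unexpected:", unexpected_resolvers(found))
```

On a fleet, the same check can run over collected `ipconfig /all` captures so that hosts pointing at resolvers outside the approved set are found before their lookups start failing.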
