ScamWatch

About The Blog

Info, updates and miscellaneous about online scams and how to avoid them

PlayVix: The cure is worse than the disease?

Common Scams. Posted by NeverShaveYourDuck, Thu, September 10, 2009 19:43:36
In case you're unfortunate enough to have already installed the PlayVix player, and have thus infected your system with spyware, getting rid of it isn't so trivial.
To make matters worse, other scammers are cashing in on this scam in unexpected ways.
There is a video on YouTube which claims to show you how to remove PlayVix. Only, surprise, it doesn't. What it does is direct you to a site which promises a "PlayVix Removal Guide".
That guide offers no help at all, although it seems to describe the PlayVix spyware scam quite accurately. It then offers you a clickable, suspiciously anonymous, link to yet another site where you can get instructions on how to remove PlayVix.
That site turns out to be the download page for Registry Easy, a tool which claims to fix your every problem, including toothache, FOR FREE!

Be aware that this software is flagged by several tools as malware. It is itself a spyware kit, and you may have to take additional steps to get rid of that.

I'll keep investigating PlayVix and if I come across removal instructions which actually work, I'll post them here.

In the meantime, my only suggestion is that you reinstall your computer from a bootable CD, after backing up your data files, of course. It's a bitter pill to swallow, but it actually helps get rid of the spyware. And, unlike Registry Easy, it will probably also speed up your system.



PlayVix: another scam video format

Common Scams. Posted by NeverShaveYourDuck, Wed, September 09, 2009 00:08:49
The scammers are at it again.

If you come across a video file which, on playback, shows you this:

Beware! It's yet another form of the old DivoCodec scam, this time with a new twist.

If you're familiar with the DivoCodec scam, you probably vaguely recognize the screenshot. It's surprising how predictable these crooks are: They choose the same color scheme for their bullshit title screens every time. Red and white text on a black background.

In case this is your first visit, here's the quick and dirty rundown: This is a trick to try to make you install infected software on your system. The PlayVix "player" they are offering is highly likely to be spyware, or to quietly load and install spyware while running. Also, the information they force you to submit before downloading the player will be sold on. At minimum, you open your e-mail address to a flood of spam.

The way these bastards usually work, you still won't get to watch the movie you expected to. If there is any content in there at all, it will probably be tranny porn or something uninteresting taped off TV. April Fools!

So don't do it. You'll be compromising your computer with no benefits.

Technicalities:

These videos come masked as AVI files, but are actually ASF/WMV files renamed. They make use of the DRM (Digital Rights Management) encryption already mentioned in another post on this blog.
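Because the file name lies and the bytes do not, the container can be identified from its first bytes alone. The following is an added example, not code from the original post: it recognises a RIFF/AVI header and an ASF (WMV) Header Object, walks the ASF header's child objects looking for the DRM-related Content Encryption objects, and flags the combination the post describes (a ".avi" that is really a DRM-protected ASF). The GUID constants are taken from the ASF specification; the sample files are constructed inline, not real captures.

```python
import struct
import uuid

# Object GUIDs from the ASF specification; on disk they are stored little-endian (bytes_le).
ASF_HEADER_GUID = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_DRM_GUIDS = {
    uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E").bytes_le,  # Content Encryption Object
    uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C").bytes_le,  # Extended Content Encryption Object
}


def identify_container(data: bytes) -> str:
    """Classify a media file by its leading bytes; the file name is ignored entirely."""
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi"
    if data[:16] == ASF_HEADER_GUID:
        return "asf"
    return "unknown"


def asf_has_drm(data: bytes) -> bool:
    """Walk the children of the ASF Header Object and report whether a DRM object is present."""
    if identify_container(data) != "asf" or len(data) < 30:
        return False
    header_size = struct.unpack_from("<Q", data, 16)[0]
    pos, end = 30, min(header_size, len(data))  # children follow the 30-byte Header Object
    while pos + 24 <= end:
        guid, size = data[pos:pos + 16], struct.unpack_from("<Q", data, pos + 16)[0]
        if guid in ASF_DRM_GUIDS:
            return True
        if size < 24:  # malformed object size: stop rather than loop forever
            break
        pos += size
    return False


def looks_like_codec_scam(name: str, data: bytes) -> bool:
    """The tell-tale: a file named .avi whose bytes are an ASF/WMV container carrying DRM."""
    return name.lower().endswith(".avi") and identify_container(data) == "asf" and asf_has_drm(data)


def make_sample_asf(with_drm: bool) -> bytes:
    """Constructed sample (not a real capture): a minimal ASF Header Object, optionally with DRM."""
    child = b""
    if with_drm:
        child = next(iter(ASF_DRM_GUIDS)) + struct.pack("<Q", 32) + b"\0" * 8  # 24-byte header + 8 payload
    size = 30 + len(child)
    return ASF_HEADER_GUID + struct.pack("<QIBB", size, 1 if with_drm else 0, 1, 2) + child


SAMPLE_AVI = b"RIFF" + struct.pack("<I", 4) + b"AVI "  # constructed: the start of a genuine AVI
```

Running `looks_like_codec_scam` over the first few kilobytes of a download is enough, since the ASF Header Object sits at the very start of the file.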

WARNING!
Since the DRM mechanism installed in Windows Media Player offers to contact the content publisher (read: criminals) and purchase a "licence" for the content at the publisher's site, this is another way for the scammers to get you. The DRM mechanism is vulnerable to hack attacks, and your computer may become silently hijacked in the process. So don't do that either. Read my previous post on the DRM scam to find out why it's dangerous.

My advice is to try another torrent for the content you wanted to see. And, please, stop seeding any video file which behaves this way. Don't help snare other unsuspecting victims.

Can this format be cracked?

I'm not yet sure, but my hopes aren't high. The main content, if there is any, may make use of the DRM encryption system, which is notoriously hard to crack, if it can be done at all. So, unlike the previous formats, I probably can't extend my UnZixWin app to extract the hidden content. But I'll keep snooping and pondering the problem. Any feedback with any details is welcome here.





The DivoCodec scam exposed

Common Scams. Posted by NeverShaveYourDuck, Sat, October 27, 2007 13:44:40
You've got to hand it to me. For two weeks I've had an article about the DivoCodec scam on my web site, and absolutely no links or anything pointing to it; in fact I forgot even to tell anybody about it. How's that for efficient information flow?

In case you encounter an AVI file which shows you a screen telling you to download the DivoCodec, first read this. It may save you some grief.

Of course, anyone who is familiar with the 3wPlayer scam would instantly recognize this as 'more of the same'.

UnZixWin can decode DivoCodec files as well. Note, however, that it may take two passes.




New WinZix version in the wild

Common Scams. Posted by NeverShaveYourDuck, Fri, October 12, 2007 23:51:28
I have encountered yet another spawn of the spyware-ridden WinZix installer.

The worrisome part is, my antivirus package (AVG from Grisoft) doesn't find anything harmful inside (although you can bet the farm it's most decidedly harmful), even with a day-fresh virus DB update.

I think this is because the installer is a .NET 2.0 binary, and so contains a different kind of executable code (MSIL, Microsoft Intermediate Language) rather than standard machine code.
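Whether a Windows executable is a .NET/MSIL assembly can be confirmed from its PE headers: a managed binary has a non-empty CLR runtime header in data directory entry 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR). The following is an added example, not code from the original post and not derived from the WinZix binary: it parses just enough of the PE layout to answer that question, and builds a constructed skeletal PE32 header (no real code) to exercise the check.

```python
import struct

CLR_RUNTIME_HEADER = 14  # index of IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR in the data directories


def is_dotnet_pe(data: bytes) -> bool:
    """True when a PE image carries a CLR runtime header, i.e. it is a .NET/MSIL assembly."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the "PE\0\0" signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 4 + 20                                # COFF file header is 20 bytes long
    if len(data) < opt + 2:
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                     # PE32 optional header layout
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                                   # PE32+ (64-bit) optional header layout
        count_off, dirs_off = opt + 108, opt + 112
    else:
        return False
    entry = dirs_off + 8 * CLR_RUNTIME_HEADER
    if len(data) < entry + 8:
        return False
    num_dirs = struct.unpack_from("<I", data, count_off)[0]  # NumberOfRvaAndSizes
    if num_dirs <= CLR_RUNTIME_HEADER:
        return False
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0


def make_sample_pe(dotnet: bool) -> bytes:
    """Constructed sample (not WinZix): a skeletal PE32 header with or without a CLR directory."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)     # e_lfanew at 0x3C points just past the stub
    # Machine=i386, 0 sections, timestamp/symbols 0, SizeOfOptionalHeader=224, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # magic ... NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[CLR_RUNTIME_HEADER] = (0x2008, 0x48)        # placeholder RVA/size for the CLR header
    return dos + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs)
```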

The details are as follows:

File Name: WinZix.EXE
File Size: 1 098 406 bytes
MD5 Checksum: c70d34eb6a9e93a0cecfcb7888aece81

It was encountered in a torrent on TPB: House.SE0402.HDTV.XviD-Caph


Poking around inside with a hex editor, I discovered that the installer required administrative privileges to run, which is bad news. If it manages to run as a computer administrator, it can do plenty of nasty stuff to the computer without you ever knowing about it.

People who have found this blog are naturally smart enough not to ever run anything named WinZix. Then again, new users are coming to the peer-to-peer arena every day, and many of those aren't familiar with this spyware.


I haven't done any further investigation yet; I must have a sandboxed computer which I can sacrifice in order to execute the installation and see what nastiness happens.


Thanks to alert user Mike for pointing me onto this one.


The DIVO Codec Scam

Common Scams. Posted by NeverShaveYourDuck, Thu, October 11, 2007 04:04:44
Fellow scambuster Jim Dunn has alerted me to a new trend of AVI scammers.

If you get an AVI file which shows you this message:

[Screenshot: the DivoCodec message screen]

This is, of course, just another variation of the 3wPlayer scam. The same people responsible for the 3wPlayer scam have added another trick to their bag. They're double-encoding 3wPlayer files and calling them DivoCodec.

In other words, the scammers are too lazy to invent a new scam format. They're just using their old tools twice on the same file, this time appending a new image to the AVI.

WARNING:

In case you are new to all this: do not under any circumstances download the 'codec'. In fact, don't even go to that website mentioned. The codec contains malicious spyware for sure, and the website might record your IP address and target you for hacking.

BitTorrent users with a bit of experience know this, of course. They've seen the 3wPlayer scam before, and the Vodei scam before that.

Solution:

Jim discovered that if you run this AVI file through UnZixWin 0.0.9, you get a standard 3wPlayer-encoded file. Running that through UnZixWin 0.0.9 will get you the original, unencoded file. Of course, that may not be the one you were promised (April Fools!), but any old AVI which seemed large enough to be plausible.


In short, use UnZixWin twice and see what you get.

Thanks, Jim!


The DRM Scam is dangerous

Common Scams. Posted by NeverShaveYourDuck, Mon, September 17, 2007 16:18:42

First of all, apologies for churning out these blog entries at such a snail's pace. I had intended to write up the DRM scam sooner, but considered it a fringe thing. Good thing I was slow on the draw with this one, though, because it has proven to be more serious than I thought, and I would have exacerbated the problem by downplaying the risk.

Embarrassingly, I seem to be the last one to get the message. This has been known to many for years. But hey, if it was news to me, it might be for you as well. So here's more on it:

The DRM Scam defined:

Internet users frequently encounter a WMV (Windows Media Video) or WMA (Windows Media Audio) file which they've downloaded perhaps by way of BitTorrent.

Upon trying to play this file, they encounter a message from Windows Media Player stating that a minor security upgrade is required. This has to do with Digital Rights Management, and is a clear signal to the savvy that "You're about to be charged for viewing this". Myself, being a cheapskate, I bail out at this point.

What is supposed to happen otherwise is that, once the security upgrade is taken care of, you'll be whisked away to some web site where you can purchase a "token" or a "licence" to view the protected content. In other words, bring out your VISA card, or your wallet, or your PayPal, or whatever you use to pay for stuff online. After that, you're supposed to be able to view the file, but only on that computer, and usually only for a limited amount of time. Your purchased right to view the content does not travel with the file; nor does it persist forever.

I discarded this as a 'Pseudo-scam', designed merely to make a quick buck out of inexperienced users. A P.T. Barnum quote is called for here, but I won't digress.

However, it must be categorized as a scam, because the originators of the DRM-protected file don't actually own the material proffered, but have pirated it from somebody who does. In other words, you'll be paying your hard-earned cash to the wrong people. If you're gonna have to fork over your dough, do it to the ones who are legally entitled. Not to some scam artist.

The DRM Threat

What I failed to realize, and to know, was that this scam isn't just about making a quick buck, but is actually another vehicle for infesting your computer with spyware.

Others have already done a great job of describing the threat for me, so I refer you to this immensely useful article: WMP Adware: A Case Study In Deception

Read the whole thing, and note the presence of numerous links pointing to other articles dealing with this threat. Depending on your configuration of Windows platform and version of Media Player, you could be susceptible to vulnerabilities. Following the links, you also become aware of Microsoft's stubborn refusal to deal with a security hole they alone are responsible for creating.

I would therefore make the following suggestions:

Use an alternative media player, such as VLC or Media Player Classic. These players don't honor the embedded DRM links, but simply try to play the encrypted content (VLC) or report "Could Not Render The File" (MPC). Make sure you associate the WMA and WMV extensions (hell, associate all of them, for all I care) with one of these players, so that you don't inadvertently launch Media Player by double-clicking on a downloaded file.

Never, ever, under any circumstances, accept the premise to pay for stuff you've downloaded for free. Never respond yes to any dialog which prompts you to install anything in response to trying to play a media file, whatever it be. Not only are you being taken, your computer might be as well.


WikiPedia Article on WinZix deleted

Common Scams. Posted by NeverShaveYourDuck, Mon, September 10, 2007 15:35:03

Prior to last week, users encountering ZIX archives have been able to find information on WinZix in Wikipedia. This was an invaluable source of information, and it included warnings about the spyware in WinZix and links to damage reports as well as remedies for those affected. I was able to contribute in a small way with corrections about the nature of the file format and in particular the specifics of the metadata block inside.

However, this article is now history. A certain user, whose motives struck me as fishy, considered the article "not noteworthy", and submitted it for deletion.

In the heated discussion that ensued about the validity of the article, the user who considered it "not noteworthy" proved himself impervious to any arguments to the contrary. Said arguments included the very real threat that spyware-infested trojan apps like WinZix pose to the internet community. All fell on deaf, and apparently very dumb, ears.

Consequently, as of this weekend the WikiPedia article on WinZix is now history, as is the discussion leading up to its deletion. I would point you to it (and I did, in my article on the Zix format, supplied with my UnZixWin utility), but it's gone the way of the dodo. The stub telling about its demise is here.

This is a loss to all those who will now not benefit from the knowledge amassed about WinZix and how to deal with the problems it causes. True, there are plenty of other places on the net which a Google search will turn up that warn about the problems.

However, I think it's a sad state of affairs that the great Wikipedia can be subjected to badly motivated censorship by anyone with an axe to grind. The free-for-all nature of the site's approach to editing and quality control isn't always optimal. In this case in particular I found the reasons for deleting the article fishy indeed, and highly question the motives for doing so. Can it be that said user has personal stakes in the success and proliferation of WinZix?

Oh, well. Where Wikipedia fails, sites such as this one must pick up the torch. I don't intend to stop warning people about these spyware-riddled scams anytime soon. Indeed, I must pick up the pace on getting my full website online. This blog is a useful tool, but not quite how I want to organize things.
