The DivoCodec Scam

as debunked by Kenneth Sörling (neverhshaveyourduck@gmail.com)
October 2007

Table of Contents:
Introduction
Do not install the DivoCodec!
What is a DivoCodec AVI?
How do I decode a DivoCodec AVI?
In case you installed the DivoCodec: How to clean out the spyware

Introduction

You might encounter an AVI movie, perhaps downloaded through a BitTorrent client such as uTorrent or BitComet, which when you play it shows you something like this:

[Screenshot: what you see when you play a DivoCodec AVI]

This is a scam, trying to lure you into downloading and installing a piece of software which is infested with spyware. In fact, it is a new variation of the 3wPlayer scam. The scam artists behind the 3wPlayer scam, on realizing that the scam had been exposed, quickly devised a new one. Without the energy or the intelligence to invent a new format, they simply reused and renamed the 3wPlayer file format.

Do not, repeat not, install the DivoCodec!

While it may be true that the downloaded "codec" will enable you to play the file, you won't be any happier, because (april fools!) the file will with almost 100 percent certainty not be the movie you wanted to see. Only once, in about a dozen cases of scam AVIs, have I encountered a file which contained the movie originally promised. The individual who produced this file had no interest in you getting what you want, only in himself getting what he wants, namely access to your computer and everything in it.

As a reward for infesting your computer with spyware and, in effect, giving over control of your system to some anonymous crook on the internet, you might be rewarded with an episode of a completely different TV show than the one you were aiming for, or a cheap porno movie, or whatever the bastard who perpetrated this scam had lying around.

What is a DivoCodec AVI?

Essentially, it is two or sometimes three movies baked together in the same file, back to back, with only the first one playable by any standard player. The real, original movie is thus hidden, with a bit of cheap encryption applied. You may skip this section if you aren't interested in the details.

The outermost file is a standard AVI (the short clip you are watching), encoded with a commonly available codec such as DivX, XviD, or MJPEG. It is meant to be playable through Media Player, so you will be able to see the message in the screenshot above.

After the movie data for this message comes a bit of useless junk and then, in encrypted form, the "real" movie, as detailed in my article on the 3wPlayer scam.

As a matter of fact, this is exactly the same scam, only the perpetrators are advertising a different piece of software in the visible clip. The format is exactly as detailed in my article on the 3wPlayer format.

However, we have observed that sometimes, the DivoCodec AVIs pull a slightly different trick. The hidden file might itself be an encrypted file.

That movie is encrypted using exactly the same method as detailed. Inside that, in (again) encrypted form, is the original movie clip, which may be pretty much any AVI clip with a file size big enough to be plausible for what you wanted to see: typically 350 megabytes (for a TV series episode) or 700 megabytes (for a movie).

More details on how the AVI file is composed can be found in CodeMonkey's entry on the MiniNova forum. It's a good place to start for programmers who want to roll their own decoder. Just remember that the Divo scam bakes one of these files into another, so you have to modify the Perl scripts a bit to deal with the double-encoding.
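
The layout described in this section (a playable AVI followed by junk and a hidden payload) can be checked without playing the file or installing anything. The Python sketch below is an added example, not my UnZixWin utility or CodeMonkey's script; it assumes the visible clip's RIFF size field covers only the visible clip, and its "trailing data larger than the visible clip" rule is a heuristic chosen for illustration. It does not decrypt anything.

```python
import io
import struct

def make_riff(form, payload):
    """Build a top-level RIFF chunk (used only for the constructed samples)."""
    return b"RIFF" + struct.pack("<I", 4 + len(payload)) + form + payload

def riff_extent(stream):
    """Return (end of last well-formed top-level RIFF chunk, total size)."""
    total = stream.seek(0, io.SEEK_END)
    pos = 0
    while pos + 12 <= total:
        stream.seek(pos)
        tag, size, form = struct.unpack("<4sI4s", stream.read(12))
        # A plain AVI is one RIFF/"AVI " chunk; large OpenDML files
        # continue with RIFF/"AVIX" chunks, which are legitimate.
        if tag != b"RIFF" or form != (b"AVI " if pos == 0 else b"AVIX"):
            break
        # Chunks are padded to an even length; clamp for truncated downloads.
        pos = min(pos + 8 + size + (size & 1), total)
    return pos, total

def inspect_avi(stream):
    """Report how much of the file a standard player will never read."""
    visible, total = riff_extent(stream)
    if visible == 0:
        raise ValueError("not a RIFF/AVI file")
    trailing = total - visible
    # Heuristic (assumption): a hidden payload dwarfs the short visible clip.
    return {"visible": visible, "trailing": trailing,
            "suspicious": trailing > visible}

if __name__ == "__main__":
    # Constructed samples, not real scam files.
    clip = make_riff(b"AVI ", b"\x00" * 100)
    samples = {
        "clean.avi": clip,
        "opendml.avi": clip + make_riff(b"AVIX", b"\x00" * 50),
        "baited.avi": clip + b"\xaa" * 16 + b"\x55" * 500,
    }
    for name, data in samples.items():
        print(name, inspect_avi(io.BytesIO(data)))
```

To check a real download, open it with `open(path, "rb")` and pass the file object to `inspect_avi`; a few megabytes of visible clip in front of hundreds of megabytes of trailing data matches the structure described above.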

How do I decode this AVI to something usable?

There are two suggested methods of extracting the original (innermost) file. One is using a utility written by me, the other is a utility written (after a fashion) by Wildman Productions. If you already have my utility (which is also useful for dealing with ZIX archives), you might want to try the first method first.

Using my UnZixWin utility (version 0.0.9):

Using the 3wplayer AVI Decoder application:

You can download another utility from the web, the 3wPlayer AVI Decoder, from Wildman Productions, which has been reported to extract the innermost file out of the DivoCodec file. I have personally tested this, and it has been proven to work in at least two cases.

Beware, though: it requires the Microsoft .NET Framework 2.0 or later to be installed, so you might have to download and install that as well. It's a pretty hefty download, but if you are running Windows Vista, it might be installed as standard. If the program complains about a missing DLL called "MSCOREE.DLL" or something along those lines, it means you have to download the .NET Framework.

A small gripe: the messages displayed by the application reveal that it is simply a rebake of a Perl script originally developed by CodeMonkey, an anonymous entity active in the MiniNova forum. In other words, they (Wildman) cribbed someone else's code and republished it as a Windows .NET 2.0 executable. Good thing they don't charge for it, or that would annoy me.

Kudos to the WildMan folks for writing this, and for giving it away. Not so much for giving credit where it's due. They should have credited CodeMonkey with coming up with the original script.

Help! I installed the DivoCodec! How do I get rid of the spyware?

Simply uninstalling 3wPlayer won't help. The spyware will remain on the system, active and hidden.

Symantec (developers of Norton Internet Security) has detailed the steps for removing the 3wPlayer spyware, which is essentially the same crap as this. Details can be found at http://www.symantec.com/en/uk/norton/security_response/writeup.jsp?docid=2007-071111-1607-99&tabid=3

Conclusion

The spyware mafia never seems to give up. Every time we expose one of their frauds, they come up with another angle. In the case of the kind of scam I'm devoted to fighting, it is bogus file formats creating an artificial need for the trojan horse spyware they seem intent on getting onto your computer.

The Vodei Multimedia Processor, WinZix, 3wPlayer and now DivoPlayer are all in this family of scams. In fact, they are to be regarded as generations of the same basic trick. The bastards behind them first invent a bogus format, then spread copies of this format on the peer-sharing networks in order to lure people into their web. They stand to gain considerably from infesting your computer, so as long as there is money in it, they will keep churning out these bogus formats.

The only way to combat them is to keep exposing them. And, as a member of the peer-sharing community, to remain wary of every "new-and-better" format which crops up.