From The D.U.C.K. Project
Super Video Converter allows you to convert or join files among AVI, MPEG-1, MPEG-2, VCD, SVCD, DVD, WMV, and ASF formats. The program supports the conversion of AVI to MPEG-1, MPEG-2, DVD, VCD, and SVCD; all media formats to DivX (MPEG-4) and AVI; and PAL-to-NTSC conversion and vice versa. You can change the codec or system type, including PAL, NTSC, DivX, Cinepak, and support for streaming media (WMV and ASF) is included. Supports H.264 / MPEG-4 AVC.
What's new in this version: Version 5.8 includes VIRUS PAYLOADS, TROJANS, MALWARE, AND SPYWARE!
DO NOT INSTALL SUPER. THE DEVELOPERS SHOULD BE BLACKLISTED. THIS IS A VERY BAD LITTLE PROGRAM. Even if they do clean their act up, they need to face consequences in the form of civil liability.
On their website they insist that their program is spyware free. Some antivirus products report to the user that there is a trojan in this program, but VideoHelp.com has addressed this report as a false positive.
IT IS NOT A FALSE POSITIVE THAT IS BEING DISCUSSED HERE.
This has been used as a subterfuge to distract from the real malware payloads delivered during installation, which are unrelated to the specific element of the installer that triggers the aforementioned false positive. This report should NOT be confused with the DR/Delphi.gen false positive.
In recent installers, (The Super Installation Program) started asking "Would you like to install this?" Totally optional, understandable that they needed funds. However, (the) last installer crossed the line. They gave no options to prevent the bloatware. It installed "iNTERNET Turbo," which had some things like wajam, Inminmit, and (2yourface).
After uninstalling, (there remained) files neatly packed and still clearly running (from) a folder. A file called "TBhelper2.exe" (was in) task manager, (pointing to) C:\Config.MSI\. This folder is completely invisible and locked.
This is a similar experience reproduced in our laboratory.
THE VIRUS PAYLOADS INSTALL WITHOUT ANY OPTION PRESENTED TO END USER.
The dialog shows a "By Clicking Accept..." message. However, there is nothing to click. The installer automatically launched and all of the malware payloads were installed without any option being accepted.
- IMinent Toolbar
- iNTERNET Turbo
Example Files found on infected system
- IMinentToolbarInstallerFF.exe
- is-B0I40.tmp9A.exe
- Au_.exe
- 2YOURFACE_101_S.EXE-004FCBA7.pf
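A sweep for the file names reported on this page, as an added example rather than anything from the original report: it matches the distinctive names case-insensitively, decodes Windows Prefetch entries (`<EXE>-<8 hex>.pf`) so that an executable that ran and was later deleted still shows up, and lists directories it could not read, such as a locked `Config.MSI`. The default search roots are assumptions.

```python
import os
import re
import sys

# Distinctive names taken from this page, lower-cased. Au_.exe and the
# is-*.tmp name are left out: they are generic installer temp names.
EXACT = {"iminenttoolbarinstallerff.exe", "tbhelper2.exe"}
PREFIXES = ("2yourface",)  # covers 2YOURFACE.EXE and 2YOURFACE_101_S.EXE
# Windows Prefetch traces are named <EXECUTABLE>-<8 hex digits>.pf
PREFETCH = re.compile(r"^(?P<exe>.+\.exe)-[0-9a-f]{8}\.pf$", re.IGNORECASE)


def classify(filename):
    """Return 'file', 'prefetch' or None for a single file name."""
    name = filename.lower()
    kind = "file"
    m = PREFETCH.match(name)
    if m:  # the executable ran at least once, even if it is gone now
        name, kind = m.group("exe"), "prefetch"
    if name in EXACT or (name.endswith(".exe") and name.startswith(PREFIXES)):
        return kind
    return None


def sweep(roots):
    """Walk roots; return (hits, unreadable_dirs)."""
    hits, unreadable = [], []
    for root in roots:
        # onerror records directories that are missing or cannot be listed
        walker = os.walk(root, onerror=lambda e: unreadable.append(e.filename))
        for dirpath, _dirs, files in walker:
            for f in files:
                kind = classify(f)
                if kind:
                    hits.append((kind, os.path.join(dirpath, f)))
    return sorted(hits), unreadable


if __name__ == "__main__":
    # Default roots are an assumption; pass others on the command line.
    roots = sys.argv[1:] or [r"C:\Config.MSI", r"C:\Windows\Prefetch",
                             os.path.expandvars(r"%TEMP%")]
    found, locked = sweep(roots)
    for kind, path in found:
        print(f"{kind:8} {path}")
    for path in locked:
        print(f"UNREAD   {path}  (could not be listed; inspect offline)")
```

A directory reported as `UNREAD` was not inspected at all, so an empty hit list for it proves nothing.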
2YOURFACE.EXE is Trojan/Backdoor
The 2yourface malware Win32.2UrFace.bho has been identified. Win32.2UrFace.bho is a browser helper object that gets installed without user consent alongside other malware and adware. It loads with Internet Explorer and can control its Internet traffic in the background.
2yourface web site - http://6point7.com/
Other questionable spyware practices
The SUPER installer has been using something called OpenCandy for several versions now. OpenCandy is a type of spyware.
Multiple Installers / Versions
There are multiple installers in the wild for the same release of SUPER, some containing the malware payloads and others free of them. This appears to be a tactic in order to comply with the policies of certain web sites that have agreed to distribute the freeware.
The specific version we found to be infected when tested in our lab was obtained from the Official Website. Even the official site has two different sources serving SUPERsetup.exe. The 48.6 MB file obtained from the link labeled "Download SUPER © setup file from our 2nd dedicated server" is verified to carry the malware payloads.
- Hidden, Locked folder Config.MSI - SUPER Converter, WHY?!
- DO NOT use "SUPER" video converter!
- A warning for those who might use the conversion program SUPER note: scroll to bottom and read comment by dotsonface