Nasty Little Program...



TIDE-HSV
04-23-2003, 02:48 AM
A week or so ago, I DLed a little supposedly cracker search tool called "Piratos." I scanned it; I have Sygate, so it couldn't get out, so I thought "I can always uninstall." Well, when I tried to use it, it tried to dial Germany. I forgot about it for a while and then removed it, using Add/Remove. I've always used Cleansweep - had it even way back before Norton bought it - but, for some reason, I used the Win app. The icon and the program seemed to disappear. While searching today, using Cleansweep, for another program that needed uninstalling, I saw the "Piratos" name again. So, I started to remove it using Cleansweep. When it started removing stuff, I saw suddenly that the amount to be removed was about 50 gigs, and I saw "My Shared Folder" start flashing by. I backed out in a hurry and selected "confirm each item." I then tunneled down to find that Piratos had hooked itself to my Shared folder and "Remove all files," and then "Remove folder after empty" had been automatically selected. I know many of you have found yourselves trapped in never-ending popups, but this looks like an act of pure vengeance. After I de-selected the Shared Folder dlls, only 4,096KB was left of the program which was supposed to already have been removed. Any other experience out there with these folk?
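The manual check described in the post above (switch to "confirm each item", then deselect everything under the shared folder) can be automated before any deletion starts. The following is an added example, not code from the thread or from Cleansweep or any other uninstaller: it audits a removal list in a constructed tab-separated ACTION/PATH format and flags every entry that falls outside the program's own install directory or inside a protected directory such as a P2P shared folder. The install path, file names and manifest layout are assumptions modelled on the thread's description.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List

# Constructed sample removal list, one entry per line as ACTION<TAB>PATH.
# The install directory, file names and the "My Shared Folder" entries are
# assumptions modelled on the thread's description, not a real product log.
SAMPLE_MANIFEST = """\
delete_file\tC:\\Program Files\\Piratos\\piratos.dll
delete_file\tC:\\Program Files\\Piratos\\uninstall.log
delete_file\tC:\\WINDOWS\\system32\\piratos_helper.dll
delete_file\tE:\\My Shared Folder\\movie01.avi
delete_file\tE:\\My Shared Folder\\album\\track01.mp3
remove_folder_if_empty\tE:\\My Shared Folder
remove_folder_if_empty\tC:\\Program Files\\Piratos
"""


@dataclass(frozen=True)
class Finding:
    """One removal entry the user should review before confirming."""
    line: int
    action: str
    path: str
    reason: str


def _is_under(path: PureWindowsPath, parent: PureWindowsPath) -> bool:
    """Case-insensitive containment test; the parent directory itself counts."""
    p = [part.lower() for part in path.parts]
    q = [part.lower() for part in parent.parts]
    return len(p) >= len(q) and p[: len(q)] == q


def audit_manifest(manifest: str, install_dir: str,
                   protected_dirs: Iterable[str]) -> List[Finding]:
    """Return every entry that deletes outside install_dir or inside a protected dir.

    Entries under install_dir (and install_dir itself) are the only ones an
    uninstaller has any business touching; anything else is reported so it
    can be deselected before deletion starts.
    """
    install = PureWindowsPath(install_dir)
    protected = [PureWindowsPath(d) for d in protected_dirs]
    findings: List[Finding] = []
    for lineno, raw in enumerate(manifest.splitlines(), start=1):
        if not raw.strip():
            continue
        if "\t" not in raw:
            findings.append(Finding(lineno, "?", raw, "malformed entry"))
            continue
        action, path_str = raw.split("\t", 1)
        path = PureWindowsPath(path_str.strip())
        hit = next((d for d in protected if _is_under(path, d)), None)
        if hit is not None:
            findings.append(Finding(lineno, action, str(path),
                                    f"inside protected directory {hit}"))
        elif not path.is_absolute():
            findings.append(Finding(lineno, action, str(path),
                                    "relative path; cannot verify scope"))
        elif not _is_under(path, install):
            findings.append(Finding(lineno, action, str(path),
                                    f"outside install directory {install}"))
    return findings


def safe_to_confirm(findings: List[Finding]) -> bool:
    """True only when nothing outside the program's own directory would be removed."""
    return not findings


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST, r"C:\Program Files\Piratos",
                            [r"E:\My Shared Folder"]):
        print(f"line {f.line}: {f.action} {f.path} -> {f.reason}")
```

Run against the constructed list, the audit reports the four entries that reach outside the program's folder (the system32 file and the three shared-folder entries) and leaves the two entries under the install directory alone; protected directories are checked first so a shared folder is flagged as such even if it were nested somewhere surprising.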

fallenknight308
04-23-2003, 02:55 AM
YES!! beware the piratos!!!! :ph34r:
And when it dials Germany it is LONG DISTANCE, so don't let it; get rid of this bull-shit cracker people!!! B)

TIDE-HSV
04-23-2003, 03:02 AM
Well, it did piss me off when it complained in German that no dial tone was available, but to hide a couple of DLLs and try to wipe out my entire Shared Folder goes beyond sticking me with an overseas call.

sjohnston
04-24-2003, 03:29 AM
Thanks for the warning about this download. I read somewhere that the dialer phones a premium rate telephone number costing 1.50GBP a minute. Surely this practice is illegal, so can these people not be prosecuted?

Jibbler
04-24-2003, 03:34 AM
Originally posted by sjohnston@23 April 2003 - 22:29
Thanks for the warning about this download. I read somewhere that the dialer phones a premium rate telephone number costing 1.50GBP a minute. Surely this practice is illegal, so can these people not be prosecuted?
Programs like this are scams, and the phone company has let some users off the hook. Generally speaking, you are responsible for the charges. If you had a roommate, and he made long distance calls from your telephone, you would be responsible for those calls in a similar manner. ;)

TIDE-HSV
04-24-2003, 03:36 AM
I guess the problem is nabbing them and holding them accountable. I guess if it were easy, maybe the same could happen to us. :huh: So, it could be a two-edged sword. I haven't had time to go back and research it, but this appears to border on virus-like activity. By that I mean hooking itself to data files and trying to take them with it, particularly when it appeared to be already history itself.

TIDE-HSV
04-24-2003, 03:40 AM
Jibbler, you're correct about the phone, but that's not really what pissed me off. The goddam thing tried to take out MY SHARED FOLDER!!! Fifty GIGs!!! All my stuff!!!

j2k4
04-24-2003, 03:57 AM
Originally posted by TIDE-HSV@23 April 2003 - 22:40
Jibbler, you're correct about the phone, but that's not really what pissed me off. The goddam thing tried to take out MY SHARED FOLDER!!! Fifty GIGs!!! All my stuff!!!
Tide, keep us up to speed, yes? This is VERY curious - not the dastardly aspect as much as the methodology... :(

TIDE-HSV
04-24-2003, 04:21 AM
Cleansweep actually plays back what it's deleting in a continuous right to left line - in high speed. When I looked up and saw "E:\My Shared Folder" passing by, you can bet I groped for that "cancel" button as fast as I could.

zapjb
04-24-2003, 04:35 AM
Spybot takes out dialers like this. I would check just to be certain. GL

TIDE-HSV
04-24-2003, 04:40 AM
I have SpyBot and Syquest both, and that's the reason I didn't worry after I removed it with Control Panel. I wouldn't have known that it had this DLL still hanging around, except that I was searching for another program with Cleansweep, and, in the process, I saw Piratos again (just the DLL, although I didn't realize it at the time). When I tried to delete that, it started to try to erase MSF. Otherwise, it hadn't attempted to dial out or other mischief. My RJ11 phone cable stays unplugged all the time, anyway, unless cable goes out.

zapjb
04-24-2003, 04:47 AM
So you're saying you scanned with S&D. And it didn't pick it up?

RealitY
04-24-2003, 09:29 AM
I would figure it would not, as only the dll linking his MSF was left, not the dialer.
What a bunch of freaks, attempting to profit from illegal forced phone calls while at the same time trying to sabotage a part of p2p programs - is this not contradictory in a sense? Well, I never use the default MSF anyway. Again, there is no honor amongst Thieves.

TIDE-HSV
04-24-2003, 11:52 AM
You've got a point there, Reality. MSF is on physical "E" drive in my machine, but the thing was probably only smart enough to look for MSF. OTOH, I never suspected that I would have to hide MSF under another name. The only reason Cleansweep picked it up was that the DLL was still named "Piratos" - causing me to try to delete it manually. There was no legitimate reason I can think of for it to be tied to MSF.

bigmaxy
04-24-2003, 12:18 PM
These things *really* piss me off.

Be very vigilant on Kazaa as it is infested with this stuff. To the point where I now use another p2p program for largescale downloading and KL for the odd quick file.

Always use
1) A good firewall (eg Nortons)
2) Adaware scan regularly.

TIDE-HSV
04-24-2003, 12:56 PM
I know I'm repeating myself, but I use SpyBot, AdAware, Sygate Pro and NAV (also PeerGuardian). None of them helped. This program didn't come through Kazaa. They (Piratos) have it on their web page, which is where I got it. My assumption was that, since I do have as much protection in place, I would know if it tried to "phone home." Of course, it did - literally. The sneaky thing though is to leave behind a hidden DLL, after running XP's Add/Remove. If I had tried Cleansweep the first time around, I would have discovered it trying to delete MSF more quickly. This attack was virus-like, and I don't think it's accidental at all. Unfortunately, since I DLed it and it was doing exactly what I wanted - delete files, just more than I intended - it just flew under the radar of all the protection I was wearing.

Fatal Error
04-24-2003, 01:54 PM
Originally posted by sjohnston@23 April 2003 - 23:29
Thanks for the warning about this download. I read somewhere that the dialer phones a premium rate telephone number costing 1.50GBP a minute. Surely this practice is illegal, so can these people not be prosecuted?
I got a forwarded e-mail about two weeks ago warning about programs that link the unsuspecting user to a phone number using an 809 area code (Dominican Republic); it's a 'pay per call' number that could cost you $1200 US!

These scams are largely unregulated and that's why they are allowed to exist.
These charges have been successfully fought... but it's a real hassle. According to a phone company spokesperson this is legal because "pay per call" numbers can charge what they want... if you dial it, you're responsible for the charges on your phone bill. :angry:

In the case of TIDE-HSV, I have no doubt whatsoever that this was an intentionally and maliciously coded program that was designed to sneak in "just under the wire" so that most AVs and other types of scans wouldn't detect it... that really sux. :angry:

TIDE-HSV
04-24-2003, 03:28 PM
I guess the question still "hangs in the air" as to why they would do it. Just pissed because I deleted their program? There are probably a number of p2p people reading this thread whom they have lost forever as prospects. I just don't understand it. But I ran (and cancelled midway) the Cleansweep program, just to make sure I was seeing it correctly.

Fatal Error
04-24-2003, 04:10 PM
Originally posted by TIDE-HSV@24 April 2003 - 11:28
I guess the question still "hangs in the air" as to why they would do it. Just pissed because I deleted their program? There are probably a number of p2p people reading this thread whom they have lost forever as prospects. I just don't understand it. But I ran (and cancelled midway) the Cleansweep program, just to make sure I was seeing it correctly.
Why would anyone want to plant viri? Do they get some kind of sick thrill out of doing this? This seems to be intentionally aimed at P2P programs... whoever wrote that code in the program very obviously knew what they were doing... this just doesn't get there, it was put there deliberately by someone that has "a lot of computer savvy", not "Joe Blow". And as you pointed out, there would be no seemingly valid reason for this program to attach itself to the MSF and not only delete its contents... but the folder itself.

Thank God you caught it... 50Gb... my god, that would have been a real tragedy. I would really hate to even hazard a guess as to how many people that have used that program had their entire shares wiped out and probably don't even have a clue what caused it.

Indeed, this was a very carefully thought out scheme.. not accidental.

Glad you caught that mate, and thanx for bringing it to everyone's attention :)

TIDE-HSV
04-24-2003, 04:18 PM
One thing to remember, and I'm going to repeat it: nothing bad happened when I just removed the program itself. The shit hit the fan only when I tried to remove the DLL left behind after uninstalling. I still have that DLL in the recycle bin of Cleansweep. I'm going to go back and look at it. Maybe some of our programmers can tell if it had any other "payload."

RealitY
04-25-2003, 09:48 PM
I had similar problems with dialers, though I am not sure what would detect this. Needless to say, I ended up formatting my hard drive at one time due to much crap. Fortunately I have cable now and no phone cord and examine anything I dl.

Though imagine how many people have paid these statements. I had a similar problem on my cell phone. I got paged to a 10 digit number, though I figured since I had nationwide I could not get charged, but it was in the Dominican Republic as well and ran up $27 in the 3 or 4 minutes that I was on. If you're wondering (which you are), it was a chat line with some Jamaicans talking about whatever. I kept asking who I was calling to have some guy tell me this. I called my cell company that day to have the account noted as I was expecting some nice charges, since I used to work in communications. Then when the statement arrived I called and referred to the notes and the charges were removed.

TIDE-HSV
04-25-2003, 09:56 PM
I'm well aware of the phone scam - having your call routed through Russia or Romania, etc. In past years, I've even stopped a couple that got sneaked in on me before I realized they were trying to dial out. I still have a phone modem, which I use on the occasions cable is out (rare). I have backup dialup at my office, accessible at home. When I don't need it, the RJ11 stays unplugged - period, although this is more for extra lightning protection (I've got the UPS, but I believe in "belt and suspenders") than for stymieing rogue dialers. What makes this different is planting a rogue DLL to wipe out your MSF if you try to eradicate their DLL. Maybe it was just bad coding - but I doubt it.

metookay
04-27-2003, 10:22 AM
I've had loads of dialups come up on me; luckily I don't have a modem, took it out for one of those reasons. Ahh, broadband!! Fast and effective.

TIDE-HSV
04-27-2003, 11:42 AM
I left the modem in. It's just unplugged.

Blue_Seraphim
05-01-2003, 06:01 AM
Why don't you tell us where you got the thing, Tide, so we can avoid the whole thing altogether.

TIDE-HSV
05-01-2003, 12:52 PM
Glad you asked that question. It came off a link from a list of cracker sites that someone posted here a couple of weeks ago. After you posted, I went and tried to look up "www.piratos.com." The page looked legit, at first, like a software company. However, all the links are to other companies - none of their own. It's just a collection of links. It keeps urging you to bookmark the page, and, when you try to leave, it makes repeated attempts to persuade you to set "www.munky.com," which appears to be a search engine. It's a German page and "Pirat" in German is the same as "Pirate" in English, so I guess they're trying to send a message.