Sharing Windows\system32 Folder?!?



marlin
02-13-2003, 02:48 PM
When reviewing my shared folders i found that i was sharing my windows\system32 folder with Kpp 2.0.2. Certainly something i would not do myself. Is this built in the installation (i assume not) or is there some other program causing this? Needless to say i closed the share. It did not reappear when i restarted Kpp (so it does not happen on startup).

I have some questions:
- What is causing this?
- Who has the same problem?
- Which file contains my shared folders settings?
- Is it possible to protect this file better?

Generally i am very happy with Kpp (or Kazaa Lite for that matter), but this worries me. Please let me know.

"The Avatar Man"
02-13-2003, 03:21 PM
does anyone else use your computer?
perhaps they did it by accident

Nobody1234
02-13-2003, 03:28 PM
Look into: Tool> Find Media to Share>Folder List. Uncheck any folders you don't want to share.

K++ 2.0.3 is also available. The menu is changed slightly to Options>Find Media to Share>...

marlin
02-14-2003, 02:53 AM
actually, it is a virus, or rather worm (McAfee just found it as W32/steph.worm, there is no description yet in their database) that uses kazaa to spread. It puts a number of infected files in the folder \windows\system32\setup32 and opens it as a share for download through Kpp (and probably other types of Kazaa as well). Some of the filenames are:

Unreal 2003 cd Crack 4 Ver 2166.exe
Unreal Tournament 2003 internet Keygenerator-NEW.exe
Unreal 2003.exe
Winamp 4 Beta.exe
Windows Longhorn Alpha Security Patch.exe
WinDVD Platinum all languages.exe
Zone Alarm Security Patch - 2003.exe

and more .... like winXP keygen ....

all are 369 KB

accompanied by readthisworld.txt, which contains the words:

"Steph.With nice brown eyes .. 4 ever"

If you download and execute any of these files the virus will activate. I have no idea what the worm does except what i described before. My system runs winXP pro and seems to function normally. This is not a hoax. I will make this a separate post as well.

krome
02-14-2003, 03:02 AM
All i can say from reading this is you are infected by a virus that shares its own files to kazaa so other users can get infected. It's like a Virus Chain...

What i would do is scan using Norton or McAfee, try to delete as many infected files as u can....


Better yet. Go here HouseCall AntiVirus (http://www.housecall.antivirus.com) Click on the link to scan your files for free and try to remove it from there if found....


Ok if that doesn't work by removing it, Hate to say this but you might have to reformat unless u can't remove OK?

Hope this helps dude

peace..

marlin
02-14-2003, 12:16 PM
thnx, i am working on it. i am trying to warn other users. maybe i should post this with kazaa itself, so they can build in to prevent access to the sharing system. storing it as some kind of binary should already make tricks like this more difficult ...

boogie_knights
02-16-2003, 03:16 PM
Yeah I bet it had you thinking for a moment or two didn't it, WTF system32? LOL but the sad thing is there are actually people out there who share their system files for some strange reason, I don't know if it's just to make them look good on the stats or something. Just goes to show, there are indeed a few numbties out there.

BK

marlin
02-17-2003, 02:14 AM
well, i have no problem with numbties, more with people force-sharing their bullshitware with us (in this case a worm), you think those people are trying to prove something? Can't be that they are great programmers. slightly too simple for that. Can't be that they are worthwhile to know better ... Can't be that they are geniuses of invention. Maybe they want to be feared, but anonymously, cause if you look too long in the abyss .. You think that they are more popular with their friends, when they brag about it?

nobody is a saint and we all are breaking some laws here (copyright), but there is a big difference between downloading some films you would wait for to come on tv otherwise (most of them anyway) and being willfully and indiscriminately destructive to other people's property and with no gain whatsoever ....

guess you all get my drift by now, sorry, it's sunday :rolleyes: , keep sharing and have a nice week, go to the cinema or something ;)

Supernatural
02-17-2003, 12:24 PM
Originally posted by marlin@16 February 2003 - 21:14
well, i have no problem with numbties, more with people force-sharing their bullshitware with us (in this case a worm), you think those people are trying to prove something? Can't be that they are great programmers. slightly too simple for that. Can't be that they are worthwhile to know better ... Can't be that they are geniuses of invention. Maybe they want to be feared, but anonymously, cause if you look too long in the abyss .. You think that they are more popular with their friends, when they brag about it?

nobody is a saint and we all are breaking some laws here (copyright), but there is a big difference between downloading some films you would wait for to come on tv otherwise (most of them anyway) and being willfully and indiscriminately destructive to other people's property and with no gain whatsoever ....

guess you all get my drift by now, sorry, it's sunday :rolleyes: , keep sharing and have a nice week, go to the cinema or something ;)

Amen brother. :)

marty
02-17-2003, 02:51 PM
I've experienced this problem......it is some sort of virus.

I noticed i was sharing about 100 files more than usual, so i looked in my Kazaa Lite sharing options and found i was sharing my windows directory....something i would NEVER do!

I turned off kazaa sharing the windows folder, but it came back on again.....did a scan with norton and it found nothing.

I did the online scan with trend micro, as Krome pointed out:
http://www.housecall.antivirus.com/

I noticed while it was scanning there were a load of .EXE files, all quite small in size, that i weren't aware of.
These were in a folder in the windows directory called USER32.
When i looked in the folder it was empty, so i turned on the option to view hidden files in folder options and there were 90 files.....i deleted them and they reappeared before my eyes!

I then deleted the USER32 folder and that reappeared when i rebooted.
I had a look at what processes i had running and one which stood out to me was CMD32.EXE.
I had a look and found CMD32.EXE in my windows folder as a hidden file....i then done a bit of research and found out this file isn't a windows file and neither is the USER32 folder.

I deleted the CMD32.EXE and USER32 folder and rebooted, and got an error message saying CMD32.EXE cannot be found, but other than that, the PC booted up OK, and the dodgy files had gone, and Kazaa was back to normal.

So it seems this is a virus which runs at start up, and tells kazaa to share all these crappy files that it keeps on regenerating.

Something is looking for CMD32.EXE on boot up though......haven't found what or where.....probably in the registry.........I used the repair option to repair my copy of windows XP and this sorted it.
If i get any problems i'll do a reformat, but everything's fine at the moment.

Here's an image of some of those regenerating files:

http://www.emkay.pwp.blueyonder.co.uk/kazaa.jpg


Here's the CMD32.EXE file in my windows directory:


http://www.emkay.pwp.blueyonder.co.uk/cmmd.jpg

I remember a year ago or so there was a similar thing.....something called SCREENSAVE.EXE, or something similar, which resided in the windows directory and done the same thing.

To those who have the same problem with kazaa sharing windows files that you haven't opted to share....have a good look in your windows directory for the CMD32.EXE, and USER32 folder.

Like i said , i'm not sure why i got the error message after rebooting when the files were deleted...i looked in msconfig and couldn't find any reference to it.

Marty.

Zardoz
02-17-2003, 04:02 PM
Thanks for the warning guys I'll be keeping an eye on my shared total

and marty I think it's got something to do with the windows system files in c: trying to activate the file as part of the boot up
I suggest you post a topic in questions and someone will help find the source of the error

kazzalitesucks
02-17-2003, 04:55 PM
read these 3 links interesting

1. Virus Win32/Hantaner (http://www.softwaretipsandtricks.com/forum/showthread.php?threadid=1579) when executed produces below

2. Stealth P2P network hides inside Kazaa (http://news.com.com/2100-1023-873181.html)
this looks like the file yous have

3. Altnet - a vision for the future (http://www.brilliantdigital.com/content.asp?ID=779)
company that it makes it.

pw3n
02-17-2003, 05:23 PM
hmm I had AVG pick-up and remove a file with that 'Hantaner' name a few days ago.. didn't get to run it..

TRshady
02-17-2003, 05:39 PM
I too have had the win32/hantaner virus. Notified by avg i then ran a system scan and removed it. I found it usually comes on cracks or key-gens.

Be careful when selecting folders to share, it's best to not coz b4 i have chosen to share 'my music' folder then noticed my WHOLE hard drive was loaded into my shared folder with about 6000 ( i think) in other section of my shared folders.

I don't know why people share\write viruses (well to cause destruction) FUCK THEM!!!!! :angry:

MaxAndig
02-17-2003, 05:43 PM
:( Today I got a similar worm/virus. It made a dir available called "User32" in C:\Windows and was caused by a file named "winsys.exe". This dir was opened to all Kazaa users who were downloading from me. In the dir there were files named like some well known progs with different sizes (not the well known 19 kb size). After every reboot the "User32" dir was built again by winsys.exe (a 119 kb file) and filled up with junk.

:lol: Winsys.exe made internet connections by itself!

:D :D I stopped it with a process explorer and had to clean the registry (searching for winsys.exe and finding a key "Krypton").

Conclusion: There are different viri/worms affecting Kazaa's shared folders and adding new ones!

Edit: Typos

Something to mention:
In Win.ini I found a lot of hex code numbers in the [fonts] section - as far as I remember - that I had to kill for security purpose. I don't think that were names of fonts?!

TRshady
02-17-2003, 06:05 PM
Not a reply, but 'kazaalitesucks' why choose that name?

kazzalitesucks
02-17-2003, 06:14 PM
this is spyware somebody has taken it and repacked it with the virus to fook everybody's downloads up ( Software companies) 1 virus company says its harmless

Win32.HLLP.Hantaner harmless, bs (http://www.viruslist.com/eng/viruslist.html?id=58323)

yet mcafee says this W32/HLLP.Hantaner (http://vil.nai.com/vil/content/v_99881.htm)

it comes in unknown formats 2,

also a guest posted this.

i downloaded need for speed 2.zip and avg antivirus says its a virus the whole exe file
so i also had norton in 2003 and that never picked it up, strange so much for a virus checker
also tried PC-cillin 2002 again no joy, so if you want a virus checker buy avg or d/l it of kazaa
really strong virus checker recommended

when you click on these exe files it spreads the virus and you don't know you have got it
avg didn't know what the virus was because i never executed the file but it was %100 sure it was a virus
so if you download anything that comes without an icon then delete it, also you look @ file name
it says its a zip file, but when i went to properties it says it's an exe file.

so all you users out there with need for speed2.zip get scanning over 137 users, not 1 virus
checker to pick it up.

marlin
02-18-2003, 05:31 PM
well, it seems there are a number of viruses/worms using the kazaa system to spread .... not a good sign, maybe time to protect the share (meta)data in the program.
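
An added example, not part of any post in this thread: a Python triage sketch for two signs the posters describe, a folder full of differently named executables that all have the same size (marlin's 369 KB files), and a file named `.zip` whose content is really an executable (the guest's report). The function names, the extension list, the `min_files` threshold and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".sys"}  # assumed list of honest executable extensions
BAIT = ["Unreal 2003.exe", "Winamp 4 Beta.exe", "WinDVD Platinum all languages.exe"]  # names from the thread

def is_pe(path):
    """True if the file starts with the 'MZ' executable magic, whatever its name says."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def scan(root, min_files=3):
    """Walk root (os.walk also lists hidden files) and return two findings:
    clusters: {(folder, size): [names]} where >= min_files executables share one size
    misnamed: paths of executables whose extension claims another type (e.g. .zip)"""
    groups, misnamed = defaultdict(list), []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if not is_pe(path):
                continue
            groups[(folder, os.path.getsize(path))].append(name)
            if os.path.splitext(name)[1].lower() not in EXEC_EXTS:
                misnamed.append(path)
    clusters = {k: sorted(v) for k, v in groups.items() if len(v) >= min_files}
    return clusters, sorted(misnamed)

def demo():
    """Run scan() over a constructed sample tree (placeholder bytes, not real malware)."""
    with tempfile.TemporaryDirectory() as root:
        share = os.path.join(root, "system32", "setup32")
        os.makedirs(share)
        files = {os.path.join(share, n): b"MZ" + b"\0" * (369 * 1024 - 2) for n in BAIT}
        files[os.path.join(root, "notepad.exe")] = b"MZ" + b"\0" * 100  # lone executable, no cluster
        files[os.path.join(root, "need for speed 2.zip")] = b"MZ" + b"\0" * 50  # exe posing as archive
        files[os.path.join(root, "readthisworld.txt")] = b"Steph"  # plain text, ignored
        for path, data in files.items():
            with open(path, "wb") as fh:
                fh.write(data)
        clusters, misnamed = scan(root)
        return ([(os.path.basename(f), size, names) for (f, size), names in clusters.items()],
                [os.path.basename(p) for p in misnamed])

if __name__ == "__main__":
    print(demo())
```

Pointed at the folders a P2P client lists as shared, `scan()` gives leads to inspect by hand; a same-size cluster or a mismatched extension is a reason to look closer, not proof of infection.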