Warning!



Zardoz
02-15-2003, 01:46 PM
Liberty Stands Still, Filesize 716,798 KB, has malicious code that edits the kernel32.dll file in C:\windows\system so that Kazaa will no longer work. The damage is done when Kazaa reopens the dat file and before it is completely downloaded it also reinfects the Kernel32.dll each time Kazaa accesses the Liberty Stands Still .dat file until it is removed. This is permanent until you delete the .dat and install a new kernel32.dll file. Reinstalling Kazaa alone will not help.
Read This topic (http://www.klboard.ath.cx/bb/index.php?act=ST&f=23&t=16207) for more info


DO NOT DOWNLOAD Liberty Stands Still, Filesize 716,798 KB ever.

imported_uncle_cracker
02-15-2003, 02:53 PM
thx a lot for this information B)

it looks like an industrial fake to crash p2p.

thx again

cu ...:::~~~ ~~~:::...

Shinigami_[R.I.P.]
02-15-2003, 03:56 PM
Thanks for the heads-up. Wish we still had the Fakes Section though...

Zardoz
02-15-2003, 04:36 PM
Originally posted by uncle_cracker@15 February 2003 - 14:53
thx a lot for this information  B)

it looks like an industrial fake to crash p2p.

thx again

cu ...:::~~~  ~~~:::...



My thoughts exactly

It's a bit too specific for a general virus and the movie was perfect in avi preview
also no other software problems have emerged so far

It's a tricky one for the newbies to suss out and fix.
This is the main reason I keep plugging Norton Ghost or Drive Image etc.

If you haven't got them installed you have to copy over the kernel32.dll in DOS,
as Windows uses it and it cannot be overwritten while it's running.

Zardoz
02-15-2003, 04:39 PM
Originally posted by Shinigami@15 February 2003 - 15:56
Thanks for the heads-up. Wish we still had the Fakes Section though...


Even if we did have fakes, because it kills Kazaa stone dead I would have posted it here and in verifieds just to make sure it was spotted.

Nightwolf
02-16-2003, 07:31 AM
Is this really possible? How can a .dat file change a .dll? I thought only executables could do that. I know nothing about programming, so maybe someone who does can confirm or deny this. Meanwhile I'm very nervous about using KaZaA now.

Yusuke
02-16-2003, 08:03 AM
With 2k and XP's Windows File Protection, if kernel32.dll got deleted it will put it back automagically....

random nut
02-16-2003, 08:54 AM
Originally posted by Yusuke@16 February 2003 - 09:03
With 2k and XP's Windows File Protection, if kernel32.dll got deleted it will put it back automagically....
Unless you also modify their backup copy...

disenchanted
02-16-2003, 09:33 AM
This is bad...
RIAA anyone?

MaxAndig
02-16-2003, 10:49 AM
:o Thanks for the warning!!!!

roddersyourmama
02-16-2003, 03:59 PM
I searched Liberty Stands Still and there's no such thing

Zardoz
02-16-2003, 07:55 PM
Originally posted by roddersyourmama@16 February 2003 - 15:59
I searched Liberty Stands Still and there's no such thing



There is such a thing; it's a thriller with Wesley Snipes and Linda Fiorentino
and I get 4 sources when I search.
Maybe the code was activated when I previewed it. I don't know, I'm no programmer.

Any thoughts, RN?

Zardoz
02-16-2003, 07:56 PM
Originally posted by roddersyourmama@16 February 2003 - 15:59
I searched Liberty Stands Still and there's no such thing



There is such a thing; it's a thriller with Wesley Snipes and Linda Fiorentino.
Look here if you need proof. (http://us.imdb.com/Title?0280870)
And I get 4 sources with that filesize when I search.
Maybe the code was activated when I previewed it. I don't know, I'm no programmer.

Any thoughts, RN?

Edit: I have Windows 98.
Here are the details for the illegal operation report.

KAZAALITE caused an invalid page fault in
module KERNEL32.DLL at 01b7:bff7a138.
Registers:
EAX=0d1f599c CS=01b7 EIP=bff7a138 EFLGS=00010212
EBX=01afaf18 SS=01bf ESP=0416f450 EBP=0416f484
ECX=00000000 DS=01bf ESI=01afa8a4 FS=408f
EDX=a349eb0e ES=01bf EDI=0d1f6010 GS=0000
Bytes at CS:EIP:
89 51 08 8b 53 08 8b 43 04 89 42 04 8d 93 0b 10
Stack dump:
0416f484 01afa8a4 01ab0000 01bc2da0 bff7b31d 01ab0000 01afa8a4 00000674 00000200 00000000 01afa8a8 01bc2da0 01afa8a4 0416f4cc 0051bfb3 01ab0000


Hope someone can shed light on it.
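
Reading the fault report posted above, as an added example that is not part of the original thread: this Python sketch parses the Windows 98 fault details and decodes the first instruction at CS:EIP to show which address the faulting store targeted. The function names and the deliberately narrow decoder (only `89 /r` with a plain register base) are assumptions of this example.

```python
import re

# Fault details copied from the post above (stack dump omitted).
REPORT = """\
KAZAALITE caused an invalid page fault in
module KERNEL32.DLL at 01b7:bff7a138.
Registers:
EAX=0d1f599c CS=01b7 EIP=bff7a138 EFLGS=00010212
EBX=01afaf18 SS=01bf ESP=0416f450 EBP=0416f484
ECX=00000000 DS=01bf ESI=01afa8a4 FS=408f
EDX=a349eb0e ES=01bf EDI=0d1f6010 GS=0000
Bytes at CS:EIP:
89 51 08 8b 53 08 8b 43 04 89 42 04 8d 93 0b 10
"""

REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]  # x86 ModRM order

def parse_report(text):
    """Extract process, fault type, module, registers and code bytes."""
    head = re.search(r"(\S+) caused an? (.+?) in\s+module (\S+) at "
                     r"([0-9a-f]{4}):([0-9a-f]{8})", text, re.I)
    code = re.search(r"Bytes at CS:EIP:\s*((?:[0-9a-f]{2}[ \t]*)+)", text, re.I)
    if not head or not code:
        raise ValueError("not a recognisable fault report")
    regs = {k: int(v, 16) for k, v in re.findall(r"\b([A-Z]{2,5})=([0-9a-f]+)", text)}
    return {"process": head[1], "fault": head[2], "module": head[3],
            "regs": regs, "code": bytes.fromhex(code[1])}

def decode_store(code, regs):
    """Decode `89 /r` (MOV r/m32, r32) with a plain register base, no SIB."""
    if len(code) < 2 or code[0] != 0x89:
        return None
    mod, reg, rm = code[1] >> 6, (code[1] >> 3) & 7, code[1] & 7
    if mod == 3 or rm == 4 or (mod == 0 and rm == 5):
        return None  # register, SIB and disp32-only forms are out of scope here
    size = (0, 1, 4)[mod]
    disp = int.from_bytes(code[2:2 + size], "little", signed=True)
    return {"text": f"mov [{REG32[rm].lower()}{disp:+#x}], {REG32[reg].lower()}",
            "address": (regs[REG32[rm]] + disp) & 0xFFFFFFFF}

def triage(text):
    """Return the parsed report, the decoded store and a null-base flag."""
    rep = parse_report(text)
    ins = decode_store(rep["code"], rep["regs"])
    null_base = ins is not None and ins["address"] < 0x1000  # target in first 4 KB
    return rep, ins, null_base

if __name__ == "__main__":
    print(triage(REPORT)[1:])
```

For the report above this yields a store to address 0x8 through ECX=0, that is, a write through a null base pointer at the reported EIP.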