
Thread: Nasty Little Program...

  1. #11
    I have SpyBot and Syquest both, and that's the reason I didn't worry after I removed it with Control Panel. I wouldn't have known that it had this DLL still hanging around, except that I was searching for another program with Cleansweep, and, in the process, I saw Piratos again (just the DLL, although I didn't realize it at the time). When I tried to delete that, it started to try to erase MSF. Otherwise, it hadn't attempted to dial out or other mischief. My RJ11 phone cable stays unplugged all the time, anyway, unless cable goes out.

  2. File Sharing   -   #12
    So you're saying you scanned with S&D. And it didn't pick it up?

  3. File Sharing   -   #13
    I would figure it would not, as only the dll linking his MSF was left, not the dialer.
    What a bunch of freaks, attempting to profit from illegal forced phone calls while at the same time trying to sabotage a part of p2p programs. Is this not contradictory in a sense? Well, I never use the default MSF anyway. Again, there is no honor amongst thieves.

  4. File Sharing   -   #14
    You've got a point there, Reality. MSF is on physical "E" drive in my machine, but the thing was probably only smart enough to look for MSF. OTOH, I never suspected that I would have to hide MSF under another name. The only reason Cleansweep picked it up was that the DLL was still named "Piratos" - causing me to try to delete it manually. There was no legitimate reason I can think of for it to be tied to MSF.

  5. File Sharing   -   #15
    These things *really* piss me off.

    Be very vigilant on Kazaa as it is infested with this stuff. To the point where I now use another p2p program for large-scale downloading and KL for the odd quick file.

    Always use
    1) A good firewall (e.g. Nortons)
    2) Adaware scan regularly.

  6. File Sharing   -   #16
    I know I'm repeating myself, but I use SpyBot, AdAware, Sygate Pro and NAV (also PeerGuardian). None of them helped. This program didn't come through Kazaa. They (Piratos) have it on their web page, which is where I got it. My assumption was that, since I do have as much protection in place, I would know if it tried to "phone home." Of course, it did - literally. The sneaky thing though is to leave behind a hidden DLL, after running XP's Add/Remove. If I had tried Cleansweep the first time around, I would have discovered it trying to delete MSF more quickly. This attack was virus-like, and I don't think it's accidental at all. Unfortunately, since I DLed it and it was doing exactly what I wanted - delete files, just more than I intended - it just flew under the radar of all the protection I was wearing.

  7. File Sharing   -   #17
    Originally posted by sjohnston@23 April 2003 - 23:29
    Thanks for the warning about this download.  I read somewhere that the dialer phones a premium rate telephone number costing 1.50GBP a minute.  Surely this practise is illegal, so can these people not be prosecuted?
    I got a forwarded e-mail about two weeks ago warning about programs that link the unsuspecting user to a phone number using an 809 area code (Dominican Republic); it's a 'pay per call' number that could cost you $1200 US!

    These scams are largely unregulated and that's why they are allowed to exist.
    These charges have been successfully fought.. but it's a real hassle. According to a phone company spokesperson this is legal because "pay per call" numbers can charge what they want.. if you dial it, you're responsible for the charges on your phone bill.

    In the case of TIDE-HSV, I have no doubt whatsoever that this was an intentionally and maliciously coded program that was designed to sneak in "just under the wire" so that most AV's and other types of scans wouldn't detect it.. that really sux.

  8. File Sharing   -   #18
    I guess the question still "hangs in the air" as to why they would do it. Just pissed because I deleted their program? There are probably a number of p2p people reading this thread whom they have lost forever as prospects. I just don't understand it. But I ran (and cancelled midway) the Cleansweep program, just to make sure I was seeing it correctly.

  9. File Sharing   -   #19
    Originally posted by TIDE-HSV@24 April 2003 - 11:28
    I guess the question still "hangs in the air" as to why they would do it.  Just pissed because I deleted their program?  There are probably a number of p2p people reading this thread whom they have lost forever as prospects.  I just don't understand it.  But I ran (and cancelled midway) the Cleansweep program, just to make sure I was seeing it correctly.
    Why would anyone want to plant viri? Do they get some kind of sick thrill out of doing this? This seems to be intentionally aimed at P2P programs.. whoever wrote that code in the program very obviously knew what they were doing.. this just doesn't get there, it was put there deliberately by someone that has "a lot of computer savvy".. not "Joe Blow". And as you pointed out, there would be no seemingly valid reason for this program to attach itself to the MSF and not only delete its contents.. but the folder itself.

    Thank God you caught it .. 50Gb.. my god, that would have been a real tragedy. I would really hate to even hazard a guess as to how many people that have used that program had their entire shares wiped out and probably don't even have a clue what caused it.

    Indeed, this was a very carefully thought out scheme.. not accidental.

    Glad you caught that mate, and thanx for bringing it to everyone's attention

  10. File Sharing   -   #20
    One thing to remember, and I'm going to repeat it: nothing bad happened when I just removed the program itself. The shit hit the fan only when I tried to remove the DLL left behind after uninstalling. I still have that DLL in the recycle bin of Cleansweep. I'm going to go back and look at it. Maybe some of our programmers can tell if it had any other "payload."
