~ Software that hiddendly ~ ~ corrupts, checks or modifies your data ~
Malware
Version March 2001
[The list] by db-cooper (posted by +Tsehp) ~ [addition] by ArthaXerXes
"But take care when you find your appz,
or you'll not gain your just rewardz,
your quest will all have been in vain,
and you will have to start again"
Ancient websearchers' rhime
This section is interesting for searchers, because many
are not aware of the fact that software programs (software
operating systems too, for that matter) have purposely being more and more "hidden" from
their users (as the growing appearance of "Wizards" and automated installation and
de-installation procedures attest) and are more and more using "undocumented"
functions and performing "clandestine" activities on user machines. Such
covert activities encompass inter alia:
the unashamed spying of the installed software (eventually denouncing it
(secretly) in the background during a web connection): Many recent Microsoft
products.
the gathering (secretly) of information about the user and his choices and
preferences delivering it to commercial oriented bastards for spamming ads or
unsolicited email (web-scripts,
web-search engines and some commercial software)
the modification (without asking of course) of many user-parameters of the operating
system, the deletion or modification or "updating" of user files, the fiddling with
the physical locations of the user harddisk and so on (many protection schemes and many
installation procedures).
About the list below: I have received in March 2001 this note from Leo Getz:
Following a newsgroup posting of the url
http://www.searchlores.org/boobytra.htm i discovered that the author of
the
essay has not given proper credit for the actual booby trapped
shareware
list. I originally compiled the list many many months ago now and
semi-regularly
post it to usenet & a message board as it gets updated.
I would greatly appreciate credit for the list that forms the most part
of
the essay at the url mentioned above.
The BTS list was originally on my main website but it is now on it's
own @ LGbts.cjb.net
cheers,
LG
=================================================================== Booby-Trapped
Shareware
With an [addition] by ArthaXerXes (March 2000)
===================================================================
last update: 15 Mar 2000
If
the
possible threat of being hit by a virus and it's affects ranging
from funny messages to total system meltdown isn't
enough. There is a new threat on the horizon, or maybe not so
new.
History has shown that various authors have
booby-trapped their software, sometimes to the point of
corrupting data files, corrupting system files, or deleting
files and directories from your computer. This is a worst case
scenario and the resulting effects vary greatly.
The
following information is a list of software titles with the
reported traps hidden within. This document is not intended to
promote paranoia but to alert, educate and inform users about
possible problems, and you might find some handy tips and other
bits if info along the way.
==============================================================
====== - (*)
Indicates new or updated info.
-
AcdSystems - (ACDSee, Pica View)
As of ACDSee v3.0 &
PicaView v1.32 the registration system has changed. They now
have separate demo and retail version. You can no longer enter
a serial into the trial versions, they need to be
patched. You can however enter a serial in the new retail
versions of the progs.
After all the hype, ACDSee DOES NOT
phone home. It includes a new updates checking feature which
obviously does require net access. Also the recent virus
warning about ijl10.dll is false, due to a problem with The
Cleaner. Grab the latest version to fix it. Launching an image
file from agent results in a new acdsee window each time, it is
a bug in acdsee.
- AddWeb
Uses server authentication
to confirm the users registration. The second time you use it,
you will get a lovely message about using illegal software and
that your IP address was recorded.
- Advanced
Administrative Tools
Uses server authentication to confirm
the users registration.
- Advanced Zip Password Recovery
(AZPR)
Will only accept a valid key, uses a blacklist for
pirate keys, if one is detected wastes CPU cycles without
giving a solution.
- Advanced Disk Catalog
(ADC)
Will only accept a valid key, uses a blacklist for
pirate keys, if one is detected slowly corrupts its
databases. Earlier versions had anti-SoftICE code in
them, though the author later removed this.
The author
of AZPR & ADC uses very strong encryption to protect his
code, it won't ever be properly cracked. Alot of releases of
these are not 100% however one group has released v1.30 with a
working valid serial#.
- AI Picture Utility
From a
recent Core release - blacklist for pirate serials, various
hidden checks in each version release.
- AntiViral Toolkit
Pro (AVP)
Bogus CRACKER.* trojan messages about many files,
reported to falsely detect cracks and keygens as virii and
corrupts them, this may only happen if you try to 'clean' the
infected files.
- Archiver Shell
v6.3, as reported
in a recent CORE release, causes system problems if
a blacklisted name/serial is used.
- Audio
Grabber
Phone's home with author's server, invalidates
itself when you go online. Might screw up your mouse buttons
too. This checking may only be connected to the CDDB
feature. Search your C Drive for a file 'SLICKS.CNT' and delete
it. Repeat if it invalidates itself again. Try another prog
from http://www.cddb.com to perform cddb queries. Also try
blocking the connection with a good firewall, Conseal or
@guard.
- (*) Aureate
This is HOT news right now and
it seems alot of ppl are freaking out over this. Frankly,
CHILL!!!. This ain't the first and won't be the last contraversy
of this kind. Take a deep breath and calm the hell down. Do
read the information you can find, and take it all with a grain of
salt. I'm not defending anyone, things like this just get out
of hand rather than calm rational thought.
Here are some
info links
- http://grc.com/aureate.htm
A list of software that
use Aureate -
http://www.aureate.com/devs-n-pubs/network_members.html Her
e's what Aureate has said about it
- http://www.aureate.com/privacy/falserumors.html
A list
of the Aureate runtime files -
http://manage.aureate.com/developers/sdk_doc/runtime_files.htm
l A list of the registry keys -
http://manage.aureate.com/developers/sdk_doc/registry_info.htm
l
There are now 2 utils out that will scan your drives for
the suspect files. The one by Cokebottle (AntiSpy) removes some
VALID system files - advpack.dll (Advpack), amstream.dll
(DirectShow), amcompat.tlb(Active Movie/MediaPlayer). I highly
suggest you backup the suspect files first as some ppl have had
probs after their removal.
- Bali Tools 2000
A Zor
reader reports that this phones home.
- Black
Widow
Was awhile ago now, afew got hit by 'something',
denied by authors, the particular version was pulled very
quickly, has been reported to communicate with the author's
server, also claimed to look for commonly pirated
programs.
- (*) BlackIce Defender
If you are
installing a new version over an older one and having
trouble, go into the NetworkICE folder and open the file
license.txt. Replace the serial in license.txt with a later
one.
(from FOSI) - using the update check seems to cause
program to GPF, making it unusable after this. The authors
are blacklisting alot of serials, so if you try to download
and update from their webpage and it won't let you, that's
why. Recently a 'snitch' url was discovered, this is part of an
upcoming feature of the prog and seems not to be to 'phone
home'. v1.9.6 seems to have cleared up all the problems and
confusion.
- BSI Wavestation
Later versions after
v2.71X, would do severe system damage if it detected use
of that keymaker:
1) Overwrites win.ini, system.ini,
user.dat, and system.dat. 2) Overwrites user.da0 and system.da0
(registry backup files).
This will render your system
unbootable, and within seconds of doing this you will get a
registry error message, prompting you to reboot. At that point
it is too late. Incredibly, all those system files are backed
up by the program (with different names, in the program
directory) after it does this, so if you keep cool you can
still restore your system.
The ONLY version to consider
safe is v2.71X, It has been disassembled and verified that no
trojan horse code exists in it.
- Bulletproof
FTP
Uses server authentication to confirm the users
registration, opens your browser to a 'gotcha' page if invalid,
repeatedly new serials are released for new versions, frankly
don't bother, most if not all shared serials are cancelled
by the author when they are eventually discovered. The last
version that seems very stable is v1.15.
- CD
Wizard
If you put the serial in wrong it might pop a
warnimg saying 'We have detected a virus attached to your copy
of CD Wizzard' or similar.
- (*) cdlabel
v5.0, using
an old/blacklisted serial results in popup warnings.
-
CdrWin
Possibly the ONLY crack to trust is the one by
'GranddFather'. The Radium 3.7c release is another verified
good version. At one point filled the hd with junk, another
time deleted system files, ongoing double checking of the
serial and if it fails burns coasters. There have been reports
of it inserting garbage into the write stream as well. This
means that only some files may have errors. This would make it
somewhat difficult to detect for the average user. Doing a
plain directory or filesize compare may not reveal any corrupt
files. Use a crc validator or a binary file compare util on all
images burned this.
- ClipMate
Opens your browser to
a 'gotcha' page using blacklisted name/serial v4.11 using a
blacklisted name/serial might also make it crash Solution: Just
delete the Registration Info from your
Registry. (HKEY_CURRENT_USER\Software\Thornsoft\Clipmate5\Regis
tration)
- (*) CloneCD
New serials get blacklisted
very quickly, make sure you use the correct serial with the
version you have. It might appear to accept old serials
but will burn dud cds. Have also seen reports of it threatening
to format the hd. Goto HKEY_LOCAL_MACHINE\Software\The Silicon
Realms Toolworks\ and delete the 'Armadillo' key for 10 more
writes.
AVP might report the installer is infected. This is
a false positive but treat all warnings with care. Try
unzipping the installer and scanning the files, should be
clean.
- Cool Edit 2000
Detects if you've had a
previous cracked/pirated v1.2 on your system. It might Delete
itself on this detection. Also seen mentioned that the CoolEdit
MP3 Plugin does the same thing.
- Copernic
v4.0/4.1
- Using the built-in update feature results in the ad banner
window returning. Try getting a newer version and do a clean
install of it. Make sure you use a newer serial too.
To
remove the grayed out box and remove Advertisments go to Registery
Editor. (HKEY_CURRENT_USER\Software\Copernic
Techologies\Copernic4Plus\Preferences\) and remove the 'ShowAd'
key. OR try, inside the 'ShowAd' key replace 0Xffffffff to
0X00000000
- CPUidle
A Zor reader mentioned that
AtGuard reports that this tries to establish an outgoing TCP/IP
connection. To do what he doesn't say.
-
CuteFtp
v3.xx, using cracks may make the program and your
system become very unstable. As of v3.54 there are a few good
cracks that contain a valid registry file. Apparently the
program has multiple layers of key-checking and
numerous self-integrity checks. See what the authors have to
say.
http://www.globalscape.com/support/cracks.html, http://www.glob
alscape.com/support/cracks2.html
While the program may be
reasonably protected by the registration system, CuteFTP's data
files are protected by an extremely weak 'encryption'. The term
'encryption' is used very loosely in this regard as usernames
and passwords in the 'tree.dat' (v2.x) and 'smdata.dat' (v3.x)
are easily recovered. There is one other username and password
combination that is stored as plaintext in the registry and
CuteFTP's ini file.
- CSE HTML Validator
Phones home
only when using the built-in update check. If you have used an
invalid serial and try to update, it will then always try to
phone home. Solution: Just delete the Registration Info from
your
Registry. (HKEY_CURRENT_USER\Software\Microsoft\Windows\Current
Version\CSE3310)
- DiskState
v2.02 maybe others,
seems to be a dupe file checking util. Saw a sketchy report
that it fills the registry with CLSID's. This appears to be
part of it's normal opperation.
- Download
Accelerator
Could be a bug (?) that causes it to crash
continually after trying to reg it. To remove the ads find the
'Ads' folder and delete the image files, if they come back,
delete them again.
- Extractor Marketing Software -
(Extractor Pro & Web Weasel)
Phones home every time the
prog is started.
- Feurio
v1.30, Careful with using
Feurio 1.30 with the 'ciccio' code, Although it seems
registered, it inserts a spoiler into a random track. It goes :
"beeeeeep... illegal copy ... beeeeeep".
-
FlashFXP
Uses a blacklist for pirate serials, if you use a
blacklisted serial the app contacts the author's website and
pops threatening messages, it's not recommended using the
update feature, tHE eGOISTE/Tmg has a good crack for it and eGO
has a program that reads the blacklist.
- (*) Fluid
Promotion
v1.02, using a bad serial will seem to register
it, but it'll stop working, will also pop 'gotcha' messages and
report you to the author's site.
- Firehand
Ember
Not sure of versions v5.93+ i think, pops a warning
using a 'pirated' serial, damages system. After v3.8.6(?)
there are separate demo and retail versions.
- Folder
Guard
Uses blacklist for pirate names.
- Fruity
Loops
v2.01, to enter serial - ctrl+shift+F2, reported as
having 4 stages to the protection scheme, Basic, Full, TS404, a
'God' mode being the final, this 'God' mode has been reported
as bogus. It appears that the download from the FruityLoops
site is a CRIPPLED demo. Depending on the TMG keygen you have
it may not work. TMG have also released a keygen for a FULL
(non-crippled) FruityLoops.
- Fruity Tracks
v1.50,
to enter serial - ctrl+alt+F9. The crippled problem with
FruityLoops may also apply to this one.
- FTP
Voyager
Serial is date dependant. Stops downloading files a
few bytes before completion when using blacklisted
name/serial.
- GameSpy
Only use cracks by
REBELS. Uses server authentication to confirm the users
registration, forget about using keygens or serial#s
alone.
- Genius
v2.6 on detecting a blacklisted
serial pops up a little "you're using pirated software, etc."
window and disables various functions.
-
Getright
Uses a blacklist for pirate serials. Might try to
bring up a 'gotcha' page. If it starts playing up... Goto
HKEY_CLASSES_ROOT\CLSID\{F853B2C7-386A-11D3-A860-006097897A00}
and delete 'ID' Goto
HKEY_CURRENT_USER\Software\HeadLight\GetRight\Config\ and
delete 'Window00' and 'RegistrationCode' or delete the number
itself. Then try using another serial#.
- Gordon
Production's software - (ASCII-Help, Einstein, - Home
Project, KarCheck, - PasteMaster)
Einstein maybe others,
phones home and reports the use of a crack, expect an email
from the author. Saw a report on Zor's news that the author
emailed a keygen user knowing it was used.
- HistoryKill
99
Pops a warning about sending mail to the author when
using a bad serial#, have seen one report of it doing system
damage.
- HoneyQ
v1.50, not all serials seem to
enable the use of video, if video gets disabled after
registering then this is why.
- HotDog
Uses server
authentication to confirm the users registration.
-
Htmasc32
v3.03.22 uses a blacklist for pirate serials, will
randomly popup a bogus program error on detecting a blacklisted
serial.
- HTML (Un)Compress
Uses blacklist for
pirate serials.
- Intermute
Uses server
authentication to confirm the users registration. This may have
been removed since v1.40. v1.50 has been reported as
clean.
- KeyText
Most older serial/keygens (v1.1x)
were not 100%, prog ended up still limited, more recent
serial#s might be fine.
- Kyodai Mahjongg
Be careful
using old keygens & serials, has been reported to do nasty
things.
- Lightspeed Products - (Rocket, WebConvert
Pro)
Rocket maybe others phones home and reports the use of
a crack, expect an email from the author.
-
LinkBot
v5.0, Phones home.
- Liquid FX
Takes
your browser to a 'gotcha' page on detecting a blacklisted
name/serial.
- (*) Lockdown2000
Have seen very
conflicting reports about the effectiveness of this, also seen
mention that although it claims to be, it is NOT a
firewall. Repeatedly updated by authors to overcome new
cracks, seemingly very little time spent updating
functionality. Be careful trusting your system security on
this, do some testing and you decide. Some interesting test
results to consider
- http://www.primenet.com/~lippard/pchelp/LDtest.htm http://
www.nwi.net/~pchelp/lockdown/Davis/index.html http://www.nwinte
rnet.com/~pchelp/lockdown/debunk/index.html http://www.nwintern
et.com/~pchelp/bo/htinvest.htm http://www.antionline.com/cgi-bi
n/features/ProductReview?date=10-08-1999
The history of the
authors is a very interesting read. Don't even bother testing
this let alone buying it.
- LviewPro
v2.8, you can't
enter a serial in the demo from the website, a patch is
required.
- Magic Folders
Deletes the illegal
registration file and warns that if you use it again, it will
uninstall and you won't "ever" be able to install it again. It
also states something about being able to delete the whole hard
drive instead of just one file. Last cracked version was a
looooong time ago.
- Multimedia Builder
v4.5, try
CORE's older keygen putting in an email address as the username
to generate the key, eg. [email protected].
- Nero
v4.??
accepts an invalid serial for a while, at a later time tells you
that the serial number you are using has been
pirated. Doesn't cause any system damage, but it will ask you
for a correct serial number everytime you load it up until you
give it a valid one.
- Net Detective 2000
Does
nothing more than a few good search engines can do.
-
Netinfo
Will contact it's home server upon startup or some
network event even after being registered.
-
NewsRover
Since v3.8(?) name/serial is at least triple
check, when first entered, when retrieving newsgroup headers,
and uses server authentication. If the second check fails it
will delete the data files from it's directory.
- Norton
Antivirus 2000
Has been reported that if you've used a
cracked dll on the demo, when you update the virus definitions
you will get a message that says you need to download a
patch. If you say yes and download the patch it will replace
the "fixed" dll and set the attribute to read only, making it
difficult to "tamper with" again.
- Offline
Explorer
Contains a blacklist of usernames.
- Oil
Change
Uses server authentication to confirm the users
registration, it's the Oil Change server that provides the list
of updates.
- Personal Stock Monitor
Will contact
it's home server upon startup or some network event even
after being registered. .
Was quite awhile
ago, using a keygen'd/bad/older serial resulted in your hard
drive being wiped. Be very careful with recent releases and
make sure the keygen/crack/serial# is for the version you
have.
- Quake 3
The newly released full version uses
server authentication to allow you to play online, either buy
it or find yourself a cracked SERVER to play on.
-
RankHigher
Quoted from website - 'A note to Crackers,
Hackers and thieves: we are NOT responsible for what this
program does when using a cracked version, stolen registration
code or reg code generators! You've been warned...!'.
v6 update
check triggers blacklisted serial nag. v7.0 includes a prog
called Comet Cursors which has recently been revealed to send
out info on your browsing habits.
- Restorator
v2.50
bld 757, Aparently there is only ONE 100% cracks for this, all
others will trigger the prog to delete itself.
-
SmartDraw
v4.22, to get another 30 days on the trial
version..., might only work once tho. Goto 'help' menu, click
'about', the 'about' box pops up, hold down Ctrl+Shift and
click the 'ok' button.
- Starcraft's
Battlenet
Collects data about you and sends to
server.
- Time & Chaos
v5.xx maybe later, blacklist
for pirate serials, on detecting pirate serial locks the data
files, prog may not run again.
- Timeworks DirectX
Plugins
Demos can detect if you've used a cracked version
before, threatens to erase C: drive, seems to just be a scare
tactic.
- ToDo'95
v4.14 maybe others, If the program
is used beyond the 30 day evaluation period, the author issues
a "Doomsday warning". The message warns that the user
must uninstall the program immediately or the program will
delete the host computer Windows directory. The code for a
DELTREE command on the host Windows directory has been found
within the executable.
- Total Recorder
v2.1 maybe
others, v1.0 is ok, Seems to be a long standing often missed
trick, after 64 seconds a spoiler signal is inserted into the
output file.
- Tracking the Eye
Uses server
authentication to confirm the users registration.
-
TranSoft - (MailControl & others)
Contacts it's home
server and checks your registration data against a few
lists. (http://www.transsoft.com/codes/) One list is 'legal'
usernames, other is 'illegal'. Names on the Illegal list
include - William McCurdy, Nambulu, forcekill, MONTILLO,
Montillo, Norway, SiraX/[DNG], CORE/JES,
Bracco, Nambulu/Survivors, BABYNET, SiraX/CORE, QuQ
[FACTOR], Black Thorne [PC'98], Phrozen Crew '98,
SiraX/[CORE]-1998, TransSoft, mRFANATIc [D4C], JellyTop, astaga
[D4C], C4A Team, Doug Mchugh, Karl Kachigan, Master
Computer.
- Tweaki for Power Users
Serial is date
dependant. Pops a warning message on bad serial. If you get
this try going to \HKEY_LOCAL_MACHINE\Software\Tweaki\ Find the
'RegName' key and change SPRITEX to SPRITEY. Also reported to
detect an old cracked version, pop nasty messages and stop
working. Clean the old registry entries and also search for
'jermar','tweaki', and 'twk', new version will then install
without probs.
- (*) Virtual Drive
v5.1 From Zor's
Discussion board, a user used an old patch by Swat99 and his
boot drive was totally nuked.
- WebForms
In one
version of it, the author had code to delete
x:\windows\system\*.dll, and in another he deleted
x:\command.com, then displayed a goofy message. There is a
modified keymaker that gets posted now and again. It still
works, last time it was checked. Has been advised against using
it on a version above 2.5d, however.
- Wetsock
4
Will contact it's home server upon startup or some
network event even after being registered. .
- Where Is
It?
Locks catalogs if blacklisted name/serial is used, due
to continual updating (to overcome the cracks) it's hard to
find a correct version and matching keygen. Core's v2.11
(2.1.1.1003) release of the app & keygen is known to be
good.
When this happens in v2.12 it locks the catalog and
overwrites the catalog name with 'warez user'. I have some info
on fixing this. It get's worse as of v2.14, it doesn't lock the
catalog but overwrites all titles, folders, and file names in
the catalog with 'warez user'. If you get stuck in the 'warez
user' trap do NOT save the catalog, if it happens during
updating the original catalog will be ok. Have used v2.14 for
awhile and eventually got trapped., seemed to be after running
it while online but could not catch it in the act.
Authors should know that the intended destruction of data is a
criminal offense in many countries, whatever the reason
is.
It is like killing a burglar stealing you, the fact
that one breaks the law does not allow you to do the
same.
There is also the fact that you can never be sure
that your malicious code will never harm a legitimate user of your
program.
There are several software missing, the first one
that comes to my mind is :
WinDAC (at least 1.49)
:
http://www.windac.de I believe. This is a program to dump
the audio tracks of CDs. A nice program, but it does not work well
on my computer (and I have limited use for it anyway).
I
fully reversed this program, so I can explain preciously what it
does. The program, if uncorrectly cracked or if the serial is only
partially correct will behave strangly.
For example time
duration will be altered as well as tracks, as a result you may
dump the wrong track or miss some parts of it.
If you are
interested, there is quite an interesting registration check
scheme, a hash is computed from the name, then from the serial,
operations are performed on both of them and if the operations are
successfull, the name/serial pair is accepted.
Afterward,
when the program restarts, another check is performed on the
serial hash (it checks if it can divide it by 10h if my memory is
good), if it works you will have the full working software,
otherwise you will have a bugged one.
I can provide a valid
name/serial pair to whom it may interest. I think it will work
with the most recent versions. I also tried to make a serial
generator, but it is really bugged.
However, this is not as
bad as the other software trashing your data.
HOW TO CHECK
IF YOU MISCRACKED A PROGRAM :
- Try with the unregistered
version the problems you encounter with the registered one. -
TEST YOUR WORK ! (I can't believe I found a serial generator for
WinHex 9.25 that does not work AT ALL, get my crack here, just to
compare !) - TEST YOUR WORK ! (again :-) - TEST YOUR WORK
!
Really, it is funny to see people who take themselves for
super-l33t-crackers because they made a serial generator, and to
see that it does not actually work (who said CDRWin ?
:-).
Another malicious program is Awave which will quit
after a while or display an unusable dialog box is
miscracked. The last version is boring to reverse, it is fun to
unaspack by hand (I made a routine to rebuild the IAT if you are
interested), but removing the checks is boring. You can get my
old tutorial "The Elegant Patching", since this part did not
really change, you just have to unaspack before doing
this.
Again, it is not REALLY malicious, as it will not
destroy anything (as far as I know) it will just not work
right.
Hope this was interesting.
--
ArthaXerXes "I shall not use my Knowledge in
vain"
xerxes_nospam(at)altern(point)org ~ ArthaXerXes
Back to Antiadvertisement
(c) III Millennium: [fravia+], all rights
reserved