Franfreluche @sympatico.ca
| New DC++ Version: Watch out
Hi all
I just wanted to warn the people that downloaded (or have the intention to download) the newest version of Direct Connect++ 0.068 to be careful when they install it.
I always have Ad-Watch ON, and as soon as I clicked on the DC++ installer, I got a warning telling me that the file cserv32.exe tried to modify one of my registry settings so that it would run on startup. I blocked it with Ad-Watch and it worked, but it still created the file cserv32.exe in C:\WINDOWS\cserv32.exe.
I googled cserv32.exe and it came up with no results other than this link:
»www.spywarefri.dk/forum/topic.asp?TOPI..
I don't understand the language but I can definitely see that the guy is telling the other to fix cserv32.exe, which probably means that it is spyware/malware.
Can someone try to confirm this? I downloaded DC++ 0.068 from download.com (maybe it has something to do with it).
I always used DC++ and it never had any crap in it until this version, so if they started to bundle their prog with spyware, then people need to know. |
|
vukodlak75 Nisam Ti Dude Premium,MVM join:2001-10-27 Beachwood, OH | Do you mean DC++ 0.668? »dcplusplus.sourceforge.net/
I am running that and do not have any file by the name of cserv32.exe. -- Bad taste should be illegal |
|
 Tablet Premium join:2003-01-15 Czech
| reply to Franfreluche You are right, I've just downloaded the latest version of DC++ at download.com and KAV found Trojan.Win32.Krepper.ag in the installer executable archive. This is the first time that I've heard about an infected file hosted at download.com. Hope they get it fixed soon..
Those who want to check it out can download the file here: ht_p://www.download.com/DC-/3000-2196_4-10354164.html?tag=lst-0-1 |
|
  Franfreluche
@sympatico.ca
| reply to Franfreluche Haha, you found it too.
I knew that I was not crazy.
It looks like download.com may be at fault.
Over 1,000,000 people already downloaded that file...
Habitually, I NEVER download from that site, but the sourceforge download servers seemed to be down for me, so I went to download.com |
|
  hpguru Curb Your Dogma Premium join:2002-04-12
| reply to Tablet said by Tablet: You are right, I've just downloaded the latest version of DC++ at download.com and KAV found Trojan.Win32.Krepper.ag in the installer executable archive. I scanned it and found Trojan.Win32.Krepper.ag and TrojanDownloader.Win32.IstBar.er. -- Boundlessly expands the sky and nothing stops the white clouds from freely flying about. |
|
 Tablet Premium join:2003-01-15 Czech | reply to Franfreluche Judging from the review comments it seems that the version hosted at download.com has contained a trojan/adware since at least 16th of January. Scary if you think about the hundreds and hundreds of people who'd gotten infected because of this .. |
|
  Vvian Kalyss
join:2003-10-14 Stage 5.0
| reply to Franfreluche I was under the impression download.com was a fairly safe place to get stuff. Trouble in paradise? I haven't gotten anything from them in a while though, last I think it was a demo of some sort.
On a side note, the sourceforge page seems to be okay. -- Mikami Vvian, resident Girlfriend of Steel, care of the Tokyo-3 Middle Daughters Club |
|
  Franfreluche
@sympatico.ca
| Yeah, I was thinking that download.com was safe too. I very rarely used it, but when I did (for MSN Messenger and a few trials) I had no problems...
That was until today.
Now download.com is on my blacklist.
I also realized that I will have a very hard time trusting NOD32 in the future. Fully updated, advanced heuristics ON and set to deep, and it detected nothing in the dc++.exe and nothing in the cserv32.exe file itself.
Tablet and Hpguru both detected something with their antivirus programs, so that somehow proves that NOD32 is weak, even when tweaked for maximum detection.
I really must thank Ad-Watch on this one, because without it I probably wouldn't have noticed this shit being installed on my PC.
Looks like it's time to dump it and get Kaspersky. |
|
  Wildcatboy Premium,Mod join:2000-10-30 Toronto, ON
| reply to Franfreluche There's a mention of KAV in this thread but has anyone else scanned the file with any other AV?
Is this the file you're talking about?
»www.download.com/DC-/3000-2196_4···=lst-0-5
McAfee doesn't seem to detect anything. -- You can catch the Devil, but you can't hold him long. |
|
  TerryMiller Premium join:2003-10-23
| reply to Franfreluche I only have KAV so I downloaded and submitted to jotti. I trust McAfee so I wonder if this is really a false positive.
File: DCPlusPlus-0.668.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: PE_PATCH, TELOCK
AntiVir: No viruses found (0.19 seconds taken)
Avast: No viruses found (1.51 seconds taken)
BitDefender: Trojan.Downloader.IstBar.ER (2.62 seconds taken)
ClamAV: No viruses found (0.78 seconds taken)
Dr.Web: No viruses found (0.54 seconds taken)
F-Prot Antivirus: No viruses found (0.07 seconds taken)
Kaspersky Anti-Virus: Trojan.Win32.Krepper.ag, Trojan-Dropper.Win32.Agent.el (1.89 seconds taken)
mks_vir: No viruses found (0.24 seconds taken)
NOD32: No viruses found (0.40 seconds taken)
Norman Virus Control: No viruses found (0.13 seconds taken)
-- Michelle Graduates |
|
  Wildcatboy Premium,Mod join:2000-10-30 Toronto, ON | Thanks Terry. I have a feeling it's a false positive too. |
|
  Franfreluche
@sympatico.ca
| reply to TerryMiller I seriously doubt that a false positive would try to mess with my registry settings and drop the cserv32.exe file in the C:\Windows folder.
Also, the guy that wrote the first review on download.com said that it had installed Bargain, IST Search and a browser hijacker. I definitely think that it's true.
It's too bad that I deleted the cserv32.exe in haste, though. I could have submitted it to NOD32 and the other AV companies, because it looks like only 2 of them can detect it (according to your tests). |
|
amysheehan Lakers Win Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
| reply to Wildcatboy The copy of Ad-aware that I downloaded from download.com last night was wreaking havoc on my computer, and I tested it again just now at Jotti after reading this thread:
File: Ad-Aware.exe Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) Packers detected: ASPACK
NOTE: I had problems trying to download same file from Major Geeks and the download.com site download left a strange dll in my temp folder that Norton picked up when I rebooted my computer. |
|
 Tablet Premium join:2003-01-15 Czech
| reply to Franfreluche This threat is unfortunately real. I've installed the DC++ version available from the link in my first post and two files appeared in my C:\WINDOWS\ directory.
ouapcker.exe - KAV detects it as Trojan.Win32.Krepper.ag
cserv32.exe - not detected by KAV |
|
 Tablet Premium join:2003-01-15 Czech
| reply to Wildcatboy Yes, that's the file..
btw.. I submitted the file cserv32.exe to Kaspersky for analysis, we'll see what they're going to come up with. But definitely the file hosted at download.com is different from the files hosted at official DC++ sourceforge mirrors.. |
|
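Tablet's point that the download.com copy differs from the SourceForge mirrors is exactly what a published checksum list catches before the installer is ever run. The script below is an added example (not code from the thread or from the DC++ project): it parses a `sha256sum`-style list, hashes the downloaded file in chunks, and reports OK, MISMATCH or UNLISTED. The hash list and both "installer" byte strings are constructed for the demo; in practice the list is fetched from the project's own site, not from the mirror that served the binary.

```python
"""Checksum check for a downloaded installer against the project's published
hash list.  Added example, not code from the thread or from the DC++ project.
The hash list and the two 'installer' byte strings below are constructed for
the demo; in practice the list comes from the project's own site (e.g. the
SourceForge project page), not from the mirror that served the binary.
"""
import hashlib
import hmac
from typing import Dict

CHUNK = 64 * 1024


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse 'HASH  filename' lines (the sha256sum -c format) into {filename: hash}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.lstrip("*")          # sha256sum marks binary mode with a leading '*'
        digest = digest.lower()
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            sums[name] = digest
    return sums


def sha256_hex(data: bytes) -> str:
    """Hash in chunks, the way you would stream a multi-megabyte installer from disk."""
    h = hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


def verify_download(name: str, data: bytes, sums: Dict[str, str]) -> str:
    """Return 'OK', 'MISMATCH' or 'UNLISTED' for a file against the published list."""
    expected = sums.get(name)
    if expected is None:
        return "UNLISTED"                # no published hash: unverified, which is not the same as clean
    actual = sha256_hex(data)
    # compare_digest avoids leaking which prefix matched; a cheap habit to keep.
    return "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"


# --- constructed demo data ----------------------------------------------------
# Stand-in for the official installer bytes (constructed, not the real file).
OFFICIAL_INSTALLER = b"MZ" + b"\x90" * 1024 + b"DCPlusPlus-0.668 official build"
# Stand-in for a repackaged copy: the same program with an extra dropper appended.
REPACKAGED_INSTALLER = OFFICIAL_INSTALLER + b"\x00ouapcker.exe stub appended by a repackager"
# What a vendor-published SHA256SUMS file would look like for this release (constructed).
PUBLISHED_SHA256SUMS = (
    "# DC++ 0.668 release checksums (constructed for this example)\n"
    f"{sha256_hex(OFFICIAL_INSTALLER)}  DCPlusPlus-0.668.exe\n"
    f"{sha256_hex(b'constructed source tarball')}  dcplusplus-0.668-src.tar.bz2\n"
)

if __name__ == "__main__":
    sums = parse_sha256sums(PUBLISHED_SHA256SUMS)
    for label, blob in (("official mirror copy", OFFICIAL_INSTALLER),
                        ("download.com copy", REPACKAGED_INSTALLER)):
        print(f"{label:22s} {verify_download('DCPlusPlus-0.668.exe', blob, sums)}")
```

UNLISTED is deliberately a third state rather than a pass: a mirror that ships a file the project never published a hash for deserves the same suspicion as a mismatch.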
  Drize a bone
@zqwdrqsz.com | reply to Franfreluche Anyone tested this with an anti-trojan, i.e. TDS3, BOClean, TrojanHunter, Ewido etc.? |
|
  John2g Qui Tacet Consentit Premium join:2001-08-10 England
| reply to TerryMiller said by TerryMiller: I only have KAV so I downloaded and submitted to jotti. I trust McAfee so I wonder if this is really a false positive. File: DCPlusPlus-0.668.exe Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) Packers detected: PE_PATCH, TELOCK This may be the reason. BOClean detected a trojan in Autostream because of TELOCK. This is the explanation.
QUOTE
"Greetings ... interesting indeed. Well ... it's a false positive, but then again it is *NOT* a false positive. BOClean triggered on a behavioral basis for that one since it was somehow STUPIDLY compacted with the same whacky version of the trojan compactor known as TELock ... that's what BOClean triggered on, last known sighting of this particular version of TELock was back in late 2003 with the SOBIG worms."
"Autostreamer" itself is clean, but the programmers stupidly used TELock which is ONLY used with trojans to obscure them from file scanners. I'm going to have to guess that this was the author's idea of securing himself from "reverse engineering" - I can't imagine any legitimate reason to have used that otherwise, and it IS a known trojan packer.
Since the SOBIG.F virus is EXTINCT, we'll remove that definition from the BOClean database as the SOBIG.F "worm" cannot function any longer and thus the definition is no longer required. However, the author(s) of this utility DID use a trojan packer and that's what BOClean alerted on as the particular output was HIGHLY unique."
ENDQUOTE -- Better to remain silent and be thought a fool, than to speak and remove all doubt. |
|
teh Gekke Kraai Premium join:2003-03-21 Malaysia | reply to Franfreluche This isn't the 1st time this has happened with download.com. Here is a thread at another forum: »[OT] Repakaged downloads ? -- 乌鸦团体 |
|
 javacool Premium,VIP join:2002-07-05 USA
| reply to Franfreluche Hey everyone,
Just from a quick test, it seems as though those two files (cserv32.exe and ouapcker.exe) are created as soon as the installer is executed (so even if the user presses "Cancel" at that point, it'll still be present). That alone is suspicious behavior.
The ouapcker.exe file is flagged by both BitDefender and Kaspersky (according to the Jotti online scan) as follows...
BitDefender: Trojan.Downloader.IstBar.ER Kaspersky Anti-Virus: Trojan.Win32.Krepper.ag, Trojan-Dropper.Win32.Agent.el
So it looks like any scans of the setup file are actually triggering on that ouapcker.exe file.
And another note: This download (linked on Download.com) seems to be coming from a site called dcplusplus.info
(Again, this is just from a preliminary test.)
UPDATE [1] When trying to execute the ouapcker.exe file...
1.) It unpacks three files: gripo32.exe, msodwo.exe, ouiast.exe (all to C:\WINDOWS)
2.) gripo32.exe is executed and...
3.) An "error message" is displayed that says "An error has occurred while executing this program. Free up harddrive space and try again." (I put error message in quotes because it appears as though that messagebox is hard-coded into the program - i.e. it looks like it'll display no matter what.)
4.) Meanwhile, msodwo.exe is executed. [AVG detects a C:\Windows\sxeB.tmp file as Trojan horse Downloader.Istbar.5.K, and then also detects a sxeD.tmp file as Istbar - these could potentially be random file names.]
5.) Assuming an anti-malware program does not detect/block those files, a file named C:\WINDOWS\sxe[something].tmp is then executed by gripo32.exe.
6.) The sxe[something].tmp file tries to access the Internet.
7.) Assuming it is allowed, it apparently downloads data from the Internet and tries to execute a file located in the local user's Temp folder (in one case, the file was named "f5r4bnh.exe").
8.) The "f5r4bnh.exe" file then tries to access the Internet.
9.) Assuming it is allowed, it downloads data and then tries to execute a "C:\Program Files\istsvc\istsvc.exe" file.
10.) This istsvc.exe file then tries to connect to the Internet and download data.
11.) The "f5r4bnh.exe" file tries to execute a "C:\WINDOWS\hxjrhlqp.exe" file.
12.) The "f5r4bnh.exe" file tries to execute a "sidefind.exe" file located in the local user Temp directory. (This file tries to access the Internet.)
13.) The "f5r4bnh.exe" file tries to execute an "optimize.exe" file located in the local user Temp directory.
14.) The "optimize.exe" file located in the Temp directory then tries to execute the following file: "C:\Program Files\Internet Optimizer\optimize.exe". (This file tries to access the Internet.)
15.) And it keeps on going!
Stuff was also seen from 180Solutions, BargainBuddy, eXact Advertising, ShopAtHomeSelect, etc. One program tried to install drivers/services, several BHOs were installed, lots of Run entries were added, a Toolbar was installed, browser pages were hijacked to "couldnotfind.com"... and more.
Talk about large quantities of unwanted crap!
Update [2] So yes, all of the above was done by that ouapcker.exe file which is apparently created by the DC++ installation package that is currently on Download.com. (And again, the file is created in C:\WINDOWS as soon as the installer is run.)
Best regards,
-Javacool |
|
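The step-by-step chain javacool lists (installer writes ouapcker.exe to C:\WINDOWS, which spawns gripo32.exe, which runs an sxe*.tmp that fetches f5r4bnh.exe into Temp, and so on) is the kind of thing a process-creation sensor records and a detection rule can reconstruct. The script below is an added example, not code from the thread or any product: it indexes constructed process-create and network-connect events into a tree and reports every network-connecting process whose ancestry starts at an installer run from a Downloads folder and passes through a binary dropped directly in C:\WINDOWS or a Temp folder. The file names are the ones from the post; the event schema (`event`, `pid`, `ppid`, `image`), the PIDs and the Temp path are assumptions made for the demo.

```python
"""Reconstruct a dropper chain like the one javacool walks through from
process-creation and network events.  Added example, not code from the
thread; the event records below are constructed to mirror the post, and
their schema (event, pid, ppid, image) is an assumption, not any real
sensor's format.
"""
import ntpath
from typing import Dict, List, Set, Tuple

Events = List[Dict]

# Constructed sensor events, in emission order.  File names are the ones
# named in the thread; the Temp path and the PIDs are made up.
EVENTS: Events = [
    {"event": "create", "pid": 100, "ppid": 1,   "image": r"C:\Downloads\DCPlusPlus-0.668.exe"},
    {"event": "create", "pid": 101, "ppid": 100, "image": r"C:\WINDOWS\ouapcker.exe"},
    {"event": "create", "pid": 102, "ppid": 101, "image": r"C:\WINDOWS\gripo32.exe"},
    {"event": "create", "pid": 103, "ppid": 101, "image": r"C:\WINDOWS\msodwo.exe"},
    {"event": "create", "pid": 104, "ppid": 102, "image": r"C:\WINDOWS\sxeB.tmp"},
    {"event": "connect", "pid": 104},
    {"event": "create", "pid": 105, "ppid": 104,
     "image": r"C:\Documents and Settings\user\Local Settings\Temp\f5r4bnh.exe"},
    {"event": "connect", "pid": 105},
    {"event": "create", "pid": 106, "ppid": 105, "image": r"C:\Program Files\istsvc\istsvc.exe"},
    {"event": "connect", "pid": 106},
    # Unrelated, legitimate activity that must not be reported.
    {"event": "create", "pid": 200, "ppid": 1,   "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"event": "connect", "pid": 200},
]


def is_drop_location(image: str) -> bool:
    """True for executables sitting directly in the Windows directory or in a Temp folder."""
    directory = ntpath.dirname(image).lower()
    return directory == r"c:\windows" or "\\temp" in directory


def build_tree(events: Events) -> Tuple[Dict[int, int], Dict[int, str], Set[int]]:
    """Index events into a parent map, an image map, and the set of PIDs that touched the network."""
    parent: Dict[int, int] = {}
    image: Dict[int, str] = {}
    connected: Set[int] = set()
    for e in events:
        if e["event"] == "create":
            parent[e["pid"]] = e["ppid"]
            image[e["pid"]] = e["image"]
        elif e["event"] == "connect":
            connected.add(e["pid"])
    return parent, image, connected


def lineage(pid: int, parent: Dict[int, int], image: Dict[int, str]) -> List[int]:
    """PIDs from the oldest known ancestor down to pid."""
    chain = []
    while pid in image:
        chain.append(pid)
        pid = parent[pid]
    return chain[::-1]


def suspicious_chains(events: Events) -> Dict[int, List[str]]:
    """Report every network-connecting process whose ancestry starts at an
    installer run from a Downloads folder and passes through a dropped
    binary in C:\\WINDOWS or Temp.  Returns {pid: [image basenames root..leaf]}."""
    parent, image, connected = build_tree(events)
    hits: Dict[int, List[str]] = {}
    for pid in sorted(connected):
        if pid not in image:
            continue
        chain = lineage(pid, parent, image)
        root = image[chain[0]].lower()
        if "\\downloads\\" not in root:
            continue
        if not any(is_drop_location(image[p]) for p in chain[1:]):
            continue
        hits[pid] = [ntpath.basename(image[p]) for p in chain]
    return hits


if __name__ == "__main__":
    for pid, chain in suspicious_chains(EVENTS).items():
        print(f"pid {pid}: " + " -> ".join(chain))
```

The rule keys on ancestry rather than on file names, so the random names the post mentions (sxeB.tmp, sxeD.tmp, f5r4bnh.exe) do not matter; what matters is that a freshly downloaded installer ends up with network activity coming out of something it wrote into C:\WINDOWS or Temp.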
 psloss Premium,MVM join:2002-02-24 Alpharetta, GA
| reply to Tablet said by Tablet: btw.. I submitted the file cserv32.exe to Kaspersky for analysis, we'll see what they're going to come up with. But definitely the file hosted at download.com is different from the files hosted at official DC++ sourceforge mirrors.. For what it's worth, the EXE doesn't seem to be packed and indicates it was linked with VC++ 7.1 (timestamp says 15 Dec 2004); it also has this project/PDB string in it:
c:\Documents and Settings\Fredrik\Skrivbord\trapp2\trapp\Release\trapp.pdb There is also a reference to the ouapcker.exe file and what looks like the contents of a batch file for self-deleting...
Just taking a break from sleeping, so I didn't let the installer go with an open outbound connection. When run that way, it doesn't seem to do anything explicit with the network, but I wasn't monitoring the I/O closely.
Philip Sloss
-- Feedback? e-mail: stuff@lupwa.org |
|
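The facts psloss pulls from cserv32.exe (linker version, link timestamp, the PDB path under a developer's desktop folder) all live in fixed places in the PE headers, and the packer hits Jotti reported on the other files (TELOCK, ASPACK) show up as high-entropy sections when a file is packed. The script below is an added example, not code from the thread or any AV vendor, and uses only the standard library: it parses the COFF and optional headers, the section table and the CodeView (RSDS) debug entry, and flags sections whose entropy is near 8 bits/byte. The sample PE is constructed in memory; the PDB path is the string from the post placed into that test image and the link timestamp is set to the date psloss reports, so neither is read from a real binary.

```python
"""Pull the triage facts psloss quotes (linker version, link timestamp, PDB
path) straight out of a PE file's headers, plus the per-section entropy
heuristic that explains why packed binaries (the TELock/ASPack hits above)
make scanners nervous.  Added example, not code from the thread or any AV
vendor; standard library only.  The sample PE is built in memory, so the
'Fredrik' PDB path is just the string from the post placed into a test
image, and the link timestamp is set to the date psloss reports.
"""
import math
import random
import struct
from datetime import datetime, timezone
from typing import Dict, List

LINK_TS = int(datetime(2004, 12, 15, tzinfo=timezone.utc).timestamp())
PDB_PATH = b"c:\\Documents and Settings\\Fredrik\\Skrivbord\\trapp2\\trapp\\Release\\trapp.pdb"
HIGH_ENTROPY = 7.0   # bits/byte; compressed or encrypted code sits near 8


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(buf: bytes) -> Dict:
    """Read COFF/optional headers, the section table and the CodeView debug entry."""
    if buf[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]                 # e_lfanew
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsect, ts = struct.unpack_from("<HI", buf, pe + 6)           # NumberOfSections, TimeDateStamp
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
    opt = pe + 24
    magic, maj, minr = struct.unpack_from("<HBB", buf, opt)      # Magic, Major/MinorLinkerVersion
    dd_base = opt + (96 if magic == 0x10B else 112)              # PE32 vs PE32+ data directories
    dbg_rva, dbg_size = struct.unpack_from("<II", buf, dd_base + 6 * 8)   # IMAGE_DIRECTORY_ENTRY_DEBUG

    sections: List[Dict] = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, opt + opt_size + i * 40)
        raw = buf[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "span": max(vsize, rawsize), "rawptr": rawptr,
                         "entropy": round(entropy(raw), 2)})

    def rva_to_off(rva: int):
        for s in sections:
            if s["va"] <= rva < s["va"] + s["span"]:
                return s["rawptr"] + rva - s["va"]
        return None

    pdb = None
    off = rva_to_off(dbg_rva) if dbg_rva else None
    for i in range(dbg_size // 28 if off is not None else 0):    # IMAGE_DEBUG_DIRECTORY is 28 bytes
        dtype, dsize, _addr, dptr = struct.unpack_from("<IIII", buf, off + i * 28 + 12)
        if dtype == 2 and buf[dptr:dptr + 4] == b"RSDS":        # IMAGE_DEBUG_TYPE_CODEVIEW, PDB 7.0
            pdb = buf[dptr + 24:dptr + dsize].split(b"\0", 1)[0].decode("utf-8", "replace")
    return {
        "linker": f"{maj}.{minr}",   # VC++ 7.1 links as 7.10
        "timestamp": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "pdb": pdb,
        "sections": [(s["name"], s["entropy"]) for s in sections],
        "likely_packed": any(s["entropy"] > HIGH_ENTROPY for s in sections),
    }


def build_sample_pe(packed: bool = False) -> bytes:
    """Constructed minimal PE32: .text, plus .rdata holding one RSDS debug entry."""
    rsds = b"RSDS" + bytes(16) + struct.pack("<I", 1) + PDB_PATH + b"\0"   # sig, GUID, age, path
    rng = random.Random(1)
    text = bytes(rng.getrandbits(8) for _ in range(512)) if packed else b"\x55\x8b\xec\x90" * 128
    hdr = bytearray(512)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, LINK_TS, 0, 0, 224, 0x102)
    opt = 0x58
    struct.pack_into("<HBB", hdr, opt, 0x10B, 7, 10)
    struct.pack_into("<I", hdr, opt + 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 6 * 8, 0x2000, 28)   # debug directory -> .rdata
    sec = opt + 224
    struct.pack_into("<8sIIII", hdr, sec, b".text", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<8sIIII", hdr, sec + 40, b".rdata", 0x200, 0x2000, 0x200, 0x400)
    rdata = bytearray(512)
    struct.pack_into("<IIHHIIII", rdata, 0, 0, LINK_TS, 0, 0, 2, len(rsds), 0x2040, 0x440)
    rdata[0x40:0x40 + len(rsds)] = rsds
    return bytes(hdr) + text + bytes(rdata)


if __name__ == "__main__":
    for label, blob in (("unpacked build", build_sample_pe()), ("packed build", build_sample_pe(packed=True))):
        print(label, parse_pe(blob))
```

Entropy alone does not say which packer was used, only that the code section is compressed or encrypted; that is the same signal John2g's BOClean quote describes, where the packer itself, not the payload, is what trips the scanner.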