Trojan warning

null

A user I have been helping discovered a Trojan in a freeware MP3 to
WAV converter named ABLEMP3.EXE from this site:

http://www.all4you.dk/FreewareWorld/links.php

It's called Trojan.Dropper.Small.GT by KAV and it's in the file named
WU1345RD.EXE located in \temp\data\app\0\temp

Most av scanners won't find it when scanning the install file since
they are incapable of scanning within the CAB archive within the SFX.
This particular one can have its files extracted first to a temp
folder using Power Archiver (or whatever), and then the files scanned
on-demand. When the culprit WU1345RD.EXE file is thus exposed for
scanning, several av will then alert. I've also confirmed through
contact with Kaspersky that the file is indeed infested.


Art
http://www.epix.net/~artnpeg
 
Vrodok the Troll

On Sat, 14 Aug 2004 16:46:46 GMT, in Newsgroup--> alt.comp.freeware, the
personage of (e-mail address removed), courtesy of Message-id
A user I have been helping discovered a Trojan in a freeware MP3 to
WAV converter named ABLEMP3.EXE from this site:

http://www.all4you.dk/FreewareWorld/links.php

It's called Trojan.Dropper.Small.GT by KAV and it's in the file named
WU1345RD.EXE located in \temp\data\app\0\temp

Most av scanners won't find it when scanning the install file since
they are incapable of scanning within the CAB archive within the SFX.
This particular one can have its files extracted first to a temp
folder using Power Archiver (or whatever), and then the files scanned
on-demand. When the culprit WU1345RD.EXE file is thus exposed for
scanning, several av will then alert. I've also confirmed through
contact with Kaspersky that the file is indeed infested.


Art
http://www.epix.net/~artnpeg

*Ouch*! To the best of your knowledge, what files on that site are infected?
 
buzz Light Beer

A user I have been helping discovered a Trojan in a freeware MP3 to
WAV converter named ABLEMP3.EXE from this site:

http://www.all4you.dk/FreewareWorld/links.php

It's called Trojan.Dropper.Small.GT by KAV and it's in the file named
WU1345RD.EXE located in \temp\data\app\0\temp

Most av scanners won't find it when scanning the install file since
they are incapable of scanning within the CAB archive within the SFX.
This particular one can have its files extracted first to a temp
folder using Power Archiver (or whatever), and then the files scanned
on-demand. When the culprit WU1345RD.EXE file is thus exposed for
scanning, several av will then alert. I've also confirmed through
contact with Kaspersky that the file is indeed infested.


Art
http://www.epix.net/~artnpeg


I found a Trojan Dropper on my in-laws' XP box. It had written itself
as notepad.exe in the system 32 folder. After updating her seriously
outdated def files, NAV found it.
I use the bloated System Works 2003...mainly cause I've used Norton
Utilities since the old DOS floppy days.....
I use Kaspersky on one of my other boxes. It did find a virus in a zip
and Rar'd file that NAV missed....:)

bLB
=======================================================
Free video ID apps

MpegProperties
http://www.medialab.se/mpgprop_e.html

GSpot
http://www.headbands.com/gspot/

MovieID
http://www.geocities.com/cplarosa/movieid/
 
/* frank */

After serious thought, buzz Light Beer wrote:
I use Kaspersky on one of my other boxes. It did find a virus in a zip
and Rar'd file that NAV missed....:)

KAV is the best, NAV is the worst (much better any freeware)
 
all4you.dk

A user I have been helping discovered a Trojan in a freeware MP3 to
WAV converter named ABLEMP3.EXE from this site:

http://www.all4you.dk/FreewareWorld/links.php

It's called Trojan.Dropper.Small.GT by KAV and it's in the file named
WU1345RD.EXE located in \temp\data\app\0\temp

Please be careful what you write!
There are NO infected files on the link you name.

FWT is a link site!

If there is a program infected, that we link to, please name the exact name of
the program and we will stop linking to the program.

But please stop telling people that there is an infected program ON the FWT -
we don't have programs for download!

Jan Langholm
Webmaster and founder at FWT
 
null

Please be careful what you write!
There are NO infected files on the link you name.

FWT is a link site!

If there is a program infected, that we link to, please name the exact name of
the program and we will stop linking to the program.

But please stop telling people that there is an infected program ON the FWT -
we don't have programs for download!

Jan Langholm
Webmaster and founder at FWT

Sorry if you don't offer programs for download. I was told by the user
that he downloaded the Trojanized install file from your site.

Here's a list of web sites I found that do have the download:

http://www.hitsquad.com/smm/programs/AbleConverter/download.shtml
http://www.guitar.sk/mp3_ogg_converter.htm
http://www.sharewarejunction.com/download-19906-2.htm
http://www.zdnet.fr/telecharger/windows/fiche/telecharger/0,39033957,39080029s,00.htm

In every case, I downloaded the ABLEMP3.EXE install file and in every
case it contained the Trojanized file named WU1345RD.EXE and every
case that file was infested. I've written to the software vendor
informing them of the problem but haven't yet heard from them. So I
don't yet know at what point the Trojanized file was inserted and
bundled with the software package.

If you or anyone have need for doing any checking, both BitDefender
and KAV can scan the install SFX CAB file and they will alert.
Otherwise, the files from the install SFX CAB can be extracted to a
temp folder by Power Archiver and the like. Then a number of av
scanners will alert when scanning WU1345RD.EXE, including F-Prot,
McAfee, AntiVir, Clamav, and NOD32.


Art
http://www.epix.net/~artnpeg
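
Added example (not part of the original thread or any poster's code): a Python sketch of the check described in the post above, locating a CAB archive embedded in a self-extracting installer and listing its members without running the installer, so each one can be extracted and scanned. The function names and the header-only sample built by `build_sample` are constructed for illustration.

```python
import struct

CAB_MAGIC = b"MSCF"
# CFHEADER: signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet (36 bytes)
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")
# CFFILE: cbFile, uoffFolderStart, iFolder, date, time, attribs, then NUL-ended name
CFFILE = struct.Struct("<IIHHHH")

def parse_cabinet(data, off):
    """Return (offset, size, member names), or None if this MSCF hit is not a cabinet."""
    if off + CFHEADER.size > len(data):
        return None
    (_sig, res1, cb_cab, res2, coff_files, res3, _minor, major,
     _folders, n_files, _flags, _set_id, _icab) = CFHEADER.unpack_from(data, off)
    # Reject chance "MSCF" byte runs: reserved fields are zero, the format
    # version is 1.x, and the declared cabinet size must fit inside the file.
    if res1 or res2 or res3 or major != 1 or off + cb_cab > len(data):
        return None
    if not CFHEADER.size <= coff_files < cb_cab:
        return None
    names, p, end = [], off + coff_files, off + cb_cab
    for _ in range(n_files):
        p += CFFILE.size                      # skip the fixed part of the entry
        nul = data.find(b"\x00", p, end)
        if nul == -1:
            return None                       # truncated or corrupt file table
        names.append(data[p:nul].decode("latin-1"))
        p = nul + 1
    return off, cb_cab, names

def find_cabinets(data):
    """Scan a whole installer image for embedded cabinets."""
    found, pos = [], data.find(CAB_MAGIC)
    while pos != -1:
        cab = parse_cabinet(data, pos)
        if cab:
            found.append(cab)
        pos = data.find(CAB_MAGIC, pos + 1)
    return found

def build_sample():
    """Constructed input: zero-filled fake stub, a decoy string, and a cabinet
    that has only a header and file table (no folders, no compressed data)."""
    entries = b"".join(CFFILE.pack(0, 0, 0, 0, 0, 0x20) + name + b"\x00"
                       for name in (b"SETUP.EXE", b"WU1345RD.EXE"))
    size = CFHEADER.size + len(entries)
    header = CFHEADER.pack(CAB_MAGIC, 0, size, 0, CFHEADER.size, 0, 3, 1, 0, 2, 0, 0, 0)
    return b"MZ" + b"\x00" * 62 + b"MSCF-decoy" + header + entries
```

On a real installer, read the file in binary mode and pass the bytes to `find_cabinets`; the returned offset and size give the byte range to carve out and hand to a CAB extractor before scanning the members.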
 
monkeyman

A user I have been helping discovered a Trojan in a freeware MP3 to
WAV converter named ABLEMP3.EXE from this site:

http://www.all4you.dk/FreewareWorld/links.php

It's called Trojan.Dropper.Small.GT by KAV and it's in the file named
WU1345RD.EXE located in \temp\data\app\0\temp

Most av scanners won't find it when scanning the install file since
they are incapable of scanning within the CAB archive within the SFX.
This particular one can have its files extracted first to a temp
folder using Power Archiver (or whatever), and then the files scanned
on-demand. When the culprit WU1345RD.EXE file is thus exposed for
scanning, several av will then alert. I've also confirmed through
contact with Kaspersky that the file is indeed infested.


Art
http://www.epix.net/~artnpeg

The file WU1345RD.EXE is not a Trojan. What it does is delete the
install files which are extracted to /Temp after setup is complete and
it is not even present on the system after install because it deletes
itself. However, Able MP3 installs more spyware than you can shake a
stick at so I wouldn't recommend installing it in any case.
 
null

The file WU1345RD.EXE is not a Trojan. What it does is delete the
install files which are extracted to /Temp after setup is complete and
it is not even present on the system after install because it deletes
itself. However, Able MP3 installs more spyware than you can shake a
stick at so I wouldn't recommend installing it in any case.

Well, expert virus analysts disagree with you about WU1345RD.EXE not
being a Trojan. So do a whole slew of antivirus scanners that alert on
the file. Since it's strictly a downloader Trojan, maybe its function
is to d/l the spyware you refer to before it erases itself. The user I
was helping didn't mention being hit with a bunch of spyware after
doing the install. I'll have to ask him about that. It was puzzling
that the file disappeared after the installation. So this is making
more sense to me now. It does its dirty deed and erases itself :)


Art
http://www.epix.net/~artnpeg
 
monkeyman

Well, expert virus analysts disagree with you about WU1345RD.EXE not
being a Trojan. So do a whole slew of antivirus scanners that alert on
the file. Since it's strictly a downloader Trojan, maybe its function
is to d/l the spyware you refer to before it erases itself. The user I
was helping didn't mention being hit with a bunch of spyware after
doing the install. I'll have to ask him about that. It was puzzling
that the file disappeared after the installation. So this is making
more sense to me now. It does its dirty deed and erases itself :)


Art
http://www.epix.net/~artnpeg

Yes, that would seem logical. But, for a program to be a Trojan it
must stay in memory and open a "backdoor" to your system. It may be
any number of things but, a Trojan it is not.
 
null

Yes, that would seem logical. But, for a program to be a Trojan it
must stay in memory and open a "backdoor" to your system.

Wrong. A Trojan is simply any software that does something the user
wouldn't approve of if he knew about it. It does something
unadvertised or clandestine ... behind the user's back, so to speak.

BTW, I ran the Trojaned file WU1345RD.EXE out of curiosity. It installs
the file ATPartners.DLL in the systems folder which is alerted on as
TrojanDownloader.Win32.Rameh.C by KAV. And it installs three registry
items each under what Spybot finds as VX2E and eAcceleration.

So you were right about the spyware installation aspect but wrong
about WU1345RD.EXE in more ways than one :) A Trojan it is very
indeedy!!!


Art
http://www.epix.net/~artnpeg
 
