06 February 2008

Trojans in packed uTorrent mods and BitTorrent (Armadillo) mods?

sb-innovation.de BitTorrent 6.x SBI Mods (Armadillo 5.x) - http://www.sb-innovation.de
Check for outgoing connection / request activity from the program exe's of some mods even when the BitTorrent 6 mod is closed: compare the firewall log with the rule for the bittorrent_mods exe's enabled and then disabled.

Remarks:
Kaspersky and BitDefender include an unpacking engine for PECompact and Armadillo 4 - 5; manual unpacking also shows the same result for multi_100_seeder and for one kind of BitTorrent 6 mod.

uTorrent seeder x100 mods (PECompact ver. 2.78a ~ 2.80 with ADDED DLL INJECTION)
see screenshot:

NEW AV Signature Updates 05.02.2008

BitDefender Internet Security 2008 v11.0.15
Virus Database Date: 06.02.2008
Known Viruses: 979216

The new AV signatures are improved now: they already detect it inside the Inno Setup installer, µtorrent 1.7.7 LP_setup.exe and others.

AV signature + engine and module hourly updates:
BitDefender Internet Security 2008 v11.0.15 German
Virus Database Date: 06.02.2008
Known Viruses: 979232

The third AV definition update today no longer shows the above screen, but after innounp / Inno unpack or running the setup, one mod, utorrent 1.7.x multi100_seeder.exe, is found positive as Trojan AX patched in the temp folder and, when the setup is skipped, also in the unpacked folder.

BitDefender Internet Security 2008 v11.0.15
Virus Database Date: 06.02.2008
Known Viruses: 979348

-------------------------------------------------------------------------------
Some packed samples are not detected at all:
new Backdoor

Creates the following files in the %WINDIR%\Media folder (same as some very old backdoors, but with different signatures):
C:\WINDOWS\Media\csrss.exe
C:\WINDOWS\Media\MSWINSCK.OCX (the Visual Basic Winsock control)

Appends itself to the value "Shell"="explorer.exe", so that it becomes

"Shell"="explorer.exe C:\WINDOWS\Media\csrss.exe"
in the registry key:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

and maybe, like the old backdoor, adds:
"RegWrite"="c:\windows\media\csrss.exe"
to the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run



After executing it, a "fake" csrss.exe from %WINDIR%\Media shows up in the process manager as soon as Windows starts, alongside the original \system32 Microsoft Corporation Client Server Runtime Process (csrss.exe), and connects to a webserver.


After removing these files under %WINDIR%\Media, you receive an error message upon startup that reads:

No AV, anti-spyware, anti-malware program or startup manager tool ever monitored the logon shell value (Winlogon Shell = explorer.exe) for changes or appended entries, for example:

"Shell"="explorer.exe C:\WINDOWS\Media\csrss.exe"
"Shell"="explorer.exe C:\any application to run with startup test.dll"
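A check for the persistence tricks described above, as an added example that is not part of the original post and not code from any of the mod authors: it parses the Winlogon Shell value for entries beyond explorer.exe, flags Run-key commands that point into the Media folder under %WINDIR%, and spots a csrss.exe running from outside System32. The offline functions work on values you hand them (the sample values below are constructed, except the Shell string, which is the one reported on this page); audit_live() reads the real registry keys and only does anything on Windows. The process list has to come from a tool such as Process Explorer, since nothing here enumerates processes.

```python
import ntpath
import os
import shlex
import sys

DEFAULT_SHELL = "explorer.exe"


def parse_shell_value(value):
    """Split a Winlogon Shell value into the programs it would launch.

    Microsoft documents Shell as a comma-separated list; the samples on this
    page simply append a second path after a space, so both separators are
    honoured. Quoted paths with spaces survive intact; an unquoted path with
    spaces is broken into pieces but still surfaces as extra entries, which is
    all the check needs.
    """
    entries = []
    for part in value.split(","):
        try:
            tokens = shlex.split(part, posix=False)  # non-POSIX: backslashes kept verbatim
        except ValueError:                           # unbalanced quote: fall back to whitespace
            tokens = part.split()
        entries.extend(t.strip('"') for t in tokens if t.strip('"'))
    return entries


def shell_extras(value):
    """Everything in a Shell value other than the stock explorer.exe."""
    return [e for e in parse_shell_value(value) if e.lower() != DEFAULT_SHELL]


def run_entries_in_media(run_values, windir=r"C:\WINDOWS"):
    """Names of Run-key values whose command lives in the Media folder under
    windir, the drop location reported on this page. run_values maps value
    name -> command string."""
    media = ntpath.normcase(ntpath.join(windir, "Media")) + "\\"
    return sorted(name for name, cmd in run_values.items()
                  if ntpath.normcase(cmd.strip('"')).startswith(media))


def fake_csrss(processes, windir=r"C:\WINDOWS"):
    """Paths of any csrss.exe whose image is not in system32 under windir.
    processes is a list of (image name, full path) pairs."""
    system32 = ntpath.normcase(ntpath.join(windir, "system32"))
    return [path for name, path in processes
            if name.lower() == "csrss.exe"
            and ntpath.normcase(ntpath.dirname(path)) != system32]


def audit_live(windir=None):
    """Read the real Winlogon Shell and Run values (Windows only; None elsewhere).
    HKCU is checked too because a per-user Shell override is honoured as well."""
    if sys.platform != "win32":
        return None
    import winreg
    windir = windir or os.environ.get("WINDIR", r"C:\WINDOWS")
    winlogon = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    run = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    report = {}
    for hive, label in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"),
                        (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:
            with winreg.OpenKey(hive, winlogon) as key:
                shell, _ = winreg.QueryValueEx(key, "Shell")
                report[label + r"\Winlogon\Shell"] = shell_extras(shell)
        except OSError:
            pass  # no Shell value here is the normal, clean state
        values = {}
        try:
            with winreg.OpenKey(hive, run) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break  # end of value list
                    values[name] = str(data)
                    i += 1
        except OSError:
            pass
        report[label + r"\Run"] = run_entries_in_media(values, windir)
    return report


if __name__ == "__main__":
    # Constructed sample data; the Shell string is the one reported above.
    print("Shell extras:", shell_extras(r"explorer.exe C:\WINDOWS\Media\csrss.exe"))
    print("Run entries in Media:", run_entries_in_media(
        {"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
         "RegWrite": r"c:\windows\media\csrss.exe"}))
    print("Fake csrss:", fake_csrss(
        [("csrss.exe", r"C:\WINDOWS\system32\csrss.exe"),
         ("csrss.exe", r"C:\WINDOWS\Media\csrss.exe")]))
    print("Live audit:", audit_live())
```

Any non-empty result from shell_extras is worth a look: the stock value is exactly explorer.exe, and nothing legitimate on a stock XP install appends a second program to it. A quoted path that is itself suspicious (say, one under a temp folder) is not flagged by run_entries_in_media, which only matches the drop location reported here; extend the prefix list for other locations.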

21 comments:

Anonymous said...

Looks like it's in all seeder multi 100 mods' 'code parts'. The Trojan connects to someone if seeding torrents. Dangerous, brothers.

Anonymous said...

There are no viruses in the files; it's only the way it's packed that gets detected as a virus, because the AV apps don't recognize it right.

Anonymous said...

Are you sure? Because I unpacked / removed the protection, fixed the IAT etc... and just did a dump, but all solutions show the same, also in the clean unpacked state. Is it possible that leecher multi 100 has had an embedded positive string in the code changes since the very first source?

Anonymous said...

KAV has an unpacking engine for the latest Armadillo and PECompact; BitDefender's engine got an update today for the PECompact 2.8x / Inno 5.x module with added DLLs to the packers. Detection error?

Anonymous said...

Is multi_100_seeder packed differently from all the others? I get a virus alert only with the multi100_seeder mods.

Anonymous said...

Can anyone prove that they are clean? Show me.

Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...

The BitTorrent mod phones out on its own.
Check the Wireshark logs. http://www.wireshark.org/

Anonymous said...

I don't think seba put trojans in the exe files, unless someone gave him a 'bad' source.

Anonymous said...

Why has it been packed so badly that virus scanners detect a trojan??? Why does it need to be packed?
-------------------------------------
"There are no viruses in the files; it's only the way it's packed that gets detected as a virus, because the AV apps don't recognize it right."

Anonymous said...

There are no viruses or trojans in these mods. Seba and the SBI people only change the original with hex editors and don't recompile it with a virus in it.
Your screenshot is about seba's uTorrent mod; why do you post the SBI link together with it? Seba's site and the SBI forum are different places...
The problem with BitTorrent is a general problem and has nothing to do with the SBI mod. They've created it for people who want to use this client. But if there's a spy function in it you must find it in the original too, and then we should warn all people about this security risk.

Anonymous said...

If the top 10 AV scanners go off, you know what's wrong. About the 5 others in VirusTotal which almost show positive, we all know they can be wrong. Scan the original, scan the mods: there are quite different results. 5 BitTorrent mods, and always the x100 seeder mod is infected. I hope this site admin posts from the email the unpacked one I did, to see the exe protected and unpacked.
They should better use a "more" compatible exe compressor.

Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...

I can't obtain the original mod source, but I can rebuild it for you so that you can check it, because I know all the tools they've used. The source file is from your site...
http://uploaded.to/?id=nwqgpw

Here is the bittorrent_nocomplete_report-seeder _100x mod, packed with the same tools as the one in the pack.

http://www.mediafire.com/?fexehrzu9gh

Can you please check whether you get the same results? If you get the same warnings I can upload the unpacked file for you, but I can't post the link here.

Anonymous said...

NoCompl_Report-Seeder_Multi-100x has a decent little backdoor inside. Maybe the packer patches it in, a cracked exe packer version, possible. It connects to a server in xx. Try running it with a torrent idle (no dl/up) and look at the Wireshark logs.
Put it later in OllyICE to see if it's there without Armadillo too. Compared to the original: no connection to that server. Exclude the IP-to-country database server lookup and the rest of bt/ut.
AV doesn't give any alert, but overall the result is horrible:
http://www.virustotal.com/analisis/663ec4d97ab4bcd95d8e6c04d57a2363

Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...

Maybe they used the armad. packer from team ... ???

Anonymous said...

A pirated Armadillo packer putting a backdoor into the exe and dll when packing, with the client online: possible.

Version
http://info.prevx.com/aboutprogramtext.asp?PX5=DCF6FA2430E7C54E05ED0D20E0A57C00C9FAE183
http://www.virustotal.com/analisis/65c5758909afd65e0c9366d1f2226d47

cause:
Microsoft Visual C++ ver 5.0/6.0, not packed!

PEiD: Armadillo v1.71 / wrong -(

Anonymous said...

Thanks for testing the file.
Then the packer must be the problem. I've used this version for packing and to include the splash screen.

SoftwarePassport/Armadillo Protection System v5.0

On their homepage you can download a trial version of their newest release v5.4.
http://www.siliconrealms.com/

Anonymous said...

Protect my computer and eliminate the bugs and viruses.
When you are searching for a great scan that can help you keep your computer running like new, I would suggest that you visit NOT the FAKE page! Luckily it is known and routed to zero, http://127.0.0.1. Here I found the antispyware solution from Search-and-destroy and it was exactly what I needed to protect my computer and eliminate the bugs and viruses that would make it run slow, freeze up and shut down. Search-and-destroy Antispyware was the answer to my computer bug problems and it was certainly worth every penny I spent to have this great antispyware to protect my PC. Not only does it work great but it costs less than many of the other scans available.

The real website is:
http://www.safer-networking.org
and it's freeware!

Be cautious, this is a fake site: http://whois.domaintools.com/search-and-destroy.com

monalisa222 said...

Remove AAV Trojan Patch or Ai Trojan Patch

http://www.tips29.com/2009/01/remove-aav-trojan-patch-or-ai-trojan.htmll
