25 May 2009

eMule 0.49c ZZ-R V2.4 {false positive}

51 comments

ZZ-R V2.4

Changelog:
==========

25.05.2009
------------------------------------------------

+ AntiMod
+ Remove Bad Blockratio Clients
+ Ban Bad Modstring Scheme
+ AntiMod added to design-settings
+ Clients share visibility added to design-settings
+ Whois IP-Lookup | Web (disable to open your favorite url from menus)
+ Some fixes for Modeless Dialogs

!! Before starting, please delete preferences.ini in the config folder to avoid problems with the changed limits !!

Addendum 27.05.2009
==================================================
Download: {the included emule.exe triggers a false positive alert in some AV products}
eMule0.49c-ZZ-R_V2.4.rar | Mirror1 | Mirror2

official release
File: eMule0.49c-ZZ-R_V2.4.rar
CRC-32: ec8c26af
MD4: 6d27d3db51b14a67e9fe5cc46f446003
MD5: 3d0e74640741e8beab2fb93d12c23c83
SHA-1: 7303f6c3e2422c14e03ad7052ed3a6af4fe6ba2a

emule.exe
File: emule.exe
CRC-32: fb09fa31
MD4: 9fba8eff0177f0444e6953ed1e6aa7e5
MD5: e1d57c4ebc7349048baf5cfc81820b62
SHA-1: 9ece7e3fca37143e6d9bf58768372cad37813a9a
Update 28.05.2009
The false positive has been corrected by Kaspersky AntiVirus with the updates from 28.05.2009.

F-Secure and Fortinet have also fixed the false positive with their latest definition updates from 28.05.2009!
http://virusscan.jotti.org/de/scanresult/0aa52375d5cedf9890758162935766cab45b88a4
http://www.virustotal.com/de/analisis/40d0b7b0489750c32211ceda5e30aee15dd9929a01b119424fac7e838b60390f-1243528638

Users of the following antivirus products may get a FALSE POSITIVE alert:
K7AntiVirus now shows a false positive (new)

Users complain about virus alerts

================================================

Today a clean, C++-coded software mod, not packed or protected with any kind of exe packer/protector, showed up as a Trojan in some AVs. The binary file should not be difficult for experts to analyze in depth and correct the false positive.


... it looks like some AVs reference Kaspersky's signatures and add them to their own signature updates by image base/name/etc...

Run any PE optimizer/trim on emule.exe and get the picture:

http://www.virustotal.com/fr/analisis/d2f85947c58777c14e6f6e3929444a0eadfad0cba1a912cc7f53764c9b935def-1243412905


File emule.exe received on 2009.05.27 08:28:25 (UTC)
Current status: finished
Result: 0/40 (0.00%)
Antivirus Version Last update Result
a-squared 4.0.0.101 2009.05.27 -
AhnLab-V3 5.0.0.2 2009.05.27 -
AntiVir 7.9.0.168 2009.05.27 -
Antiy-AVL 2.0.3.1 2009.05.27 -
Authentium 5.1.2.4 2009.05.27 -
Avast 4.8.1335.0 2009.05.26 -
AVG 8.5.0.339 2009.05.27 -
BitDefender 7.2 2009.05.27 -
CAT-QuickHeal 10.00 2009.05.27 -
ClamAV 0.94.1 2009.05.27 -
Comodo 1203 2009.05.26 -
DrWeb 5.0.0.12182 2009.05.27 -
eSafe 7.0.17.0 2009.05.26 -
eTrust-Vet 31.6.6523 2009.05.27 -
F-Prot 4.4.4.56 2009.05.27 -
F-Secure 8.0.14470.0 2009.05.27 -
Fortinet 3.117.0.0 2009.05.27 -
GData 19 2009.05.27 -
Ikarus T3.1.1.57.0 2009.05.27 -
K7AntiVirus 7.10.745 2009.05.26 -
Kaspersky 7.0.0.125 2009.05.27 -
McAfee 5627 2009.05.26 -
McAfee+Artemis 5627 2009.05.26 -
McAfee-GW-Edition 6.7.6 2009.05.27 -
Microsoft 1.4701 2009.05.27 -
NOD32 4108 2009.05.27 -
Norman 6.01.05 2009.05.26 -
nProtect 2009.1.8.0 2009.05.27 -
Panda 10.0.0.14 2009.05.26 -
PCTools 4.4.2.0 2009.05.21 -
Prevx 3.0 2009.05.27 -
Rising 21.31.21.00 2009.05.27 -
Sophos 4.42.0 2009.05.27 -
Sunbelt 3.2.1858.2 2009.05.27 -
Symantec 1.4.4.12 2009.05.27 -
TheHacker 6.3.4.3.332 2009.05.26 -
TrendMicro 8.950.0.1092 2009.05.27 -
VBA32 3.12.10.6 2009.05.27 -
ViRobot 2009.5.27.1756 2009.05.27 -
VirusBuster 4.6.5.0 2009.05.26 -
Additional information
File size: 5906432 bytes
MD5 : 46882fdd186a19a6915a80ab0e0795fe
SHA1 : ed5f0097339987777579ed2c1158281b229aef77
SHA256: d2f85947c58777c14e6f6e3929444a0eadfad0cba1a912cc7f53764c9b935def
TrID : File type identification
Windows OCX File (71.0%)
Win32 Executable MS Visual C++ (generic) (21.6%)
Win32 Executable Generic (4.9%)
Generic Win/DOS Executable (1.1%)
DOS Executable Generic (1.1%)
ssdeep: 98304:Fm4hC/3YxZTENGuCxMNbiNZn6/r2PmXPcP:FYqtb6/r2uXUP
PEiD : -
RDS : NSRL Reference Data Set
-

Only trimming/optimizing the PE exe made the virus alerts disappear.
To prove the false positive:
1. Download any PE optimizer (keywords: PE Optimizer, Trim PE, PETrim ...),
for example the free version of Bitsum PECompact (http://www.bitsum.com/pecompact.shtml) is fine; only trim/optimize (some tools call it PE Rebuild/Optimizer/...), some have a GUI, some work in command-line mode, e.g. http://upx.sourceforge.net/
2. Apply the PE optimizer to emule.exe and set only trim/optimize (not compress).
3. Scan the file with virustotal.com: on all engines the false positive is suddenly gone.

4. A test of those AVs that showed a false positive on the MS C++ compiler output file emule.exe, versus those that inspect the file deeply enough from the start while scanning and did not show a false positive:

emule.exe 5.63 MB (trim)
emule.exe 3.13 MB (UPX strip)
emule.exe 5.75 MB (upx decompr. w. PE Tools)

It is suggested to use a file hash tool such as HashTab or HashCheck to verify that the scan results refer to the same files.


Hmmm... sometimes some antivirus products are wrong. It should be clear that there is no Trojan or virus in this file; otherwise it would still be in the file after trimming the PE, UPX-packing and UPX-unpacking emule.exe. A virus/Trojan cannot get lost through the above procedure.

Further tests with Microsoft Network Monitor 3.3 in combination with Process Monitor v2.04, monitoring and logging all traffic to/from emule.exe, showed no suspicious online activity other than that of the official eMule 0.49c, nor does a second hidden process start with it.

There are no Viruses or Trojans in morph4u mods, I'm sure morph4u cares about his software and users!


Remarks:
- The server.met comes from the peerates service (http://peerates.net/servers.php); update it in the server window. The included server.met is an older one, which was current when the mod was coded; it later shows an Australian P2P research server in the list with the address ed2k://|server|202.3.54.54|1111|/ (http://whois.domaintools.com/202.3.54.54).
- If the above server is bad, the mod has, under Options > Update > Security, protection via the IP Filter.dat from http://downloads.sourceforge.net/scarangel/ipfilter.rar; you may remove this server from the server list if it is a questionable ed2k server.

Ref:
Response from the software author of the eMule mod: see the comments on my blog and also in several antivirus and security forums:
Kaspersky
Panda
A-Squared
F-secure

AV firms have been informed to re-analyze and remove the wrong virus alerts, correcting the false positive shown by some AV scanners.

Danke

Paint.NET v3.5 Alpha build 3424

0 comments


Changes since version 3.36:

* Now requires (and uses!) .NET Framework 3.5 SP1.
* Significant improvements to the installer. Prerequisites are now handled in a much more user-friendly fashion (it's no longer "go to the Microsoft website and decipher geek talk and download stuff")
* The auto-updater can now download in the background, and then install the update after you've exited Paint.NET. Compare this to v3.36 and earlier that jump in your face and require the download and installation to happen right now, and block you from using the program until it's done!
* New effect: Blurs -> Surface Blur, by Ed Harvey
* New effect: Distort -> Dents, by Ed Harvey
* New effect: Distort -> Crystalize, by Ed Harvey
* The responsiveness of effect dialogs has been greatly improved.
* When zoomed-in, the rendering quality has been substantially improved. http://blog.getpaint.net/2008/12/07/pai ... zoomed-in/
* When zoomed in, it is now much easier to correctly resize or move a selection.
* Improved performance when opening multiple images, especially for systems with only 1 processor. http://blog.getpaint.net/2008/09/11/pai ... humbnails/
* Memory usage has been greatly reduced when more than one image is open.
* The selection outline is no longer animated, which substantially reduces CPU usage. It also uses XOR blending.
* The middle mouse button can now be used to close an image tab
* Improved the Unfocus effect
* Fixed an issue with Gaussian Blur and its treatment of alpha values
* Fixed a crash with the "Units" selector in the toolbar area
* Added a "Utilities" menu, and moved the following menu items there: Check for Updates, Language chooser, and View Plugin Load Errors. For the alpha release, there are also menu items for "Force Crash" and "Perform Full GC" (you'll know what that means if you're a developer -- Otherwise it isn't interesting).
* Installer now has a "Start Paint.NET" checkbox at the end. (On Vista and Win7 with UAC enabled, it will correctly start Paint.NET at non-elevated privilege.)
* Renamed "Grid" to "Pixel Grid", to more accurately describe its functionality.
* The DirectDraw Surface (.DDS) file type now allows you to select the resampling algorithm for auto-generated mip-maps
* Effect plugins now have access to a "Services" property which allows them to properly access certain internal Paint.NET functionality.
* Fixed some very small memory leaks when opening many images
* Russian translation. http://blog.getpaint.net/2009/02/26/rus ... -paintnet/
* A processor that supports SSE is now required (almost all CPU's purchased this decade satisfy this)

Homepage: http://blog.getpaint.net/
BBS: http://paintdotnet.forumer.com/viewtopic.php?f=46&t=30113

Download:
http://www.getpaint.net/files/zip/preview/Paint.NET.3.50.3429.26250.Install.zip

older Builds:
http://www.getpaint.net/files/zip/preview/Paint.NET.3.50.3424.34245.Install.zip | Mirrors Fileshare host: Paint.NET.3.50.3424.34245.Install.zip 4.52 MB | DDL

http://www.getpaint.net/files/zip/preview/Paint.NET.3.50.3424.34110.Install.zip | Mirrors Fileshare host: Paint.NET.3.50.3424.34110.Install.zip 4.52 MB | DDL

Extras: Plugins

SRWare Iron 2.0.178.0

0 comments

SRWare Iron: the browser of the future, based on the free "Chromium" source code, without any privacy and security problems

Google's web browser Chrome thrilled with extremely fast site rendering, a sleek design and innovative features. But it also gets criticism from data protection specialists, for reasons such as creating a unique user ID or the submission of entries to Google to generate suggestions. SRWare Iron is a real alternative. The browser is based on the Chromium source and offers the same features as Chrome, but without the points that concern privacy.

We could therefore create a browser with which you can now use the innovative features without worrying about your privacy.

We want our users to participate in our work and release the browser into the net as a free download under the name "SRWare Iron".

What does Iron do differently? Read here:
http://www.srware.net/en/software_srware_iron_chrome_vs_iron.php

Changelog:
17.05.2009: New Iron-Release: 2.0.178.0

You can now download a new Iron release based on Chromium 2.0.178.0.
A lot of bugs are fixed, e.g. in Incognito mode, in the download manager and in a lot of other places. Speed and stability are also significantly better. We also updated the adblocker.


12.03.2009: New Iron-Release: 2.0.168.0

We released a new Iron based on Chromium 2.0.168.0. There were updates to WebKit and the JavaScript engine V8, so the new Iron version should be significantly faster. Additionally we improved the adblocker.


The adblock.ini has also been updated; you can get it here: http://www.srware.net/downloads/adblock.ini
Themes can be downloaded e.g. from www.chrome-themes.blogspot.com.
Iron is free and open source. You can get it here:
http://www.srware.net/en/software_srware_iron_download.php

Portable
http://www.srware.net/downloads/IronPortable.zip

Installer
http://www.srware.net/downloads/srware_iron.exe

Filedate: 17.05.09
Version: 2.0.178.0


Homepage: http://www.srware.net/en/software_srware_iron_news.php


diablo2oo2's Universal Patcher dUP 2.20 Beta 3

1 comments
diablo2oo2's Universal Patcher [dUP]
************************************
Version: 2.20

Features:
-multiple file patcher
-create Offset and Search&Replace patch/loader
-compare files (RawOffset and VirtualAddress) with different filesize
-text patcher
-registry patcher, also for loaders
-attach files to patcher
-get filepaths from registry
-usage of CRC32 and filesize checks
-patching packed files
-compress patcher with your favorite packer
-saving projects
-use custom skin in your patcher
-add music (Tracker Modules: xm,mod,it,s3m,mtm,umx,v2m,ahx,sid) to patcher
-multilanguage support
-and many more...


Version History
---------------
[2.20]
-added wildcard support for textpatch module
-windowresize bugs fixed
-minimize patcherwindow with rightmouseclick
-added new "event" module for patcher
-bugfixes in textpatch module

Homepage: http://diablo2oo2.di.funpic.de/
BBS: http://mp2kforum.mp.funpic.de/index.php#3

Download:
http://diablo2oo2.di.funpic.de/stuff/dup2.beta.rar
Mirror: dup2.beta.rar 184.32 KB

24 May 2009

emule.exe Mods and BT Software safety scan @sharereactor.ru
I make sure this page does not offer any mods containing Trojans or viruses. Every single mod has been scanned with Virustotal.com. If an exe packer/protector has been found, which can be a suspicious sign of a hidden Trojan in C++-coded software, unpacking tips and remarks are published as well.
Leecher mods have existed forever; that does not mean anything bad by itself. Some mods are made to release the full upload speed, not only download speed (no limit on sharing part files through power release etc...).

If you find any form of possible Trojan or virus, please click the contact us link and we will check it instantly and try to unpack the PE (exe, dll) files for deep analysis.

Up to now, the known suspicious mods built with exe protectors are:
- Early versions of all Applejuice mods (showed a false positive after unpacking), including IL reverse-engineered AJ mods // shows that the exe protector caused the false positive
- eMule eXcalibur
- eMule BigBan / eMule PRO (protector: Obsidium)
- 3 or 4 minor board mods (the links are removed)

Category others (no exe protector/packer, but malicious functions):
- Newer eMule Applejuice mod versions // some tracking cookies are downloaded automatically by the embedded mod web browser and collect user data (info for advertisers only?); embedded ad scripts/code collect user info.
- Some VeryCD mods // patch (make changes to) the connection limit in the Windows system file tcpip.sys without user interaction + install a BHO as soon as emule.exe is executed.
- Some eMule (mod) installers (we never publish installer versions). // Toolbars and ads can be installed with them. Our advice: unpack the installer with UniExtract, then take just the application .exe and delete the 'unknown' remaining content.

If you are not sure how to deal with 'unknown' binaries, use tools like a PE identifier and scan exe/dll files before executing any new files. My suggestion: use Exeinfo PE from A.S.L., which can also show some embedded URLs in files. Test whether the file opens in PE Explorer; if this fails, it is packed and/or PE-protected, as used in shareware and hacked software.
Another sign: emule.exe is usually above 5 MB in size; not many get it below 5 MB by compiling. Test emule.exe files that are smaller than 5.03 MB or bigger than 6.7 MB.
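Added example for the PE identifier advice above and for the PE trim check in the ZZ-R false-positive post (example code written for this page, not a tool from any project named here): a standard-library Python script that walks a PE section table and reports what a PE identifier such as Exeinfo PE would flag, namely per-section Shannon entropy (packed or encrypted sections sit near 8 bits/byte), packer-style section names, and the overlay, i.e. the bytes after the last section that a PE trim strips. The sample file is a constructed, non-runnable PE skeleton; pe_triage and build_sample_pe are names chosen here, and on a real binary you would call pe_triage(open(path, "rb").read()).

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run (or empty input), 8.0 when every byte value is equally frequent."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_triage(image: bytes) -> dict:
    """Walk the COFF section table of a PE image and report packer indicators (no third-party parser)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)   # Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
    num_sections, size_opt = coff[1], coff[5]
    sec_off = e_lfanew + 24 + size_opt                            # section headers follow the optional header
    end_of_data = sec_off + 40 * num_sections                     # end of headers, in case no section carries raw data
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, sec_off + 40 * i)
        body = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size, "entropy": round(shannon_entropy(body), 2)})
        end_of_data = max(end_of_data, raw_ptr + raw_size)
    return {
        "file_size": len(image),                                  # compare with the ~5 to 6.7 MB range expected for emule.exe
        "sections": sections,
        "high_entropy_sections": [s["name"] for s in sections if s["entropy"] > 7.0],  # packed/encrypted code sits near 8
        "overlay_bytes": max(len(image) - end_of_data, 0),        # trailing data a PE trim strips; also where payloads hide
    }

def build_sample_pe() -> bytes:
    """Constructed sample only: a PE-shaped file (not runnable) with a plain .text section, a UPX-style
    section of uniformly distributed bytes, and 96 bytes of overlay appended after the last section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew at 0x3C -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, two sections, 224-byte PE32 optional header
    opt = b"\x0b\x01" + b"\0" * 222                                # PE32 magic 0x10b, remaining fields zeroed
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", 512, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    upx_hdr = struct.pack("<8sIIIIIIHHI", b"UPX1", 512, 0x2000, 512, 1024, 0, 0, 0, 0, 0xE0000040)
    headers = dos + b"PE\0\0" + coff + opt + text_hdr + upx_hdr
    headers += b"\0" * (512 - len(headers))                       # pad headers up to the first section's raw offset
    text = b"\x90" * 512                                          # constant bytes -> entropy 0.0
    packed = bytes(range(256)) * 2                                # every byte value twice -> entropy exactly 8.0
    overlay = b"OVERLAY-DATA" * 8                                 # 96 bytes past the end of the last section
    return headers + text + packed + overlay
```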

Submit a comment under the topics so that people can keep an eye on the file.


( packer: Armadillo 6.0x (exe) 32-bit / MS C++ v8 fake PE signature, unpack: OllyDbg script?! - it's not C++ v8! )



But after I found this story on Shareactor about my page, claiming that I do not carefully scan eMule mods for Trojans and viruses before publishing, which I cannot get out of my head in combination with Trojans, I ask myself: what about the most widespread eMule mod, Applejuice? Up to the latest version it autostarts the embedded web browser and the ads tracking cookie. As soon as the mod starts, the tracking cookie is active. We all know click-streaming and the way cookies can behave. Three and more different advertiser companies behind thousands of users of this mod. The mod has been published for years in its current versions on the biggest traffic sites such as: chip.eu, www.freeware-base.de, chip.asia, chip.de, hundreds, maybe thousands more... http://www.google.com/search?q=emule+applejuice (Google alone shows 41.800 search results for emule applejuice, Yahoo Search 99,600 results for emule applejuice, another 19.500 by Live Search)
The Applejuice mod has all Xtreme features plus tons of leecher features, undetectable with the right settings. More than 40.000 downloads per version on just a few high-traffic software sites on top-level domains in all possible languages.
