A trojaned crack
Side note. Check this out: this post explains a nice real-world demonstration of spyware from crackz.ws, done by Eric Howes. Download the infection video here
NOTE - the trojan adobemgr.exe in the article below is very easy to remove and has no self-protection. It can be deleted from Safe Mode, or you can delete the startup entry, reboot, and then delete the file.
Cracks and keygens - warez - have long been a big distribution vector for new spyware, trojans and other malware. Today I grabbed a sample that shows up detected as a trojan by a few scanners. As you can see, it is missed by many.
Prince.Of.Persia.2.Warrior.Within.NoDISC.Crack-MiNT.zip...
Old results:
AntiVir No viruses found.
ArcaVir No viruses found.
Avast No viruses found.
AVG Antivirus No viruses found.
BitDefender Trojan.Clicker.VB.JY
ClamAV No viruses found.
Dr.Web Trojan.Click.789
F-Prot Antivirus No viruses found.
Fortinet No viruses found.
Kaspersky Anti-Virus No viruses found.
NOD32 No viruses found.
Norman Virus Control W32/Agent.HLE
UNA No viruses found.
VBA32 No viruses found.
The plot thickens..
What's this? An additional file - yes, this is a trojaned crack. Someone has simply zipped up the crack files and ADDED their own file. So here is an example of what to look out for - the additional file is clearly suspicious:

OK, so they just add a file, crack-inf.exe, and try to trick you into running it. Pretty easy to avoid, right? Note the last-modified time of the additional file, even though the crack itself is already archived (RAR).

This looked like a clean file. The three scanners above, however, are correct and are the only ones detecting this!
Things like this DO happen out there in the real world, and it works. Users want a free game or program, and download it. Often they CAN get a clean file, but anyone can take that, add something nasty and torrent it, or send it to warez/crack/keygen sites for distribution!
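The check described above (a loose executable sitting beside the already-packed release, with a last-modified time that does not match the other files) can be automated before anything is extracted or run. This is an added example, not code from the original post; the extension lists, the one-day threshold and the sample archive (file names other than crack-inf.exe, all timestamps and contents) are constructed assumptions.

```python
import hashlib
import io
import zipfile
from datetime import datetime, timedelta

EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".pif")  # assumed list of launchable types
INNER_ARCHIVE_EXT = (".rar", ".zip", ".7z")          # assumed list of packed releases

def audit_zip(data, max_skew=timedelta(days=1)):
    """Return findings for executables that look added after the original packaging."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        if not members:
            return findings
        stamps = {m.filename: datetime(*m.date_time) for m in members}
        typical = sorted(stamps.values())[len(stamps) // 2]  # middle timestamp
        has_inner = any(m.filename.lower().endswith(INNER_ARCHIVE_EXT) for m in members)
        for m in members:
            if not m.filename.lower().endswith(EXEC_EXT):
                continue
            reasons = []
            if abs(stamps[m.filename] - typical) > max_skew:
                reasons.append("mtime differs from the rest of the archive")
            if has_inner:
                reasons.append("loose executable beside an inner archive")
            if reasons:
                # MD5 as used in the post; it is only a lookup key for scan results
                findings.append({"name": m.filename, "mtime": stamps[m.filename],
                                 "md5": hashlib.md5(zf.read(m)).hexdigest(),
                                 "reasons": reasons})
    return findings

def build_sample():
    """Constructed archive: two original files plus one executable added later."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, when, body in [
            ("release.rar", (2005, 1, 10, 12, 0, 0), b"Rar!constructed"),
            ("release.nfo", (2005, 1, 10, 12, 0, 0), b"constructed nfo"),
            ("crack-inf.exe", (2005, 3, 2, 9, 30, 0), b"MZconstructed"),
        ]:
            zf.writestr(zipfile.ZipInfo(name, date_time=when), body)
    return buf.getvalue()

if __name__ == "__main__":
    for f in audit_zip(build_sample()):
        print(f["name"], f["mtime"], f["md5"], "; ".join(f["reasons"]))
```

Archive timestamps are set by whoever built the archive, so a matching timestamp proves nothing; a mismatch is only a reason to look closer and scan the extracted file by itself.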
The next day
New results:
AntiVir No viruses found
ArcaVir No viruses found
Avast No viruses found
AVG Antivirus No viruses found
BitDefender Trojan.Clicker.VB.JY
ClamAV No viruses found
Dr.Web Trojan.Click.789
F-Prot Antivirus No viruses found
Fortinet No viruses found
Kaspersky Anti-Virus No viruses found
NOD32 No viruses found
Norman Virus Control W32/Agent.HLE
UNA No viruses found
VBA32 No viruses found
But THIS is the only bad file, extracted and scanned by itself.
File: adobemgr.exe
MD5 40a3638d8c6b7b044072c22fd314e9df
Scanner results
AntiVir Found Trojan/Agent.HLE
ArcaVir Found Trojan.Clicker.Vb.Jy
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Clicker.VB.JY
ClamAV Found nothing
Dr.Web Found Trojan.Click.789
F-Prot Antivirus Found nothing
Fortinet Found Adware/VB
Kaspersky Anti-Virus Found Trojan-Clicker.Win32.VB.jy
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Clicker.Win32.VB.jy
Much better, but still missed by many good AVs. The only missed detection for KAV, however, is an NSIS unpack detection: once the installer is run and all files get unpacked, the actual trojan will be produced on disk and detected by realtime protection.
A little more proof that realtime, on-access protection is vital. Even the best unpacking and unarchive protection of KAV will miss one sometimes. Rare, unless the archive was deliberately modified.
THIS is the scan another 2 days later! Still missed detections; some people must be busy or slow updaters. Disappointing for NOD32 and ClamAV this time; AVG got it within reasonable time.
File: adobemgr.exe
AntiVir Found Trojan/Agent.HLE
ArcaVir Found Trojan.Clicker.Vb.Jy
Avast Found Win32:Trojano-3001
AVG Antivirus Found Clicker.AKL
BitDefender Found Trojan.Clicker.VB.JY
ClamAV Found nothing
Dr.Web Found Trojan.Click.789
F-Prot Antivirus Found W32/Trojan.ACB
Fortinet Found Adware/VB
Kaspersky Anti-Virus Found Trojan-Clicker.Win32.VB.jy
NOD32 Found nothing
Norman Virus Control Found W32/Adclicker.DX
UNA Found nothing
VBA32 Found Trojan-Clicker.Win32.VB.jy
UPDATE: TrojanHunter now also detects both files as I update this nice scanner. I aim to detect the worst trojans, FAST. Updates will be high priority and virtually daily. The newer versions of Trojan Hunter should be far better, and when smaller updates are possible I will update it 2-3 times some days.