Dodgy Downloads - Printable Version

-Shoutbox (https://shoutbox.menthix.net)
+-- Forum: MsgHelp Archive (/forumdisplay.php?fid=58)
+--- Forum: General (/forumdisplay.php?fid=11)
+---- Forum: Forum & Website (/forumdisplay.php?fid=13)
+----- Thread: Dodgy Downloads (/showthread.php?tid=29087)

Dodgy Downloads by GiantSpider on 07-25-2004 at 01:47 PM

Today on IRC someone came in with a problem installing Plus!. Sunshine and I went to work and found out it was a virus. When I downloaded Plus! from the site and from Simtel I got this.

[Image: attachment.php?pid=282122]

Now, the 3-02 version I got from the site and the .zip I got from Simtel. Sunshine scanned them and found no viruses, but it is weird, no?

EDIT: Both Files are 3.01.94


RE: Dodgy Downloads by GiantSpider on 07-25-2004 at 02:05 PM

quote:
Originally posted by Stigmata
Simtel like to include their own files

Care to explain?


RE: Dodgy Downloads by GiantSpider on 07-25-2004 at 02:33 PM

Well the only file in the .zip was MsgPlus!.exe


RE: Dodgy Downloads by GiantSpider on 07-25-2004 at 02:39 PM

You betcha


RE: Dodgy Downloads by GiantSpider on 07-25-2004 at 02:43 PM

rar a .zip?


RE: Dodgy Downloads by CookieRevised on 07-25-2004 at 02:48 PM

Errmmm, Stigmata:
1) The files on Simtel are exactly the same as the ones you find on Patchou's server. The only thing that Simtel does is zip them, nothing more...
2) The point of being a mirror site is that they do not alter any of the files they host!
3) You can't hide a file inside a zip file.
4) "rar the file, then using winrar to unrar it it will show u everything inside have a check" ... that makes absolutely no sense...


GiantSpider has sent the file to me...

Size:
Original Plus! 3.01.94: 3.497.984 bytes
Infected Plus! 3.01.94: 3.502.080 bytes (=4096 bytes bigger)

TimeDateStamp: (this is not the timestamp that you'll see in Windows, but the timestamp from when the exe file was actually built; it is found inside the exe header itself)
Original Plus! 3.01.94: 2/6/2004 22:29:47
Infected Plus! 3.01.94: 24/7/2004 22:31:36 (=yesterday!)

The resources (aka setup files etc.) inside are the same.

Remarks:
It is very strange that the file was downloaded from an official source while the file was named MsgPlus-302.exe.

Note that this happened only to GiantSpider and the person on IRC!

Both GiantSpider and the person who came on IRC got this file by downloading it from an official source.

The thing that popped up after installing was "Bad Elmo, u need to install this with the parental program"...

A scan of the file resulted in nothing, no detected infection. (at least as far as I can tell with a cheap/free scanner :p)

Although I can't find anything (at this moment after a quick search) related to a virus, this has been reported before with other people (and other files):
http://club.cdfreaks.com/showthread.php?t=84510
http://www.pchelper.nl/forum/index.php?showtopic=1718
http://www.talkroot.com/archive/topic/14496-1.html

Also, together with the "bad elmo" talk, there is also talk about a related MP3_plugin.exe (someone says this is the source of the problem), and inside that file I find "http://www.lop.com". Logical, if you consider that someone else says that that file is the LOP installer. But why the strange name then?.. :/

Conclusion:
* Either both are infected with some kind of spyware/virus/trojan/whatever (but it is strange that this only happened once and only with Plus! downloads)
* Or something is fishy with the sponsor program (LOP acting up again?)

Note:
Although it seems that it is some malicious thing called "Bad Elmo", it is really frustrating that you can't find ANYTHING about it on the net. The only things you find are "it is spyware", "it is a virus", etc... but nobody and no company reports what it ACTUALLY is and what it EXACTLY does....
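
One way to do the comparison CookieRevised describes above (size, a hash, and the build TimeDateStamp read from the exe header), as an added example that is not part of the thread. The two images are constructed stand-ins padded to the sizes quoted above, with the quoted build dates read as day/month/year and assumed to be UTC.

```python
# Added example (not from the thread): compare two downloads of one installer
# the way CookieRevised did: size, a cryptographic hash and the build
# TimeDateStamp read from the PE/COFF header itself.
import hashlib
import struct
from datetime import datetime, timezone

def pe_timedatestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since 1970-01-01, assumed UTC)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def stamp_utc(ts: int) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def compare_downloads(reference: bytes, suspect: bytes) -> dict:
    """Summarise how the suspect download differs from the reference one."""
    return {
        "identical": hashlib.sha256(reference).digest() == hashlib.sha256(suspect).digest(),
        "size_delta": len(suspect) - len(reference),
        "built_reference": stamp_utc(pe_timedatestamp(reference)),
        "built_suspect": stamp_utc(pe_timedatestamp(suspect)),
    }

def make_stub(built: datetime, total_size: int) -> bytes:
    """Constructed minimal MZ/PE image (not a real installer) padded to total_size."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, int(built.timestamp()), 0, 0, 0, 0x102)
    image = bytes(dos) + b"PE\0\0" + coff
    return image + b"\0" * (total_size - len(image))

# Constructed stand-ins using the sizes and build dates quoted in the thread
ORIGINAL = make_stub(datetime(2004, 6, 2, 22, 29, 47, tzinfo=timezone.utc), 3_497_984)
SUSPECT = make_stub(datetime(2004, 7, 24, 22, 31, 36, tzinfo=timezone.utc), 3_502_080)

if __name__ == "__main__":
    for key, value in compare_downloads(ORIGINAL, SUSPECT).items():
        print(f"{key}: {value}")
```

A 4096-byte growth with a fresh build stamp is exactly the pattern the post flags; on real files, compare against the hash the publisher lists rather than against another mirror.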


RE: Dodgy Downloads by Kryptonate on 07-25-2004 at 03:01 PM

I just downloaded it from Simtel and there was nothing in it.


RE: Dodgy Downloads by GiantSpider on 07-25-2004 at 03:02 PM

Nothing as in empty?


RE: Dodgy Downloads by CookieRevised on 07-25-2004 at 03:15 PM

Kryptonate means "nothing" as in "nothing wrong with the file"....guess not :/

I highly doubt anybody else will get the MsgPlus-302.exe file, see my previous post...


RE: Dodgy Downloads by Kryptonate on 07-25-2004 at 03:17 PM

quote:
Originally posted by GiantSpider
Nothing as in empty?
yes, 0 KB.

Tried again to download it from Simtel but I couldn't access the page any longer, perhaps they're looking into it.

quote:
Originally posted by CookieRevised
Kryptonate means "nothing" as in "nothing wrong with the file"....
I highly doubt anybody else will get the MsgPlus-302.exe file, see my previous post...

no I don't :p


RE: Dodgy Downloads by CookieRevised on 07-25-2004 at 03:19 PM

wow... straaaange... of all the people I just asked now to download Plus! from Simtel (to check), they all got the same official untampered file...

anyways, GiantSpider, if you've run the 302-file, can you do a scan with Spybot S&D and attach the log in a post here?


RE: Dodgy Downloads by Kryptonate on 07-25-2004 at 03:24 PM

quote:
Originally posted by CookieRevised
wow... straaaange........
yeah, my first impression too, so I thought there could have been something that went wrong with the download so I wanted to try again. I clicked the link on http://www.msgplus.net/download.php and was directed to Simtel.net, where I couldn't see anything about Plus!, I got this page. I deleted the cookies of Simtel.net but I still get the same.


RE: Dodgy Downloads by CookieRevised on 07-25-2004 at 03:46 PM

Actually that page looks "right" in the sense that it has a broken layout in your browser though....

But look how it should actually look (see attachment)...
As you can see, everything is similar, except the layout differs a bit. Maybe this is because it couldn't load the part where the actual listings of the downloads are... can you try again?


RE: Dodgy Downloads by Kryptonate on 07-25-2004 at 03:53 PM

hm, looks like that :) :$

I tried downloading from the Belgian mirror and the Canadian one.
Belgian one:
0 KB
Canadian one:
packed size = 3.434.050
total size = 3.497.984


RE: Dodgy Downloads by Sunshine on 07-25-2004 at 03:55 PM

Hmm, I did some downloading myself and noticed a slight difference in the size:

msgplus-301.exe downloaded on 17-7-2004: 3416 KB
(edit: hmm, dodgy date, I don't recall re-downloading it)
msgplus-301.exe downloaded today: 3420 KB
(both times downloaded from www.msgplus.net)

Have there been changes since I downloaded Plus! 3 which would explain this difference?

Also I scanned the files (received from GS and my own downloads) with AntiVir Guard and Spybot S&D and it came up with nothing (I haven't executed the files).

Edit: downloads from Simtel can vary because the download comes from mirrors, not from the actual site....talk about looking for a needle in a haystack :/ Also the person coming onto IRC today downloaded from msgplus.net (we told him to redownload).


RE: Dodgy Downloads by Kryptonate on 07-25-2004 at 03:56 PM

quote:
Originally posted by CookieRevised
Infected Plus! 3.01.94: 3.502.080 bytes (=4096 bytes bigger)

just downloaded this one from msgplus.net

PC-Cillin doesn't come up with anything


RE: Dodgy Downloads by CookieRevised on 07-25-2004 at 04:20 PM

quote:
Originally posted by Kryptonate
I tried downloading from the Belgian mirror and the Canadian one.
Belgian one:
0kb
Yup, the Belgian mirror seems to be broken....
quote:
Originally posted by Sunshine
Edit: dl's from Simtel can vary cuz the dl come from mirrors not from the actual site....
No... although the zip file can vary because of different compression rates used (but this is very unlikely), the actual program inside it, in this case Plus!, MUST be exactly the same as the main download.
What CAN happen is that a mirror doesn't have the latest download, but still then that "older" download will be exactly, byte by byte, the same as the (old) main download...



quote:
Originally posted by Sunshine
Hmm, I did some downloading myself and noticed a slight difference in the size:
msgplus-301.exe downloaded on 17-7-2004: 3416 KB
msgplus-301.exe downloaded today: 3420 KB
(both times downloaded from www.msgplus.net)

quote:
Originally posted by Kryptonate
quote:
Originally posted by CookieRevised
Infected Plus! 3.01.94: 3.502.080 bytes (=4096 bytes bigger)
just downloaded this one from msgplus.net

Confirmed... I also just downloaded that file!!!!!!

Conclusion:
* Patchou's server is infected...
* The whole "Elmo" thing was local and the person on IRC was infected, and it is all a coincidence together with:
* Patchou has updated "something" (but I find it very strange that it is exactly 4096 bytes bigger => mostly a sign of viruses)

EDIT:
* "Bad Elmo" seems indeed sponsor related and apparently Patchou has updated the setup package with an updated sponsor package....
(but this still doesn't explain the name of the file that GiantSpider got)


RE: Dodgy Downloads by GiantSpider on 07-25-2004 at 07:58 PM

Thanks a lot, everyone, for your help and research into this. Does Patchou know about this? I think this could be a thing for him to look into.

MsgPlus-302 = 3,502,080 bytes (From Official Site)
MsgPlus-301 = 3,497,984 bytes (From Official Site)
MsgPlus-301 = 3,502,080 bytes (From Simtel)

All of the above are the same file!


RE: Dodgy Downloads by CookieRevised on 07-25-2004 at 08:19 PM

yeah, he probably knows, he updated the sponsor package (I've been told by trusted people ;))...


RE: Dodgy Downloads by Maniac on 07-25-2004 at 08:52 PM

since when is there a 302? :s It's not even in the download section of the site :s


RE: Dodgy Downloads by GiantSpider on 07-25-2004 at 09:40 PM

There isn't. Look, read the goddamn thread, mkthx