Thursday, August 16, 2007

FileDownloader V1.24 and all versions before hijack the web browser UA string!!!

(used by Vanix.Net and others...)

The User-Agent string then looks like: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7pre) Gecko/20070815 FileDownloader - Build ID: 2007081504

I first searched for a hijacked LSP, tried a Winsock fix, etc., to pin the problem down and point it out here, but the answer turned out to be a modified prefs.js file in the Mozilla Firefox profile folder.

Thanks to Mr.x from FileDownloader Net (http://filedownloader.net/)

Users of his program FileDownloader (fdn.msi, http://filedownloader.net/fdn_download/download.php)

browse the web after installation with a "branded" web browser, whether
Firefox, Internet Explorer or others:

Hex dump snippet from the file FDN.exe, 1,48 MB (1.553.408 bytes):

10CFD0 4D 6F 7A 69 6C 6C 61 5C 46 69 72 65 66 6F 78 5C Mozilla\Firefox\
10CFE0 50 72 6F 66 69 6C 65 73 5C 00 00 00 FF FF FF FF Profiles\...
10CFF0 03 00 00 00 2A 2E 2A 00 FF FF FF FF 08 00 00 00 ....*.*. ....
10D000 70 72 65 66 73 2E 6A 73 00 00 00 00 FF FF FF FF prefs.js....
10D010 28 00 00 00 4D 6F 7A 69 6C 6C 61 20 46 69 72 65 (...Mozilla Fire
10D020 66 6F 78 5C 64 65 66 61 75 6C 74 73 5C 70 72 65 fox\defaults\pre
10D030 66 5C 66 69 72 65 66 6F 78 2E 6A 73 00 00 00 00 f\firefox.js....
10D040 FF FF FF FF 1F 00 00 00 67 65 6E 65 72 61 6C 2E ....general.
10D050 75 73 65 72 61 67 65 6E 74 2E 65 78 74 72 61 2E useragent.extra.
10D060 66 69 72 65 66 6F 78 00 FF FF FF FF 03 00 00 00 firefox. ....
10D070 22 29 3B 00 FF FF FF FF 04 00 00 00 22 2C 20 22 ");. ....", "
10D080 00 00 00 00 FF FF FF FF 0E 00 00 00 46 69 6C 65 .... ....File
10D090 44 6F 77 6E 6C 6F 61 64 65 72 00 00 FF FF FF FF Downloader..
10D0A0 2E 00 00 00 75 73 65 72 5F 70 72 65 66 28 22 67 ....user_pref("g
10D0B0 65 6E 65 72 61 6C 2E 75 73 65 72 61 67 65 6E 74 eneral.useragent
10D0C0 2E 65 78 74 72 61 2E 66 69 72 65 66 6F 78 22 2C .extra.firefox",
10D0D0 20 22 00 00 FF FF FF FF 12 00 00 00 3B 46 69 6C ".. ....;Fil
10D0E0 65 44 6F 77 6E 6C 6F 61 64 65 72 22 29 3B 00 00 eDownloader");..
10D0F0 FF FF FF FF 3F 00 00 00 75 73 65 72 5F 70 72 65 ?...user_pre
10D100 66 28 22 67 65 6E 65 72 61 6C 2E 75 73 65 72 61 f("general.usera
10D110 67 65 6E 74 2E 65 78 74 72 61 2E 66 69 72 65 66 gent.extra.firef
10D120 6F 78 22 2C 20 22 46 69 6C 65 44 6F 77 6E 6C 6F ox", "FileDownlo
10D130 61 64 65 72 22 29 3B 00 55 8B EC 53 56 57 8B F9 ader");.Uï8SVWï·


Result: websites such as web counters, forums and others treat you as a bot. For example, an "enhanced" vBulletin board, as well as other website scripts, shows you a security message as soon as you visit.
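Seen from the website side, the same marker can be used to recognise affected visitors and tell them how to fix their browser, instead of locking them out as bots. This is an added example, not code from the post or from FileDownloader: it scans Apache/nginx combined-format access log lines (the log layout and the sample lines are constructed assumptions) for the hijacked UA pattern and counts hits per client IP.

```python
import re

# Apache/nginx "combined" log format (assumption about the log layout)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def is_hijacked_ua(ua):
    """True when the UA carries the FileDownloader marker in place of Firefox's
    own product token: a Gecko UA naming "FileDownloader" but no "Firefox/" version."""
    return "FileDownloader" in ua and "Gecko/" in ua and "Firefox/" not in ua

def find_hijacked_clients(log_lines):
    """Return {client_ip: request_count} for requests sent with a hijacked UA.
    Lines that do not match the combined format are skipped, not counted."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_hijacked_ua(m.group("ua")):
            ip = m.group("ip")
            hits[ip] = hits.get(ip, 0) + 1
    return hits

# Constructed sample log lines (not real traffic); the UA on the first two is the one from the post
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Aug/2007:10:00:01 +0200] "GET /forum/ HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7pre) Gecko/20070815 '
    'FileDownloader - Build ID: 2007081504"',
    '192.0.2.10 - - [16/Aug/2007:10:00:02 +0200] "GET /forum/style.css HTTP/1.1" 200 812 '
    '"http://example.test/forum/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7pre) '
    'Gecko/20070815 FileDownloader - Build ID: 2007081504"',
    '198.51.100.7 - - [16/Aug/2007:10:01:00 +0200] "GET / HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"',
    'garbage line that is not in combined format',
]

if __name__ == "__main__":
    for ip, n in sorted(find_hijacked_clients(SAMPLE_LOG).items()):
        print("%s: %d request(s) with hijacked UA" % (ip, n))
```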

Looks like this:
Sorry for the inconvenience!
Entschuldigen Sie bitte diese Unannehmlichkeit!
Obviously your access to this site has been suspended by mistake.
Offensichtlich wurde Ihnen der Zugang zu dieser Site fälschlicherweise verweigert.

By solving the arithmetical problem you can visit this website temporarily.
Durch Lösung der Rechenaufgabe können Sie diese WebSite temporär besuchen.

(2 * 5) × (–1) result: =


Please tell us here to remove the lock restriction:
Bitte melden Sie sich hier um die Sperrung aufzuheben:
Complaint Board
Beschwerde Forum


Other extensions such as RoboForm get disabled as well, and much more!!!

Solution for Mozilla Webbrowser:

go to the profile folder,
edit prefs.js,
find: user_pref("general.useragent.extra.firefox", "FileDownloader");
and delete this line!
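An added example (not from the post or from FileDownloader) that automates the prefs.js fix above. It handles both forms visible in the FDN.exe strings: the value replaced outright with "FileDownloader", and ";FileDownloader" appended to an existing value. It assumes Firefox is closed, because Firefox rewrites prefs.js on exit; the sample prefs.js content is constructed.

```python
import re

# One user_pref line for the hijacked preference (assumes a plain quoted string value)
PREF_RE = re.compile(
    r'^\s*user_pref\("general\.useragent\.extra\.firefox",\s*"([^"]*)"\);\s*$'
)
MARKER = "FileDownloader"

def clean_prefs(text):
    """Return (cleaned_text, findings) for the content of a prefs.js file.

    Two forms appear in the FDN.exe strings above and both are handled:
    - value replaced outright with "FileDownloader": the line is dropped, so
      Firefox falls back to its built-in default for the preference
    - ";FileDownloader" appended to an existing value: only that part is stripped
    """
    out, findings = [], []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m or MARKER not in m.group(1):
            out.append(line)
            continue
        value = m.group(1)
        kept = ";".join(p for p in value.split(";") if p and p != MARKER)
        kind = "stripped" if kept else "removed"
        findings.append((kind, value))
        if kept:
            out.append('user_pref("general.useragent.extra.firefox", "%s");' % kept)
    cleaned = "\n".join(out)
    if text.endswith("\n"):
        cleaned += "\n"
    return cleaned, findings

def clean_prefs_file(path):
    """Clean prefs.js in place, keeping the original as prefs.js.bak.
    Run with Firefox closed: Firefox rewrites prefs.js on exit and would undo the edit."""
    with open(path, "r", encoding="utf-8") as f:
        original = f.read()
    cleaned, findings = clean_prefs(original)
    if findings:
        with open(path + ".bak", "w", encoding="utf-8") as f:
            f.write(original)
        with open(path, "w", encoding="utf-8") as f:
            f.write(cleaned)
    return findings

# Constructed sample prefs.js content (not from a real profile)
SAMPLE_PREFS = (
    "# Mozilla User Preferences\n"
    'user_pref("browser.startup.homepage", "about:blank");\n'
    'user_pref("general.useragent.extra.firefox", "FileDownloader");\n'
    'user_pref("network.cookie.cookieBehavior", 0);\n'
)
```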

I don't know how it is done in IE (which normally takes the UA string from the Windows Registry), or whether Opera is affected too.
In any case, IE forced me to visit this page once on startup: http://en.sergiwa.com/modules/mydownloads/singlefile.php?cid=2&lid=6

Extracted installer files in the attachment: fdn.7z (1006.69 KB)
(don't run the file fdn.msi or FDN.exe unless you want to edit the "new" UA extension in your web browser back to the normal one!!!)


...14h later
After restoring the Mozilla web browser settings I realized that the firewall filter driver had been disabled. Every attempt to reinstall the firewall failed; the firewall is permanently off in an error mode. The legitimate product activations of some applications, including AV subscriptions (ESET, Agnitum, Kaspersky...) and the Windows Genuine product key, are suddenly invalid. Stolen? The OS on that system is unusable after trying to recover, because all backups are injected with it too. I can't read binary code beyond the part above, but since my very first computer, a Commodore C64 in 1983, I have never seen an application that can cause such a disaster and destroy Windows unrecoverably.

4 comments:

tunay said...

Hi, excellent site I'm looking for emule rapcom 9.0.2 and emule rapcom l33cher edition, can you find them?

Anonymous said...

This program acts very suspiciously. I use a virtual machine (ahem, more precisely a sandbox) and once the prog has been installed, I run it and it crashes, leaving my PC untouched.
BTW I suggest to NOT USE THIS PROGRAM. Want a DL manager? Use IDM!

Anonymous said...

Don't execute this file!!!
We lost one computer operating system with it, with nothing more to restore because the system restore point is infected as well. It modifies not only the web browser UA strings, so that all users of this program get traced on every website, every counter, every web server log by the very special sign of the browser user agent string plus the IP etc.
We needed to buy new hardware to back up the 500 GB HDD where the now broken OS was.

Anonymous said...

Send them the bill: http://filedownloader.net/ whois info and contact should match. We need to install/configure the OS and all programs as they were before on a server with 4 workstations again from zero, after 'filedownloader' was installed on one computer. The systems ran for 4 years, 24h a day, without any errors until someone set up this program; a nightmare. Here the same: the firewall driver and web browser with net protocols are infected. Windows 2003 Server with Windows XP workstations.
