Sunday, May 24, 2009

emule.exe Mods and BT Software safety scan @sharereactor.ru




I make sure this page does not host any Trojans or viruses in the mods. Every single mod has been scanned with Virustotal.com. If an exe packer/protector has been found, which can be a suspicious sign of a Trojan hidden inside C++ compiled software, unpacking tips and remarks are published as well.
Leecher mods have existed forever; that alone doesn't mean anything bad. Some mods are made to release the full upload speed, not only download (no limit on sharing part files via powerrelease etc.).

If you find any form of possible Trojan or virus, please click the contact us link and we will check it instantly and try to unpack the PE (exe, dll) files for deep analysis.

Suspicious mods known so far, built with exe protectors, are:
- Early versions of all Applejuice mods (shown as false positives after unpacking), including IL reverse engineered AJ mods // the exe protector caused the false positive
- eMule eXcalibur
- eMule BigBan / eMule PRO (protector: Obsidium)
- 3 or 4 minor board mods (the links are removed)

Other category (no exe protector/packer, but malicious functions):
- Newer eMule Applejuice mod versions // Some tracking cookies are downloaded automatically by the embedded mod web browser and collect user data (info for advertisers only?); embedded ad scripts/code collect user info.
- Some VeryCD mods // patch the Windows system file tcpip.sys (connection limit) without asking the user, and install a BHO as soon as emule.exe is executed.
- Some eMule (mod) installers (we never publish installer versions) // Toolbars and ads can be installed with them. Our advice: unpack the installer with UniExtract, take just the application .exe and delete the 'unknown' rest of the content.

If you are not sure how to deal with 'unknown' binaries, use tools like a PE identifier and scan exe/dll files before executing any new file. My suggestion: use Exeinfo PE from A.S.L., which can also show some embedded URLs in files. Try opening the file in PE Explorer; if this fails, it is packed and/or PE protected, as is common in shareware and cracked software.
Another sign: eMule.exe is usually above 5 MB in size; not many get it below 5 MB by compiling. Test emule.exe files that are smaller than 5.03 MB or bigger than 6.7 MB.
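As an added example (not a tool from this page or its author), the following Python script applies the triage described above to a binary in memory: it checks the size range given here, walks the PE section table, flags section names that common packers leave behind (an assumed, deliberately short list) and flags sections with high byte entropy, which is typical of packed or encrypted code. The two sample images are constructed inside the script so it runs offline; a real file would be read with `open(path, "rb").read()`.

```python
import math
import struct
from collections import Counter

MB = 1024 * 1024
SIZE_MIN, SIZE_MAX = int(5.03 * MB), int(6.7 * MB)   # emule.exe size range given in the post
# Section names that common packers leave behind (assumed, deliberately short list).
PACKER_SECTIONS = {b"UPX0", b"UPX1", b".aspack", b".adata", b".petite"}
def size_ok(n_bytes):
    return SIZE_MIN <= n_bytes <= SIZE_MAX
def entropy(buf):
    """Shannon entropy in bits per byte; values near 8.0 mean compressed or encrypted content."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0
def parse_sections(data):
    """Walk the DOS and COFF headers and return [(section_name, raw_bytes), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size                              # section table follows the optional header
    rows = (struct.unpack_from("<8sIIII", data, table + 40 * i) for i in range(nsec))
    return [(name.rstrip(b"\0"), data[ptr:ptr + size]) for name, _, _, size, ptr in rows]

def triage(data):
    """Return a list of findings; an empty list means nothing looked off."""
    findings = [] if size_ok(len(data)) else [f"size {len(data)} bytes outside expected range"]
    try:
        sections = parse_sections(data)
    except (ValueError, struct.error) as exc:
        return findings + [f"unparsable: {exc}"]
    for name, raw in sections:
        if name in PACKER_SECTIONS:
            findings.append(f"packer section {name.decode()}")
        if len(raw) >= 256 and entropy(raw) > 7.0:         # skip tiny sections, they say little
            findings.append(f"high entropy in {name.decode()}")
    return findings
def build_pe(sections):
    """Constructed minimal PE image for testing (not a real emule.exe): DOS stub, COFF header, sections."""
    hdr_len, table, body = 0x40 + 24 + 40 * len(sections), b"", b""
    for name, payload in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(payload), 0x1000, len(payload), hdr_len + len(body), 0, 0, 0, 0, 0x60000020)
        body += payload
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + coff + table + body

CLEAN_SAMPLE = build_pe([(b".text", b"\x55\x8b\xec\xc3" * 1024), (b".data", b"\0" * 512)])   # plain code + data
# every byte value appears equally often, entropy 8.0, like a compressed/encrypted UPX1 section
PACKED_SAMPLE = build_pe([(b"UPX0", b""), (b"UPX1", bytes((i * 131 + 7) % 256 for i in range(4096)))])
```

Both constructed samples are far below 5.03 MB, so the size finding appears for each of them; only the second one also trips the packer-name and entropy checks.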

Submit a comment under the topics so that people can keep an eye on the file.


(packer: Armadillo 6.0x (exe) 32-bit / MS C++ v8 fake PE signature; unpack: OllyDbg script?! It's not C++ v8!)



But then I found this story on Shareactor claiming that my page does not carefully scan eMule mods for Trojans and viruses before publishing, which I cannot get out of my head in connection with Trojans. So I ask myself: what about the most widespread eMule mod, Applejuice? Up to the latest version it autostarts the embedded web browser and an ad tracking cookie. As soon as the mod starts, the tracking cookie is active. We all know click-streaming and the way cookies can behave: 3 and more different advertiser companies behind thousands of users of this mod. The mod has been published for years in its current versions on the biggest traffic sites such as chip.eu, www.freeware-base.de, chip.asia, chip.de and hundreds, maybe thousands more... http://www.google.com/search?q=emule+applejuice (Google alone shows 41.800 search results for emule applejuice, Yahoo Search 99,600 results and another 19.500 on Live Search.)
The Applejuice mod has all Xtreme features plus tons of leecher features; with the right settings it is undetectable. More than 40.000 downloads per version on just a few high traffic software sites on top-level domains in all possible languages.

5 comments:

Anonymous said...

By publishing patchers (and alike "BIN" changers) - you may be causing modders to pack and / or encrypt their mods ...

IlLusioN said...

It's crazy! What do you want to reverse in eMule mods without login and hidden disabled features?

Anonymous said...

Fear the same thing as Sharereactor.ru. Anyone from Anti-P2P could post an encrypted mod which connects to a bad location.

Anonymous said...

http://unpacking.narod.ru/armadillo.html

IlLusioN said...

Just post checksums of the original files! If anyone publishes fake splashscreens (changed splashscreens) or URLs, I publish the original; nobody will download the fake, that's it. No need to encrypt it if there is nothing to hack, no releaser login, no auth at all.

We did the same mistakes a long time ago with stupid splashscreens after another blog and forums did it (see all dlage mods, look at the 00de versions, the dlage forum leecherclients.org and the one from a wordpress blog). Sorry for that, didn't know enough at that time; it will never happen again to change an original mod if there is no auth login with server check coded and no reason for it.

Finish, close: I removed all crypted client software from my page.

Post a Comment