Tuesday, August 4, 2009

Orbit Downloader 2.8 & McAfee SiteAdvisor Domain Web Safety Ratings

Changes in Orbit Downloader 2.8.15 (Aug 4, 2009):
* Fix: some bugs that could cause IE to crash via Grabpro
* Fix: some bugs that could cause Grab++ to crash

Known issues:

Someone sent the download link to the McAfee SiteAdvisor team. We documented Orbit's install-time behaviour and describe below how to edit the program manually after extracting the installer instead of running setup:
* The web browser's default search engine and start page are changed when setup is run (a browser hijack). Several other Windows registry entries are added that are not needed to run the program; add the browser-integration context-menu entries to the registry manually if you want them.
* Add-ons for the different web browsers, if installed, are set up manually from the extracted, hex-edited installer files.
* The Kontera tracking cookie does not appear once the program's individual files have been hex-edited (the URLs are stored inside the binaries).
* Check first with a PE identifier whether the files/program components are compressed or protected; if so, unpack them before editing, since the URLs are not visible in a packed file.
* Register the BHO with regsvr32, then hex-edit the remaining URLs as shown in the analysis.
* For ASPack-packed exe/dll files (see exeinfoPE), try ASPack unpacker 1.13 by PE_Kill (Abstersiver.exe); for ASProtect, run stripperX (old or new version).

Together with SiteAdvisor's Program Test Protocol, this is the instruction for making a clean Orbit Downloader on your PC.

You can easily write a batch file that adds only the needed registry keys to the Windows registry and registers the BHO, and pack it together with the hex-edited program files into a RAR SFX or 7-Zip SFX archive (a simple extract-and-install batch). Inno Setup is easy to operate and can be used to build a new clean setup of this freeware program to share.
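As an added example (not part of the original post and not Orbit's own code), the inspection part of the procedure above in Python: a PE section-table reader with a section-name and entropy packer heuristic (standing in for exeinfoPE, and a heuristic only: ASPack's `.aspack`/`.adata` names are well known, ASProtect is not reliably identified by names), a finder for ASCII and UTF-16LE URLs inside a binary, and an in-place neutralizer that overwrites each unwanted URL with NUL bytes of the same length so the file size and every offset stay intact, which is the one rule that matters when hex-editing URLs out of a binary. The sample PE and the URLs in it are constructed for the demonstration (`*.invalid` hosts, a Kontera-style tracking URL); the registry keys, BHO registration and SFX packaging are left to the Windows tools named above.

```python
"""Inspect an unpacked Orbit-style binary: list PE sections (packer heuristic) and
neutralize embedded ad/tracking URLs in place without changing the file length."""
import math
import re
import struct

# Section names typical for well-known packers (heuristic only; ASProtect is not
# reliably identified by section names, so high section entropy is the fallback).
PACKER_SECTIONS = {".aspack": "ASPack", ".adata": "ASPack", "UPX0": "UPX", "UPX1": "UPX"}

URL_ASCII = re.compile(rb"https?://[\x21-\x7e]+")
# Same thing for UTF-16LE strings, which Windows binaries use for many resources.
URL_WIDE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 means compressed/encrypted data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)


def pe_sections(data: bytes):
    """Return [(name, raw_offset, raw_size)] parsed from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4  # COFF header: Machine, NumberOfSections, ..., SizeOfOptionalHeader
    _machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    out = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return out


def packer_hints(data: bytes):
    """Name packers suggested by section names, plus sections with suspicious entropy."""
    hints = []
    for name, off, size in pe_sections(data):
        if name in PACKER_SECTIONS:
            hints.append(f"{name}: {PACKER_SECTIONS[name]}")
        elif entropy(data[off:off + size]) > 7.0:
            hints.append(f"{name}: high entropy, possibly packed/protected")
    return hints


def find_urls(data: bytes):
    """Return [(offset, url, encoding)] for ASCII and UTF-16LE URLs, in file order.
    Matches end at the first non-printable byte, normally the string's NUL terminator."""
    found = [(m.start(), m.group().decode("ascii"), "ascii") for m in URL_ASCII.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le"), "utf-16-le") for m in URL_WIDE.finditer(data)]
    return sorted(found)


def neutralize_urls(data: bytes, keep=()):
    """Overwrite every URL that contains no 'keep' substring with NUL bytes of the same
    length, so file size and offsets are unchanged and the C string becomes empty."""
    buf = bytearray(data)
    patched = []
    for off, url, enc in find_urls(data):
        if any(k in url for k in keep):
            continue
        width = len(url.encode(enc))
        buf[off:off + width] = b"\0" * width
        patched.append(url)
    return bytes(buf), patched


def build_sample_pe(section_names, body: bytes) -> bytes:
    """Constructed minimal PE (no optional header) used only for this demonstration."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(section_names)  # body follows the section table
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), len(body), 0x1000,
                    len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        for n in section_names)
    return dos + b"PE\0\0" + coff + table + body


# Constructed sample strings: one URL the program needs, two ad/tracking URLs.
SAMPLE_BODY = (b"\0" * 8 + b"http://updates.example.invalid/check" + b"\0"
               + b"http://track.kontera.invalid/?id=1" + b"\0"
               + "http://ads.example.invalid/".encode("utf-16-le") + b"\0\0")


def demo():
    pe = build_sample_pe([".text", ".aspack", ".adata"], SAMPLE_BODY)
    hints = packer_hints(pe)
    cleaned, patched = neutralize_urls(pe, keep=("updates.example.invalid",))
    return hints, patched, len(cleaned) == len(pe), [u for _, u, _ in find_urls(cleaned)]


if __name__ == "__main__":
    print(demo())
```

On a real file, read the unpacked exe/dll with `open(path, "rb").read()`, check `packer_hints()` first (a packed file must be unpacked before its strings are visible), review `find_urls()` and decide which hosts to keep, then write the bytes returned by `neutralize_urls()` over a copy of the file and register the BHO afterwards.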

See details from 7 April 2009:
The download link is always the same orbitdownloadersetup.exe; see the URL of the download.

McAfee SiteAdvisor confirms the program's behaviour and flags pages/domains that link to the download with a YELLOW warning domain/URL alert.

McAfee domain web safety rating, plus the connected Yahoo search-engine safety index, for the domains in the linked-URL report:

Web Safety Ratings from McAfee SiteAdvisor
How does it modify my system?
* The following programs were registered in our Add/Remove Programs:
Orbit Downloader
* Our browser home page was modified to be:
* Buttons, toolbars, or other modifications were made to our browser.
* The following icons were added to our desktop:
* The following programs were set to run every time our system is started:
c:\documents and settings\all users\start menu\programs\startup\orbit.lnk

The following modifications to the system registry were detected:
Network activity:
When we installed and ran orbitdownloadersetup.exe, the following network servers were contacted (legend: // = P2P service via DHT entry, // = web browser hijack URL).

A nightmare for webmasters who publish the program as is. Two top-level domains of our admins were each starred by McAfee for 10 months, even though the links were removed promptly after the warning. Several emails to their service had no success, and neither did public complaints (try posting in the wildener, McAfee, Outpost, security and AV vendor forums if your domain is listed) with the corrected domain, a SiteAdvisor-conforming 'clean' domain, and the URLs, newsfeeds included, after removal of the links to the possibly malicious software. With luck, after nearly a year, SiteAdvisor shows the cleaned domain green again to its users.

Installers of some eMule mods such as eChanblardNext (ads in the embedded web browser feature), the localized BitComet installers from BT Software, BS with Chinese search-engine toolbars/toolbar downloaders (older VC), and the Yandex Russian search toolbar carry, like the English Ask toolbar, Yahoo or Google custom search with ads embedded, or a (search) toolbar downloader in their installer setup (uTorrent, FrostWire for Windows). Web browsers themselves ship by default with possibly unwanted search engines such as Ask, Amazon, eBay, ...

...the same goes for most free download managers, for example the official FlashGet.
Orbit Downloader isn't bad if the user follows the instructions and has good knowledge of software, just as with browsing the web safely and securely. Today ads are simply everywhere.
