Virus Clues

If you are downloading files from a P2P network, then be especially wary of viruses.

One dead giveaway is when a search gives you moderate results, but then a few results (usually at the end of the list) suddenly show hundreds, or even thousands, of sources, particularly if those files are of wildly different sizes. What happened, did you get really lucky and find a hidden cache of the file you were looking for? No: those few results showing hundreds or thousands of sources are not real, they are viruses that a bad server returns. When you run a search, each queried server returns the list of sources it knows of for that file. Fake servers and virus pits always respond with a very large number of sources no matter what file was requested. The large count is bait: anyone who attempts to download the file receives one of a number of fakes (possibly even created dynamically), which are infected with viruses and other malware, regardless of what file they were trying to get.

Yet another dead giveaway is when you get a ZIP file that contains three files, an EXE, a DLL, and a TXT, especially if the files have gibberish filenames. This is a common dummy file that virus pits send out; it contains an encrypted virus (inspecting the binary contents suggests it is not an executable, but it is merely XOR-encrypted and is indeed a virus). What’s interesting about this one is that it usually uses the tag ZWT. ZWT is an actual scene group that does release “legitimate” cracks and such. It is unknown whether the owners of the virus pits that send out fake ZWT-tagged files targeted ZWT on purpose, but since it is the only group whose name is used in the fakes, that may very well be the case.

One more virus-infected fake pattern making the rounds on the donkey network is the one where the resulting files are an NFO file and an EXE. The EXE is the virus, and the NFO contains nothing but a numerical URL, e.g. www.209193.com, www.39520.com, etc. These fakes often include the name of a piece of software in the filenames, and even version numbers, to look more legitimate. However, they usually don’t carry release group names.
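As an added example (not part of the original post), the following Python script checks a downloaded archive for the two shapes described above: the three-file EXE/DLL/TXT bundle with gibberish names whose binaries hide a PE header behind a single-byte XOR, and the EXE+NFO release whose NFO holds only a numeric URL. The sample archives, filenames and XOR key are constructed for the demonstration; the gibberish test is a crude stand-in.

```python
import io
import re
import zipfile

# Added example: triage heuristics for the fake-release shapes the post
# describes. All sample archives below are constructed, not real downloads.
NUMERIC_URL = re.compile(r"^\s*(https?://)?www\.\d+\.com/?\s*$", re.I)
GIBBERISH = re.compile(r"^[^aeiou]{6,}$", re.I)   # crude 'random name' test
DOS_STUB = b"This program cannot be run in DOS mode."

def xor_key_for_pe(data):
    # Single-byte XOR key under which data decodes to a PE file (0 = plain), else None.
    key = data[0] ^ ord("M") if len(data) > 1 else 0
    decoded = bytes(b ^ key for b in data[:512])
    return key if decoded[1:2] == b"Z" and DOS_STUB in decoded else None

def triage_zip(zip_bytes):
    # Return the list of warning signs from the post that are found in the archive.
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        parts = [n.rsplit("/", 1)[-1].rsplit(".", 1) for n in names]  # [stem, ext]
        exts = sorted(p[-1].lower() for p in parts)
        if exts == ["dll", "exe", "txt"] and all(GIBBERISH.match(p[0]) for p in parts):
            findings.append("exe+dll+txt bundle with gibberish names")
        if exts == ["exe", "nfo"]:
            nfo = next(n for n in names if n.lower().endswith(".nfo"))
            text = zf.read(nfo).decode("latin-1")
            if NUMERIC_URL.match(text):
                findings.append("nfo holds only a numeric url: " + text.strip())
        for n in names:
            if n.lower().endswith((".exe", ".dll")):
                key = xor_key_for_pe(zf.read(n))
                if key:  # non-zero key: PE magic hidden behind single-byte XOR
                    findings.append(f"{n}: xor-obfuscated PE (key 0x{key:02x})")
    return findings

def build_zip(members):
    buf = io.BytesIO()  # constructed in-memory sample, members = {name: bytes}
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

FAKE_PE = b"MZ" + bytes(0x4C) + DOS_STUB + b"\r\n$"  # constructed stub, not a real binary
XORED_PE = bytes(b ^ 0x5A for b in FAKE_PE)            # same bytes under single-byte XOR
SAMPLE_ZWT_STYLE = build_zip({"xkqzrt.exe": XORED_PE, "pwmnvq.dll": XORED_PE, "hgtrcx.txt": b"x"})
SAMPLE_NFO_STYLE = build_zip({"CoolApp_v2.1.exe": FAKE_PE, "CoolApp_v2.1.nfo": b"www.209193.com\r\n"})
SAMPLE_CLEAN = build_zip({"setup.exe": FAKE_PE, "readme.txt": b"hello"})
```

Running `triage_zip` over the three samples flags the ZWT-style and NFO-style archives and returns nothing for the clean one; treat any finding as a reason to scan the files before opening them.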

As usual, be very wary of anything you download, especially from P2P networks, and in particular when looking for warez. Always check files you download with, at the very least, a virus scanner, if not also a trojan scanner, worm scanner, rootkit scanner… You can also run them through online scanners such as Jotti’s, Virus.org, and VirusTotal.

If everyone kept themselves clean, the whole world would be cleaner overall. If you must pirate, practice safe piracy.