kao321 Warrior
Joined: 26 May 2006 Last Visit: 14 Dec 2007 Posts: 183
|
Posted: Sun Nov 05, 2006 1:48 pm Post subject: Kiwi Alpha |
|
|
At the CNET Downloads website, it recommends this product:
Kiwi Alpha
But according to many websites, it is infected. Any reason why they still have it on there? Or is it just that Kiwi Alpha is not infected anymore?
Thanks.
 |
goldengreek Warrior

Joined: 29 May 2006 Last Visit: 06 Feb 2010 Posts: 275 Location: Chicago
|
Posted: Sun Nov 05, 2006 5:16 pm Post subject: |
|
|
It is the worst p2p app there is, in my opinion. It will give your spyware arsenal one heck of a workout! But, I don't think we are allowed to talk about p2p apps here. But I hope it is ok, as long as we don't promote them. So, due to the forum rules, I will not recommend one to you.
 |
MysteryFCM Malware Expert

Joined: 28 Aug 2004 Last Visit: 01 Feb 2010 Posts: 828 Location: Tyne & Wear, UK
|
Posted: Mon Nov 20, 2006 2:09 pm Post subject: |
|
|
Kiwi Alpha, according to an extraction of its current installation file, installs WhenU/SaveNow and Relevant Knowledge (aka Win32/Adware.Relevant).
| Quote: |
[Files]
Source: "embedded\uninstall.exe"; DestDir: "embedded";
Source: "SavenowPanelSave.bmp"; Flags: dontcopy <<<--- WhenU/SaveNow
Source: "RelevantEula.rtf"; Flags: dontcopy <<<---- Adware.Relevant
Source: "RelevantKnowledgeBanner.bmp"; Flags: dontcopy <<<---- Adware.Relevant
Source: "{app}\KiwiAlpha.exe"; DestDir: "{app}";
Source: "{app}\Tutorial.lnk"; DestDir: "{app}";
Source: "{app}\tcpip_patcher.sys"; DestDir: "{app}";
Source: "{sys}\GnucDNA.dll"; DestDir: "{sys}"; Flags: regserver sharedfile
Source: "{app}\Data\defaultcache.net"; DestDir: "{app}\Data";
Source: "{app}\Data\defaultultracache.net"; DestDir: "{app}\Data";
Source: "{app}\Data\defaultwebcache.net"; DestDir: "{app}\Data";
Source: "{app}\Data\MediaFiles.dat"; DestDir: "{app}\Data";
Source: "{app}\Data\MediaFiles.idx"; DestDir: "{app}\Data";
Source: "{app}\Meta\application.xml"; DestDir: "{app}\Meta";
Source: "{app}\Meta\application.xsd"; DestDir: "{app}\Meta";
Source: "{app}\Meta\audio.xml"; DestDir: "{app}\Meta";
Source: "{app}\Meta\audio.xsd"; DestDir: "{app}\Meta";
Source: "{app}\Meta\document.xml"; DestDir: "{app}\Meta";
Source: "{app}\Meta\document.xsd"; DestDir: "{app}\Meta";
Source: "{app}\Meta\image.xml"; DestDir: "{app}\Meta";
Source: "{app}\Meta\image.xsd"; DestDir: "{app}\Meta";
Source: "{app}\Meta\rom.xml"; DestDir: "{app}\Meta";
Source: "{app}\Meta\rom.xsd"; DestDir: "{app}\Meta";
Source: "{app}\Meta\video.xml"; DestDir: "{app}\Meta";
Source: "{app}\Meta\video.xsd"; DestDir: "{app}\Meta";
Source: "{sys}\rkinstaller.exe"; DestDir: "{sys}"; Check: "CheckOSSProxy"; Flags: uninsneveruninstall ignoreversion <<<---- Adware.Relevant
Source: "{app}\Partner\NPSSoftware_WhenUSaveNow_InstallerInst.exe"; DestDir: "{app}\Partner"; Flags: ignoreversion <<<--- WhenU/SaveNow
Source: "{sys}\siminstwiz.dll"; DestDir: "{sys}"; Flags: uninsneveruninstall deleteafterinstall ignoreversion
Source: "{sys}\Dummy.txt"; DestDir: "{sys}"; Check: "CheckAdware";
Source: "embedded\regsvr.exe"; DestDir: "embedded"; Flags: uninsneveruninstall
Source: "embedded\License.txt"; DestDir: "embedded";
Source: "embedded\CompiledCode.bin"; DestDir: "embedded";
Source: "embedded\WizardImage.bmp"; DestDir: "embedded";
Source: "embedded\WizardSmallImage.bmp"; DestDir: "embedded";
[Run]
Filename: "{sys}\rkinstaller.exe"; Parameters: "-c:119"; Check: "CheckOSSProxy"; <<<---- Adware.Relevant
Filename: "{app}\Partner\NPSSoftware_WhenUSaveNow_InstallerInst.exe"; Parameters: "/cfg:FIND040601"; <<<--- WhenU/SaveNow
Though it doesn't say so, it also includes siminstwiz.dll which, according to Sunbelt, is a trojan downloader.
http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.AdMSI&threatid=42033
... though Jotti doesn't seem to agree.
Sandbox analysis of the setup file is at:
http://research.sunbelt-software.com/ViewMalware.aspx?id=7019
_________________
Regards
Steven Burn
Ur I.T. Mate Group / hpHosts
it-mate.co.uk / hosts-file.net
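
Added example, not part of the original post or the poster's own tooling: a short Python triage of a listing like the one quoted above, assuming it is an Inno Setup script (its [Files]/[Run] syntax matches). It reports which installed files the installer also executes and which carry the Inno Setup flags uninsneveruninstall or deleteafterinstall or a Check function; the function names and the SAMPLE excerpt are constructed for illustration.

```python
import re

# Constructed sample: a few entries taken from the quoted listing, analyst notes removed.
SAMPLE = r'''
[Files]
Source: "{app}\KiwiAlpha.exe"; DestDir: "{app}";
Source: "{sys}\rkinstaller.exe"; DestDir: "{sys}"; Check: "CheckOSSProxy"; Flags: uninsneveruninstall ignoreversion
Source: "{app}\Partner\NPSSoftware_WhenUSaveNow_InstallerInst.exe"; DestDir: "{app}\Partner"; Flags: ignoreversion
Source: "{sys}\siminstwiz.dll"; DestDir: "{sys}"; Flags: uninsneveruninstall deleteafterinstall ignoreversion
[Run]
Filename: "{sys}\rkinstaller.exe"; Parameters: "-c:119"; Check: "CheckOSSProxy";
Filename: "{app}\Partner\NPSSoftware_WhenUSaveNow_InstallerInst.exe"; Parameters: "/cfg:FIND040601";
'''

PARAM = re.compile(r'(\w+):\s*(?:"([^"]*)"|([^;]*))')  # Key: "quoted" or Key: bare words

def parse_script(text):
    """Return {section: [{param: value}, ...]} for an unpacked script listing."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("<<<")[0].strip()  # drop trailing <<<--- analyst notes
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None:
            current.append({k: (q or u).strip() for k, q, u in PARAM.findall(line)})
    return sections

def triage(text):
    """Map each installed file that stands out to the reasons it does."""
    s = parse_script(text)
    launched = {e["Filename"].lower() for e in s.get("Run", []) if "Filename" in e}
    findings = {}
    for e in s.get("Files", []):
        src, flags = e.get("Source", ""), e.get("Flags", "").split()
        reasons = []
        if src.lower() in launched:
            reasons.append("executed by [Run] during setup")
        if "uninsneveruninstall" in flags:
            reasons.append("uninsneveruninstall: not removed by the uninstaller")
        if "deleteafterinstall" in flags:
            reasons.append("deleteafterinstall: deleted once setup finishes")
        if "Check" in e:
            reasons.append("installed only if " + e["Check"] + " passes")
        if reasons:
            findings[src] = reasons
    return findings
```

On the excerpt, rkinstaller.exe is the only entry that is executed during setup, conditional on a Check function, and excluded from uninstall all at once.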
 |
Clif_Notes Newbie

Joined: 15 Sep 2004 Last Visit: 20 Nov 2006 Posts: 4
|
Posted: Mon Nov 20, 2006 9:42 pm Post subject: |
|
|
Thanks for the tip MysteryFCM.
I'm not very good at analyzing stuff like this, but I was able to satisfy my own curiosity. I went to Download.com and tried it.
I did take a few precautions ...
http://freewarewiki.com/KiwiAlpha
Advice is always appreciated.
Clif
http://freewarewiki.com
 |
MysteryFCM Malware Expert

Joined: 28 Aug 2004 Last Visit: 01 Feb 2010 Posts: 828 Location: Tyne & Wear, UK
|
Posted: Sun May 13, 2007 6:03 pm Post subject: |
|
|
Just re-tested this and it's still bundling this rubbish:
http://temerc.com/phpBB2/viewtopic.php?t=3413
_________________
Regards
Steven Burn
Ur I.T. Mate Group / hpHosts
it-mate.co.uk / hosts-file.net
 |
MysteryFCM Malware Expert

Joined: 28 Aug 2004 Last Visit: 01 Feb 2010 Posts: 828 Location: Tyne & Wear, UK
|
 |
tripkill201 Warrior

Joined: 24 Jun 2007 Last Visit: 23 Feb 2008 Posts: 181 Location: Approximately 2.3698 billion light years away.
|
Posted: Sat Nov 17, 2007 2:28 pm Post subject: |
|
|
I've never really trusted CNET, ever since I left. Way too much advertising. A little over a year ago, I used to use GameSpot, tv.com, download.com, and FilmSpot. And those used to be the only websites I would visit, really. I eventually began to scan every night on my computer with Spybot, turning up over 70 different tracking cookies. And that's really a serious number. I even got a SystemDoctor2006 drive-by download once while on tv.com. I totally abandoned CNET about August, due to multiple reasons.
EDIT: Also, I know the people on download.com don't really do a good job of testing anything for spyware. Especially if they advertise p2p programs on their site.
_________________
The stakes are immense, the task colossal, the time is short. But we may hope — we must hope — that man’s own creation, man’s own genius, will not destroy him. -Albert Einstein
 |
MysteryFCM Malware Expert

Joined: 28 Aug 2004 Last Visit: 01 Feb 2010 Posts: 828 Location: Tyne & Wear, UK
|
Posted: Sun Nov 18, 2007 4:39 pm Post subject: |
|
|
Couple years old, but I'd not seen it before so thought I'd add it for historical clarity:
http://www.spywarewarrior.com/adw2005/adw2005_3.htm
_________________
Regards
Steven Burn
Ur I.T. Mate Group / hpHosts
it-mate.co.uk / hosts-file.net