~ Software that hiddenly ~
~ corrupts, checks or modifies your data ~

Malware
Version March 2001

[The list] by db-cooper (posted by +Tsehp) ~ [addition] by ArthaXerXes

           "But take care when you find your appz, 
            or you'll not gain your just rewardz, 
            your quest will all have been in vain, 
            and you will have to start again"

Ancient websearchers' rhyme

This section is interesting for searchers, because many are not aware of the fact that software programs (software operating systems too, for that matter) have purposely been more and more "hidden" from their users (as the growing appearance of "Wizards" and automated installation and de-installation procedures attest) and are more and more using "undocumented" functions and performing "clandestine" activities on user machines.
Such covert activities encompass inter alia:
About the list below: I have received in March 2001 this note from Leo Getz:

Following a newsgroup posting of the url http://www.searchlores.org/boobytra.htm I discovered that the author of the essay has not given proper credit for the actual booby trapped shareware list. I originally compiled the list many many months ago now and semi-regularly post it to usenet & a message board as it gets updated. I would greatly appreciate credit for the list that forms the most part of the essay at the url mentioned above.
The BTS list was originally on my main website but it is now on its own @ LGbts.cjb.net

cheers, LG

Booby-Trapped Shareware
With an [addition] by ArthaXerXes (March 2000)
===================================================================
last update: 15 Mar 2000

If the possible threat of being hit by a virus and its effects, ranging from
funny messages to total system meltdown, isn't enough,
there is a new threat on the horizon, or maybe not so new.

History has shown that various authors have booby-trapped their software,
sometimes to the point of corrupting data files, corrupting system files,
or deleting files and directories from your computer.
This is a worst case scenario and the resulting effects vary greatly.

The following information is a list of software titles with the reported traps
hidden within. This document is not intended to promote paranoia but to alert,
educate and inform users about possible problems, and you might find some
handy tips and other bits of info along the way.
====================================================================
- (*)

Indicates new or updated info.

- AcdSystems
- (ACDSee, Pica View)

As of ACDSee v3.0 & PicaView v1.32 the registration system has changed.
They now have separate demo and retail versions.
You can no longer enter a serial into the trial versions,
they need to be patched.
You can however enter a serial in the new retail versions of the progs.

After all the hype, ACDSee DOES NOT phone home.
It includes a new updates checking feature which obviously does require net
access. Also the recent virus warning about ijl10.dll is false, due to a problem
with The Cleaner. Grab the latest version to fix it. Launching an image file
from agent results in a new acdsee window each time, it is a bug in acdsee.

- AddWeb

Uses server authentication to confirm the user's registration.
The second time you use it, you will get a lovely message about using illegal
software and that your IP address was recorded.

- Advanced Administrative Tools

Uses server authentication to confirm the user's registration.

- Advanced Zip Password Recovery (AZPR)

Will only accept a valid key, uses a blacklist for pirate keys,
if one is detected wastes CPU cycles without giving a solution.

- Advanced Disk Catalog (ADC)

Will only accept a valid key, uses a blacklist for pirate keys,
if one is detected slowly corrupts its databases.
Earlier versions had anti-SoftICE code in them,
though the author later removed this.

The author of AZPR & ADC uses very strong encryption to protect his code,
it won't ever be properly cracked. A lot of releases of these are not 100%
however one group has released v1.30 with a working valid serial#.

- AI Picture Utility

From a recent Core release - blacklist for pirate serials,
various hidden checks in each version release.

- AntiViral Toolkit Pro (AVP)

Bogus CRACKER.* trojan messages about many files, reported to falsely detect
cracks and keygens as viruses and corrupt them, this may only happen if you try
to 'clean' the infected files.

- Archiver Shell

v6.3, as reported in a recent CORE release, causes system problems if a
blacklisted name/serial is used.

- Audio Grabber

Phones home with author's server, invalidates itself when you go online.
Might screw up your mouse buttons too.
This checking may only be connected to the CDDB feature.
Search your C Drive for a file 'SLICKS.CNT' and delete it.
Repeat if it invalidates itself again.
Try another prog from http://www.cddb.com to perform cddb queries.
Also try blocking the connection with a good firewall, Conseal or @guard.

- (*) Aureate

This is HOT news right now and it seems a lot of ppl are freaking out over this.
Frankly, CHILL!!!. This ain't the first and won't be the last controversy of this kind.
Take a deep breath and calm the hell down.
Do read the information you can find, and take it all with a grain of salt.
I'm not defending anyone, things like this just get out of hand rather than calm rational thought.

Here are some info links -

http://villan.net/Right2Reply/AureateReply.htm
http://www.federalcourts.com/federalcourt/News/lostincyberspace_feb242000.html
http://pub3.ezboard.com/fzorsboardgeneraldiscussion.showMessage?topicID=839.topic
http://www.hardocp.com/news_images/2000/february_2000/aureatespying.html
http://news.cnet.com/news/0-1005-200-1558696.html?tag=st.ne.1002
http://www.internetnews.com/IAR/article/0,1087,12_309951,00.html

A list of software that use Aureate -
Here's what Aureate has said about it -

A list of the Aureate runtime files -
http://manage.aureate.com/developers/sdk_doc/runtime_files.html
A list of the registry keys -
http://manage.aureate.com/developers/sdk_doc/registry_info.html

There are now 2 utils out that will scan your drives for the suspect files.
The one by Cokebottle (AntiSpy) removes some VALID system files -
advpack.dll (Advpack), amstream.dll (DirectShow), amcompat.tlb (Active Movie/MediaPlayer).
I highly suggest you backup the suspect files first as some ppl have had probs after their removal.

- Bali Tools 2000

A Zor reader reports that this phones home.

- Black Widow

Was a while ago now, a few got hit by 'something', denied by authors,
the particular version was pulled very quickly, has been reported
to communicate with the author's server, also claimed to look for
commonly pirated programs.

- (*) BlackIce Defender

If you are installing a new version over an older one and having trouble,
go into the NetworkICE folder and open the file license.txt.
Replace the serial in license.txt with a later one.

(from FOSI) - using the update check seems to cause program to GPF,
making it unusable after this.
The authors are blacklisting a lot of serials, so if you try to download and
update from their webpage and it won't let you, that's why.
Recently a 'snitch' url was discovered, this is part of an upcoming feature of
the prog and seems not to be to 'phone home'.
v1.9.6 seems to have cleared up all the problems and confusion.

- BSI Wavestation

Later versions after v2.71X, would do severe system damage if it detected use of
that keymaker:

1) Overwrites win.ini, system.ini, user.dat, and system.dat.
2) Overwrites user.da0 and system.da0 (registry backup files).

This will render your system unbootable, and within seconds of doing this you
will get a registry error message, prompting you to reboot.
At that point it is too late.
Incredibly, all those system files are backed up by the program (with different
names, in the program directory) after it does this, so if you keep cool you
can still restore your system.

The ONLY version to consider safe is v2.71X, It has been disassembled and
verified that no trojan horse code exists in it.

- Bulletproof FTP

Uses server authentication to confirm the user's registration, opens your browser
to a 'gotcha' page if invalid, repeatedly new serials are released for new
versions, frankly don't bother, most if not all shared serials are cancelled by
the author when they are eventually discovered.
The last version that seems very stable is v1.15.

- CD Wizard

If you put the serial in wrong it might pop a warning saying 'We have detected a
virus attached to your copy of CD Wizzard' or similar.

- (*) cdlabel

v5.0, using an old/blacklisted serial results in popup warnings.

- CdrWin

Possibly the ONLY crack to trust is the one by 'GranddFather'.
The Radium 3.7c release is another verified good version.
At one point filled the hd with junk, another time deleted system files,
ongoing double checking of the serial and if it fails burns coasters.
There have been reports of it inserting garbage into the write stream as well.
This means that only some files may have errors.
This would make it somewhat difficult to detect for the average user.
Doing a plain directory or filesize compare may not reveal any corrupt files.
Use a crc validator or a binary file compare util on all images burned with this.
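
The CRC / binary compare recommended above, as an added example that is not part of the original list: it indexes a source tree and its burned copy by size, CRC32 and SHA-256, and reports files whose size still matches but whose content does not, which is the case a plain directory or filesize compare misses. The function names and the sample trees built in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile
import zlib

CHUNK = 1 << 20  # read in 1 MiB pieces so large files are never held in memory


def digest(path):
    """Return (size, crc32, sha256 hex) for one file, streaming its content."""
    crc, sha, size = 0, hashlib.sha256(), 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            size += len(block)
            crc = zlib.crc32(block, crc)
            sha.update(block)
    return size, crc & 0xFFFFFFFF, sha.hexdigest()


def index_tree(root):
    """Map each relative file path under root to its digest tuple."""
    result = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = digest(full)
    return result


def compare_trees(source_root, copy_root):
    """Classify every source file against the copy (e.g. the mounted disc)."""
    src, dst = index_tree(source_root), index_tree(copy_root)
    report = {"ok": [], "missing": [], "size_differs": [],
              "silent_corruption": [], "extra": sorted(set(dst) - set(src))}
    for rel, (size, crc, sha) in sorted(src.items()):
        if rel not in dst:
            report["missing"].append(rel)
        elif dst[rel][0] != size:
            report["size_differs"].append(rel)      # a size compare catches this
        elif dst[rel][1:] != (crc, sha):
            report["silent_corruption"].append(rel)  # only a content check does
        else:
            report["ok"].append(rel)
    return report


def demo():
    """Build two constructed trees, damage one file in place, compare them."""
    files = {
        "readme.txt": b"hello\n",
        "data/track01.bin": bytes(range(256)) * 64,
        "data/track02.bin": b"\x00" * 4096,
    }
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "source"), os.path.join(tmp, "burned")
        for root in (src, dst):
            for rel, content in files.items():
                full = os.path.join(root, rel)
                os.makedirs(os.path.dirname(full), exist_ok=True)
                with open(full, "wb") as fh:
                    fh.write(content)
        # Simulate garbage in the write stream: overwrite 16 bytes in the
        # middle of one copied file without changing its length.
        with open(os.path.join(dst, "data", "track01.bin"), "r+b") as fh:
            fh.seek(5000)
            fh.write(b"\xAA" * 16)
        return compare_trees(src, dst)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:18} {names}")
```
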

- ClipMate

Opens your browser to a 'gotcha' page using blacklisted name/serial
v4.11 using a blacklisted name/serial might also make it crash
Solution: Just delete the Registration Info from your Registry.
(HKEY_CURRENT_USER\Software\Thornsoft\Clipmate5\Registration)

- (*) CloneCD

New serials get blacklisted very quickly, make sure you use the correct
serial with the version you have. It might appear to accept old serials but
will burn dud cds. Have also seen reports of it threatening to format the hd.
Goto HKEY_LOCAL_MACHINE\Software\The Silicon Realms Toolworks\
and delete the 'Armadillo' key for 10 more writes.

AVP might report the installer is infected. This is a false positive but
treat all warnings with care.
Try unzipping the installer and scanning the files, should be clean.

- Cool Edit 2000

Detects if you've had a previous cracked/pirated v1.2 on your system.
It might Delete itself on this detection.
Also seen mentioned that the CoolEdit MP3 Plugin does the same thing.

- Copernic

v4.0/4.1 - Using the built-in update feature results in the ad banner window
returning. Try getting a newer version and do a clean install of it.
Make sure you use a newer serial too.

To remove the grayed out box and remove advertisements go to Registry Editor.
(HKEY_CURRENT_USER\Software\Copernic Techologies\Copernic4Plus\Preferences\)
and remove the 'ShowAd' key.
OR try, inside the 'ShowAd' key replace 0Xffffffff with 0X00000000

- CPUidle

A Zor reader mentioned that AtGuard reports that this tries to establish
an outgoing TCP/IP connection. To do what he doesn't say.

- CuteFtp

v3.xx, using cracks may make the program and your system become very unstable.
As of v3.54 there are a few good cracks that contain a valid registry file.
Apparently the program has multiple layers of key-checking and numerous
self-integrity checks.
See what the authors have to say. http://www.globalscape.com/support/cracks.html,
http://www.globalscape.com/support/cracks2.html

While the program may be reasonably protected by the registration system,
CuteFTP's data files are protected by an extremely weak 'encryption'.
The term 'encryption' is used very loosely in this regard as usernames and
passwords in the 'tree.dat' (v2.x) and 'smdata.dat' (v3.x) are easily recovered.
There is one other username and password combination that is stored as plaintext
in the registry and CuteFTP's ini file.

- CSE HTML Validator

Phones home only when using the built-in update check.
If you have used an invalid serial and try to update,
it will then always try to phone home.
Solution: Just delete the Registration Info from your Registry.
(HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\CSE3310)

- DiskState

v2.02 maybe others, seems to be a dupe file checking util.
Saw a sketchy report that it fills the registry with CLSID's.
This appears to be part of its normal operation.

- Download Accelerator

Could be a bug (?) that causes it to crash continually after trying to reg it.
To remove the ads find the 'Ads' folder and delete the image files,
if they come back, delete them again.

- Extractor Marketing Software
- (Extractor Pro & Web Weasel)

Phones home every time the prog is started.

- Feurio

v1.30, Careful with using Feurio 1.30 with the 'ciccio' code,
Although it seems registered, it inserts a spoiler into a random track.
It goes : "beeeeeep... illegal copy ... beeeeeep".

- FlashFXP

Uses a blacklist for pirate serials, if you use a blacklisted serial
the app contacts the author's website and pops threatening messages,
it's not recommended using the update feature, tHE eGOISTE/Tmg has a
good crack for it and eGO has a program that reads the blacklist.

- (*) Fluid Promotion

v1.02, using a bad serial will seem to register it, but it'll stop working,
will also pop 'gotcha' messages and report you to the author's site.

- Firehand Ember

Not sure of versions v5.93+ I think, pops a warning using a 'pirated' serial,
damages system.
After v3.8.6(?) there are separate demo and retail versions.

- Folder Guard

Uses blacklist for pirate names.

- Fruity Loops

v2.01, to enter serial - ctrl+shift+F2, reported as having 4 stages to the
protection scheme, Basic, Full, TS404, a 'God' mode being the final,
this 'God' mode has been reported as bogus.
It appears that the download from the FruityLoops site is a CRIPPLED demo.
Depending on the TMG keygen you have it may not work.
TMG have also released a keygen for a FULL (non-crippled) FruityLoops.

- Fruity Tracks

v1.50, to enter serial - ctrl+alt+F9.
The crippled problem with FruityLoops may also apply to this one.

- FTP Voyager

Serial is date dependent. Stops downloading files a few bytes
before completion when using blacklisted name/serial.

- GameSpy

Only use cracks by REBELS.
Uses server authentication to confirm the user's registration,
forget about using keygens or serial#s alone.

- Genius

v2.6 on detecting a blacklisted serial pops up a little "you're using pirated
software, etc." window and disables various functions.

- Getright

Uses a blacklist for pirate serials. Might try to bring up a 'gotcha' page.
If it starts playing up...
Goto HKEY_CLASSES_ROOT\CLSID\{F853B2C7-386A-11D3-A860-006097897A00}
and delete 'ID'
Goto HKEY_CURRENT_USER\Software\HeadLight\GetRight\Config\
and delete 'Window00' and 'RegistrationCode'
or delete the number itself. Then try using another serial#.

- Gordon Production's software
- (ASCII-Help, Einstein,
- Home Project, KarCheck,
- PasteMaster)

Einstein maybe others, phones home and reports the use of a crack,
expect an email from the author. Saw a report on Zor's news that the
author emailed a keygen user knowing it was used.

- HistoryKill 99

Pops a warning about sending mail to the author when using a bad serial#,
have seen one report of it doing system damage.

- HoneyQ

v1.50, not all serials seem to enable the use of video,
if video gets disabled after registering then this is why.

- HotDog

Uses server authentication to confirm the user's registration.

- Htmasc32

v3.03.22 uses a blacklist for pirate serials, will randomly popup a bogus
program error on detecting a blacklisted serial.

- HTML (Un)Compress

Uses blacklist for pirate serials.

- Intermute

Uses server authentication to confirm the user's registration.
This may have been removed since v1.40.
v1.50 has been reported as clean.

- KeyText

Most older serial/keygens (v1.1x) were not 100%, prog ended up still limited,
more recent serial#s might be fine.

- Kyodai Mahjongg

Be careful using old keygens & serials, has been reported to do nasty things.

- Lightspeed Products
- (Rocket, WebConvert Pro)

Rocket maybe others phones home and reports the use of a crack,
expect an email from the author.

- LinkBot

v5.0, Phones home.

- Liquid FX

Takes your browser to a 'gotcha' page on detecting a blacklisted name/serial.

- (*) Lockdown2000

Have seen very conflicting reports about the effectiveness of this,
also seen mention that although it claims to be, it is NOT a firewall.
Repeatedly updated by authors to overcome new cracks,
seemingly very little time spent updating functionality.
Be careful trusting your system security on this, do some testing and you
decide. Some interesting test results to consider -
http://www.nwi.net/~pchelp/lockdown/Davis/index.html
http://www.nwinternet.com/~pchelp/lockdown/debunk/index.html
http://www.nwinternet.com/~pchelp/bo/htinvest.htm
http://www.antionline.com/cgi-bin/features/ProductReview?date=10-08-1999

The history of the authors is a very interesting read.
Don't even bother testing this let alone buying it.

- LviewPro

v2.8, you can't enter a serial in the demo from the website,
a patch is required.

- Magic Folders

Deletes the illegal registration file and warns that if you use it again,
it will uninstall and you won't "ever" be able to install it again.
It also states something about being able to delete the whole hard drive instead
of just one file. Last cracked version was a looooong time ago.

- Multimedia Builder

v4.5, try CORE's older keygen putting in an email address as the username to
generate the key, eg. me@you.com.

- Nero

v4.?? accepts an invalid serial for a while, at a later time tells you that the
serial number you are using has been pirated.
Doesn't cause any system damage, but it will ask you for a correct serial number
every time you load it up until you give it a valid one.

- Net Detective 2000

Does nothing more than a few good search engines can do.

- Netinfo

Will contact its home server upon startup or some network event even after
being registered.

- NewsRover

Since v3.8(?) name/serial is at least triple checked, when first entered,
when retrieving newsgroup headers, and uses server authentication.
If the second check fails it will delete the data files from its directory.

- Norton Antivirus 2000

Has been reported that if you've used a cracked dll on the demo,
when you update the virus definitions you will get a message that
says you need to download a patch.
If you say yes and download the patch it will replace the "fixed" dll
and set the attribute to read only, making it difficult to "tamper with" again.

- Offline Explorer

Contains a blacklist of usernames.

- Oil Change

Uses server authentication to confirm the user's registration,
it's the Oil Change server that provides the list of updates.

- Personal Stock Monitor

Will contact its home server upon startup or some network event even after
being registered.

- (*) Prudens (SpyWindows) Software
- ComSpy, ExeSpy, MemMonitor, ODBCSpy,
- Process Explorer, RegistryMonitor, SetupMonitor.

Was quite a while ago, using a keygen'd/bad/older serial resulted in your
hard drive being wiped. Be very careful with recent releases and make
sure the keygen/crack/serial# is for the version you have.

- Quake 3

The newly released full version uses server authentication to allow you to play
online, either buy it or find yourself a cracked SERVER to play on.

- RankHigher

Quoted from website - 'A note to Crackers, Hackers and thieves: we are NOT
responsible for what this program does when using a cracked version,
stolen registration code or reg code generators! You've been warned...!'.

- RealNetworks is watching you

http://www5.zdnet.com/zdnn/stories/news/0,4586,2385034,00.html?chkpt=zdhpnews01

- RealPlayer

v6 update check triggers blacklisted serial nag.
v7.0 includes a prog called Comet Cursors which has recently been revealed to
send out info on your browsing habits.

- Restorator

v2.50 bld 757, Apparently there is only ONE 100% crack for this,
all others will trigger the prog to delete itself.

- SmartDraw

v4.22, to get another 30 days on the trial version..., might only work once tho.
Goto 'help' menu, click 'about', the 'about' box pops up, hold down Ctrl+Shift
and click the 'ok' button.

- Starcraft's Battlenet

Collects data about you and sends to server.

- Time & Chaos

v5.xx maybe later, blacklist for pirate serials, on detecting pirate serial
locks the data files, prog may not run again.

- Timeworks DirectX Plugins

Demos can detect if you've used a cracked version before, threatens to erase
C: drive, seems to just be a scare tactic.

- ToDo'95

v4.14 maybe others, If the program is used beyond the 30 day evaluation period,
the author issues a "Doomsday warning". The message warns that the user must
uninstall the program immediately or the program will delete the host computer
Windows directory. The code for a DELTREE command on the host Windows
directory has been found within the executable.

- Total Recorder

v2.1 maybe others, v1.0 is ok, Seems to be a long standing often missed trick,
after 64 seconds a spoiler signal is inserted into the output file.

- Tracking the Eye

Uses server authentication to confirm the user's registration.

- TranSoft
- (MailControl & others)

Contacts its home server and checks your registration data against a few lists.
(http://www.transsoft.com/codes/) One list is 'legal' usernames,
other is 'illegal'.
Names on the Illegal list include - William McCurdy, Nambulu, forcekill,
MONTILLO, Montillo, Norway, SiraX/[DNG], CORE/JES, Bracco,
Nambulu/Survivors, BABYNET, SiraX/CORE, QuQ [FACTOR],
Black Thorne [PC'98], Phrozen Crew '98, SiraX/[CORE]-1998, TransSoft,
mRFANATIc [D4C], JellyTop, astaga [D4C], C4A Team, Doug Mchugh,
Karl Kachigan, Master Computer.

- Tweaki for Power Users

Serial is date dependent. Pops a warning message on bad serial.
If you get this try going to \HKEY_LOCAL_MACHINE\Software\Tweaki\
Find the 'RegName' key and change SPRITEX to SPRITEY.
Also reported to detect an old cracked version,
pop nasty messages and stop working.
Clean the old registry entries and also search for 'jermar','tweaki', and 'twk',
new version will then install without probs.

- (*) Virtual Drive

v5.1 From Zor's Discussion board, a user used an old patch by Swat99
and his boot drive was totally nuked.

- WebForms

In one version of it, the author had code to delete x:\windows\system\*.dll,
and in another he deleted x:\command.com, then displayed a goofy message.
There is a modified keymaker that gets posted now and again.
It still works, last time it was checked.
Has been advised against using it on a version above 2.5d, however.

- Wetsock 4

Will contact its home server upon startup or some network event even after
being registered.

- Where Is It?

Locks catalogs if blacklisted name/serial is used, due to continual updating (to
overcome the cracks) it's hard to find a correct version and matching keygen.
Core's v2.11 ( release of the app & keygen is known to be good.

When this happens in v2.12 it locks the catalog and overwrites the catalog name
with 'warez user'. I have some info on fixing this.
It gets worse as of v2.14, it doesn't lock the catalog but overwrites all
titles, folders, and file names in the catalog with 'warez user'.
If you get stuck in the 'warez user' trap do NOT save the catalog,
if it happens during updating the original catalog will be ok.
Have used v2.14 for a while and eventually got trapped, seemed to be after
running it while online but could not catch it in the act.

Authors should know that the intended destruction of data is a criminal offense in many countries, whatever the reason is.

It is like killing a burglar stealing from you, the fact that one breaks the law does not allow you to do the same.

There is also the fact that you can never be sure that your malicious code will never harm a legitimate user of your program.

There are several pieces of software missing, the first one that comes to my mind is:

WinDAC (at least 1.49) :

http://www.windac.de I believe. This is a program to dump the audio tracks of CDs. A nice program, but it does not work well on my computer (and I have limited use for it anyway).

I fully reversed this program, so I can explain precisely what it does. The program, if incorrectly cracked or if the serial is only partially correct, will behave strangely.

For example time duration will be altered as well as tracks, as a result you may dump the wrong track or miss some parts of it.

If you are interested, there is quite an interesting registration check scheme, a hash is computed from the name, then from the serial, operations are performed on both of them and if the operations are successful, the name/serial pair is accepted.

Afterward, when the program restarts, another check is performed on the serial hash (it checks if it can divide it by 10h if my memory is good), if it works you will have the full working software, otherwise you will have a bugged one.

I can provide a valid name/serial pair to whom it may interest. I think it will work with the most recent versions. I also tried to make a serial generator, but it is really bugged.

However, this is not as bad as the other software trashing your data.


- Try with the unregistered version the problems you encounter with the registered one.
- TEST YOUR WORK ! (I can't believe I found a serial generator for WinHex 9.25 that does not work AT ALL, get my crack here, just to compare !)
- TEST YOUR WORK ! (again :-)

Really, it is funny to see people who take themselves for super-l33t-crackers because they made a serial generator, and to see that it does not actually work (who said CDRWin ? :-).

Another malicious program is Awave which will quit after a while or display an unusable dialog box if miscracked.
The last version is boring to reverse, it is fun to unaspack by hand (I made a routine to rebuild the IAT if you are interested), but removing the checks is boring.
You can get my old tutorial "The Elegant Patching", since this part did not really change, you just have to unaspack before doing this.

Again, it is not REALLY malicious, as it will not destroy anything (as far as I know) it will just not work right.

Hope this was interesting.


"I shall not use my Knowledge in vain"

xerxes_nospam(at)altern(point)org ~ ArthaXerXes
(c) III Millennium: [fravia+], all rights reserved