Scumware targets AA !


MickeyTheMan
April 22nd, 2002, 06:26 PM
It has come to our attention that the RadLight 3.03R5.2 (by Radlight) software intentionally tries to uninstall Ad-aware components from your system, without requesting your permission or knowledge.

After reports from concerned users, our tests have shown that the Radlight software indeed checks for the default Ad-aware installation path, and then removes all files that are not currently in use, upon its first execution.
Until now, such malicious behaviour was commonly known for viruses and trojans.

It does not slip through Ad-watch, or hide from the Ad-aware scanner; Radlight is not (yet) targeted by Ad-aware or Ad-watch.

It performs a silent uninstall of the Ad-aware components, including desktop shortcuts and Start menu items.

This is not a bug in the RadLight software; it is intentionally uninstalling Ad-aware, with the only purpose to make your system attainable for further malware installation.

And if this wasn't enough, the Radlight software is bundled with WhenU's SaveNow software, a well known data mining company.
If Ad-watch is running, it will correctly prevent the installation of SaveNow.
If neither Ad-aware nor Ad-watch is active, they both will be uninstalled through the Radlight software upon its first execution.

A fix is in progress, and we feel it's necessary to add Radlight to the AAW target list.
This is malware at its worst.

Team Lavasoft

Urizen

javacool
April 22nd, 2002, 06:33 PM
That's a really horrible thing for a program to do.

Unfortunately, I am surprised it didn't happen sooner - but I'm sure many people figured that luck would run out soon enough.

I'm glad to know you're working on a fix - good luck on a quick release!

Also, minor question: What does the RadLight software do, and where (and/or why) would someone obtain it? (Mainly asked for my own testing purposes.)

TIA.

-javacool

UPDATE: Never mind on the "where would someone obtain it" question - a simple .com address does the trick. ;)

Ann
April 22nd, 2002, 06:59 PM
Hi javacool

RadLight 3.03R5.2 is a media player and can be found at
http://www.radlight.net

Ann Christine Åkerlund
bee@lavasoft.de

spy1
April 22nd, 2002, 07:14 PM
I think they need some email, don't you?

davenger@radlight.net <davenger@radlight.net>

(Of course, they know, this means W-A-R!!! ). Pete

Paul Wilders
April 22nd, 2002, 07:15 PM
Posted the same on "privacy software" - apologies for the unintended cross posting.

That said: I fully agree with javacool: it does not surprise me at all - and it probably is just the beginning.

The method used here is a simple and quite straightforward one: any AA user will notice immediately. Chances are, AA will be targeted and put out of business like lots of security software is: only altering - the way it seems all works as it should, but in fact putting the app dead or not targeting certain spyware.

IMHO a pro-active coding is needed here in regard to AA. That's a huge effort. Nevertheless, IMO a needed one. Better stay ahead than acting reactive.

regards.

paul

spy1
April 22nd, 2002, 07:31 PM
"'davenger', huh? (<g>)
The best possible interpretation I can put on your insane move to disable the AdAware program is that you're looking for publicity (which, unfortunately, you'll get more of than what you want).
If a suitably short enough period of time passes and you do not cease and desist from this practice, I hereby promise you that I will organize a class action suit by Lavasoft users against your company and your person which will result in your total destruction as a corporate entity and leave the next two generations of your children scurrying to finish paying off the judgement against you.
Have a nice day.

Pete Yevchak (spy1 Global Mod @ http://www.security-pro.co.uk/yabb/YaBB.pl"

Everyone please feel free to copy and paste that (or something similar), adding your name to it to let them know that you'll be part of the suit.

Mine's already sent. Pete

And here's the link for cnet's 'Feedback' form - I urge everyone to fill out and send one of those, too!

http://download.com.com/1200-20-750060.html?tag=subnav

javacool
April 22nd, 2002, 07:42 PM
{QUOTE-> "'davenger', huh? (<g>)
The best possible interpretation I can put on your insane move to disable the AdAware program is that you're looking for publicity (which, unfortunately, you'll get more of than what you want).
If a suitably short enough period of time passes and you do not cease and desist from this practice, I hereby promise you that I will organize a class action suit by Lavasoft users against your company and your person which will result in your total destruction as a corporate entity and leave the next two generations of your children scurrying to finish paying off the judgement against you.
Have a nice day.

Pete Yevchak (spy1 Global Mod @ http://www.security-pro.co.uk/yabb/YaBB.pl"

Everyone please feel free to copy and paste that (or something similar), adding your name to it to let them know that you'll be part of the suit.

Mine's already sent. Pete <-QUOTE}

Will do - :)

BTW, Just a thought - Wouldn't it be possible to make a program to watch the AdAware files for deletion or even tampering? i.e. a small memory-resident app you could either run when you installed applications, or all the time, if you wanted.

Side note - That program probably wouldn't be too hard to make. If anyone has an interest, I could always whip one up really quick (probably only 10 kb or so, too).

Just a thought. (That program probably wouldn't be much use to AdAware Plus users, though - since they have the resident scanner, but just a thought.)

TonyKlein
April 22nd, 2002, 07:47 PM
This is just unimaginable! >:(

I've just posted this Lavasoft notification at VirtualDr, Winguides.com, and TSG Forums, as well as on a couple of boards here in Holland.

Everyone ought to be warned.

discogail
April 22nd, 2002, 08:56 PM
Radlight has a discussion forum. This topic is being discussed there too.
RadLight.NET Forum.....http://216.194.92.96/phpBB2/viewtopic.php?t=215

Mike_Healan
April 22nd, 2002, 09:02 PM
LOL Pete.
As a LS mod, I think I should stay out of it, but anyone else, please, contact them and warn them they're up against a company that will NOT back down.

We appreciate the support, everyone. I know there are some harsh words for us when one of our new releases causes some..... ermm... "unexpected troubles", but it's good to know we have your support nevertheless.

Paul Wilders
April 22nd, 2002, 09:40 PM
All good security and anti-spyware software will be supported by us, our mods and members. All in all, it's fighting a common enemy, and that's what counts in the end.

regards.

paul

discogail
April 22nd, 2002, 09:58 PM
CNet has pulled it.......
"This title is no longer available!

The program you've requested, "RadLight", is not available for download at this time"

Still available at Simtel http://www.simtel.net/pub/pd/55443.html
Simtel discussion forum.....http://forum.simtel.net/ubbthreads/ubbthreads.php
Email........bdickson@digitalriver.com <bdickson@digitalriver.com>
***Apparently filters have messed with the email address. LOL.....bthingyson should be bd*i*c*kson...remove asterisks

spy1
April 22nd, 2002, 11:09 PM
Thanks, DG! I feel the need to email! Pete

javacool
April 23rd, 2002, 01:24 AM
I've released a small application to hopefully deal with this problem.

Details here: http://www.security-pro.co.uk/yabb/YaBB.pl?board=privacysoftware;action=display;num=1019532173;start=0;.

snowman
April 23rd, 2002, 01:46 AM
COPY OF SENT

RE: Radlight 3.02R.2

TO: B. Dickson

please be herewith advised that Radlight 3.03R3 has been positively identified as a program that performs illegal operations.....the dis-installing of legally obtained and copyrighted computer software installed on personal/business computers.

all parties associated with the distribution of Radlight 3.02R.2 should seriously consider if such association will also associate them in whatever pending legal actions that may ensue.

respectfully submitted

(snipped)

Blacksheep
April 23rd, 2002, 02:38 AM
Simtel is now aware of RadLight *problem*:

http://forum.simtel.net/ubbthreads/showflat.php?Cat=&Board=looking&Number=2132&page=0&view=collapsed&sb=5&o=&fpart=1&vc=1

snowman
April 23rd, 2002, 03:56 AM
seems like I picked-up a hitchhiker.....somewhere after leaving here to the radlight site...my email site...and two other sites......

after noticing one of those behind the window pop-ups....an pop-ups won't pop on my computer LOL I became curious......checked my windows temp....an sure as gravy covers rice I found a download...

GLB1A2B application

112 kb

most all day yesterday I was installing M$ patches....an this afternoon installed some previously downloaded programs.........so this may all be very innocent...........however, I also clean and defrag my computer after each install..........an don't see how this would have been left behind....

unfortunately I forgot to disable "download files" in the internet zone.........so it's possible that a forced download was made......an there was that "box" behind window...........an I did check out radlight......

this whatever it is in the temp folder is of no concern to me...it can't install on my computer......if by a miracle I picked up a copy of whatever is un-installing adware.....it may be useful.....but I certainly can't say that's what this application is....it may be nothing.

I'll stay awake for a little longer to see if anyone is interested...if not I will delete it.....

snowman

snowman
April 23rd, 2002, 04:00 AM
the file resembles a small box next to a waste paper basket.............something along the lines of what the recycle bin appears like......but with a small box next to it...

snowman

Mike_Healan
April 23rd, 2002, 04:00 AM
mike@spywareinfo.com

I'll take a look.

snowman
April 23rd, 2002, 04:06 AM
after further consideration...this makes no sense....the program that un-installs adaware is bundled in radlight.......so I can't see how this would be related

my apology.......

snowman

snowman
April 23rd, 2002, 04:08 AM
MIKE

do you still want me to send it?? I'll be happy to do so..

snowman

TonyKlein
April 23rd, 2002, 04:10 AM
{QUOTE->

Quoting Snowman:

after noticing one of those behind the window pop-ups....an pop-ups won't pop on my computer LOL I became curious......checked my windows temp....an sure as gravy covers rice I found a download...

GLB1A2B application <-QUOTE}



If I remember well, GLB1A2B has been known to be put in your Windows\temp folder when you install Ad-Aware.

You'll find it in your Wininit.ini, and it will therefore show in your Wininit.bak after reboot.

Take a look at this thread, two thirds down: http://www.lurkhere.com/forum768.html

So maybe let's not get carried away unduly...;)

Cheers, Tony

snowman
April 23rd, 2002, 04:38 AM
Tony

I agree about not getting carried away.....an that may be just as well cause I can't get this thing into my e mail...in order to forward......it keeps trying to open!!!!

an for adaware....I installed it weeks ago.....have cleaned my temp folder a dozen times since......I did run adaware within the past twenty four hours....

anyways..since it won't go into the e mail....I'll just delete it.....oh, I even tried putting it into "zip"

hope this wasn't a bother to anyone.....thank you for your time.

snowman

TonyKlein
April 23rd, 2002, 04:43 AM
Hi Snowman,

No prob! :)

It'll certainly serve to reassure others that may be asking themselves the same question.

I know I've seen this item popping up in StartLogs many times myself, and have always wondered what it was, until Mo accidentally discovered it was created by Ad-Aware.

Cheers, Tony

snowman
April 23rd, 2002, 06:15 AM
Tony

thanks for the advisory......this certainly was a new one for me....I am still rather confused...but placing my trust in you on this.

what confused me was that it's a 162 kb application.....an it kept trying to open whenever I made an attempt to move it....

but no problem..it's deleted....system cleaned completely...checked for possible virus/trojan..etc.

was an interesting experience.....I have never sent an attachment by e mail....in fact have only used e mail less than ten times over several years.....seems I will need to learn how to use it properly......talk about going back to the basics........LOL

wishing you well

snowman

spy1
April 23rd, 2002, 01:45 PM
It appears to me that, regardless of what the RadLight people are saying, we've made remarkable progress in getting their threat contained.

Due to the fact that they're foreigners, there is no means of legal recourse (yes, I talked to my lawyer).

Since the people involved with supplying the d/l of their 'product' have been very responsive to everyone's concerns (i.e., Cnet stopping the d/l and Simtel - at least - looking into it) and we've gotten at least two different programmers (Pepi and Javacool) to come up with programs to actively combat the RadLight malware, I've decided that the best way to continue the offensive is to ask SpyCop, WWM and Anti-Keylogger to add detection of RadLight freeware (any and all) to their detection databases. (I emailed them all this morning).

What everyone else can do is check out your favorite d/l location and see if Radlight products are listed there. If so, you need to drop them an email pointing them to this thread so that they can become aware of and join in this issue.

I'd like to take this opportunity to personally thank everyone who took the time and made the effort to email anyone involved in this, either to complain, educate or make them aware of the situation - and I ask you to keep doing so!

Only by letting everyone involved know exactly where we stand on these kinds of issues can we continue to make a difference in this and future issues.
Pete

discogail
April 23rd, 2002, 01:53 PM
Simtel dropped it......

"Sorry, but we are unable to find the file you requested"

TonyKlein
April 23rd, 2002, 01:53 PM
I'll certainly do my best to keep people at my regular boards informed.

spy1
April 23rd, 2002, 02:19 PM
It's on WebAttack, too - this is their 'Feedback' link:
http://www.webattack.com/feedback/ . Pete

PeteNote: Thanks, Mike!

Mike_Healan
April 23rd, 2002, 03:21 PM
Errrrrr.........

This page might work better. ;)

http://www.webattack.com/feedback/

Mike_Healan
April 23rd, 2002, 03:31 PM
Dear Sir or Madam,

It has come to my attention that you offer for download a product from Radlight INC, Radlight Divx multimedia player. Please follow the URLs listed below. They will explain how this software company is engaging in unethical and possibly illegal activity. Specifically, the author of the software has included code which searches for and destroys our software without notice to the user.
We respectfully request that you remove this software from your downloads area.

Regards,
Mike Healan
Lavasoft Support

http://www.newsbytes.com/news/02/176075.html
http://www.spywareinfo.com/issues/04222002.html
http://www.security-pro.co.uk/yabb/YaBB.pl?board=privacyissues;action=display;num=1019507174;start=
http://www.lavasoft.nu/cgi-bin/forums/ikonboard.cgi

Lurker
April 23rd, 2002, 05:32 PM
Hi,

Someone from Lavasoft might want to drop http://www.divx-digest.com/index.html a note as well that the program Radlight that they host here http://www.divx-digest.com/software/radlight_player.html quite possibly, illegally deletes Ad-aware program files. :-/

I think it would look better and mean more from an official Lavasoft source.

Update: I do see they have a forum and it has been mentioned http://forum.digital-digest.com/showthread.php?s=9fd8020ecbbd3e0aff5428e22df139ea&threadid=6345

Also the contact page is http://www.digital-digest.com/contacts.html if needed.

I posted a screen shot of the latest version of Radlight's Ad-aware disclaimer http://paulgien.home.mindspring.com/misc/RLLA.htm that is displayed after the EULA is displayed.

Me, I am running Ad-aware from a floppy from now on. HAHA. Actually I would never install ad-ware or spyware knowingly on any computer and use Ad-aware just to be sure nothing sneaks by. ;)


Paul,

Paul Wilders
April 23rd, 2002, 05:37 PM
Paul,

Mike Healan is part of the Lavasoft Team as far as I know of.

regards.

(just another:) paul

snowman
April 23rd, 2002, 06:14 PM
complaints have been filed with several state and federal agencies.....as a registered stock trader it was possible to lodge complaints with security exchange commissions in several countries...

complaints have been filed with numerous state and federal representatives.

complaint filed with <webattack> with notice that it shall not be used again so long as the offending software is offered there.

some of the complaints/notices may not be seen as having merit ...each agency must make that call.

snowman

discogail
April 23rd, 2002, 08:57 PM
RadLight is back in the Simtel.Net collection as rl3r52.exe

David Kirschbaum, Archivist for Simtel..
"the corrected version, just posted to the Simtel.Net collection, clearly and unmistakably informs the user installing the program as to exactly what's going to happen..........
...Because fair is fair: RadLight is doing no more than Ad-Aware does........the ONLY site in the Known Universe complaining about this? Why, the home of Lavasoft....."

http://forum.simtel.net/ubbthreads/postlist.php?Cat=&Board=looking

Paul Wilders
April 23rd, 2002, 09:13 PM
discogail,

As it seems, Radlight has altered its EULA in the meanwhile (from a legal point of view: smart move).

That said: there's absolutely no guarantee other spyware infested software will act likewise. For that reason, an app alerting/preventing tampering with anti-spyware software is in place.

IMHO one should uninstall any spyware infested software asap anyway.

regards.

paul

discogail
April 24th, 2002, 12:26 AM
Paul,
I agree. This is just the beginning. The disabling program is out there now.....& there's no putting it back in the bottle...& this particular one is in the hands of Save Now......bundled w/ other apps besides Radlight.

Mike_Healan
April 24th, 2002, 08:07 AM
That person at Simtel was without a doubt the most naive, arrogant, and foolish person I've seen involved in this, aside from the fellow whose avatar I've stolen. ;)

FanJ
April 24th, 2002, 08:38 AM
The free program NIS File Check from Albert can warn you of changes in or the removal of ADAware files.

I have posted about it in the NIS File Check forum:

http://www.security-pro.co.uk/yabb/YaBB.pl?board=qna;action=display;num=1019644150

For questions etc. with respect to that, please post over there.

spy1
April 24th, 2002, 02:30 PM
So he did all that just to make a point, eh?

http://216.194.92.96/phpBB2/viewtopic.php?t=226

Methinks not. Pete

Bud Allen
April 28th, 2002, 02:50 PM
I just read the Radlight Agreement.

"Privacy

By downloading SaveNow you give permission to SaveNow to display relevant contextual information and offers. In order to provide SaveNow users with such information, SaveNow delivers content based on the URL visited by the user and/or search terms entered by the user into a search engine and/or content on the web page being viewed by the user. SaveNow protects users’ privacy by determining on the client side whether or not to retrieve information from WhenU.com servers. Client-server communication takes place only on an as-needed basis, and SaveNow does NOT transmit a full history of URLS visited by the user to the WhenU.com servers. WhenU.com does NOT assemble personally-identifiable profiles of SaveNow users and personally identifiable information is not required in order to use the SaveNow software. WhenU.com may update it’s privacy policy and license agreement for SaveNow at any time at the discretion of the company.

Limitation of Liability

To the maximum extent permitted by law, in no event will WhenU.com or its agents be liable for any damages arising from the use of or inability to use the software, including, without limitation, damages to users’ systems and/or software and/or data, computer failure or malfunction, computer virus transmission, performance delays or communication failures, security breaches or any and all other damages or losses."

It appears that WhenU.com and SaveNow are the offenders. It's gatherinfoware.

spy1
April 28th, 2002, 03:30 PM
Bud Allen - Welcome to the forum!

You're right in one respect - WhenU.com and SaveNow developed and make available the spyware, but RadLight willingly provided the platform for their spyware - so let's not ever forget that. Pete

Mr.Blaze
May 2nd, 2002, 05:02 AM
:o those mofoes, I just sent them the e-mail.

I can't believe they would do that and all AOL users are in danger, SaveNow comes standard with AOL 7.0 or their AOL AIM instant messenger I think?

>:( blaze pulls out spam cannon.

>:( mawha let my spam be their passage to hell

:D hold on I need to get a kilt and some blue paint for my face lol.

:D They may have our cyberspace but they will never have our hard drives lol