Scumware targets AA !

Discussion in 'privacy problems' started by MickeyTheMan, Apr 22, 2002.

Thread Status:
Not open for further replies.
  1. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    It has come to our attention that the RadLight 3.03R5.2 (by Radlight)
    software intentionally tries to uninstall Ad-aware components from your system, without requesting your permission or knowledge.

    After reports from concerned users, our tests have shown that the Radlight
    software indeed checks for the default Ad-aware installation path, and then removes
    all files that are not currently in use, upon its first execution.
    Until now, such a malicious behaviour was commonly known for viruses and trojans.

    It does not slip through Ad-watch, or hide from the Ad-aware scanner;
    Radlight is not (yet) targeted by Ad-aware or Ad-watch.

    It performs a silent uninstall of the Ad-aware components, including desktop shortcuts and start menu items.

    This is not a bug in the RadLight software, it is intentionally uninstalling
    Ad-aware, with the only purpose to make your system attainable for further malware installation.

    And if this wasn't enough, the Radlight software is bundled with WhenU's SaveNow software, a well known data mining company.
    If Ad-watch is running, it will correctly prevent the installation of Savenow.
    If neither Ad-aware nor Ad-watch is active, they both will be uninstalled through the Radlight software upon its first execution.

    A fix is in progress, and we feel it's necessary to add Radlight to the AAW target list.
    This is malware at its worst.

    Team Lavasoft

    Urizen
     
  2. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    That's a really horrible thing for a program to do.

    Unfortunately, I am surprised it didn't happen sooner - but I'm sure many people figured that luck would run out soon enough.

    I'm glad to know you're working on a fix - good luck on a quick release!

    Also, minor question: What does the RadLight software do, and where (and/or why) would someone obtain it? (Mainly asked for my own testing purposes.)

    TIA.

    -javacool

    UPDATE: Never mind on the "where would someone obtain it" question - a simple .com address does the trick.  ;)
     
  3. Ann

    Ann Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    6
    Hi javacool

    RadLight 3.03R5.2 is a media player and can be found at
    http://www.radlight.net

    Ann Christine Åkerlund
    bee@lavasoft.de
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I think they need some email, don't you?

    davenger@radlight.net <davenger@radlight.net>

    (Of course, they know, this means W-A-R!!! ). Pete
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Posted the same on "privacy software" - apologies for the unintended cross posting.

    That said: I fully agree with javacool: it does not surprise me at all - and it probably is just the beginning.

    The method used here is a simple and quite straightforward one: any AA user will notice immediately. Chances are, AA will be targeted and put out of business like lots of security software is: only altering - the way it seems all works as it should, but in fact putting the app dead or not targeting certain spyware.

    IMHO a pro-active coding is needed here in regard to AA. That's a huge effort. Nevertheless, IMO a needed one. Better stay ahead than acting reactive.

    regards.

    paul
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    "'davenger', huh? (<g>)
       The best possible interpretation I can put on your insane move to disable the AdAware program is that you're looking for publicity (which, unfortunately, you'll get more of than what you want).
       If a suitably short enough period of time passes and you do not cease and desist from this practice, I hereby promise you that I will organize a class action suit by Lavasoft users against your company and your person which will result in your total destruction as a corporate entity and leave the next two generations of your children scurrying to finish paying off the judgement against you.
       Have a nice day.

    Pete Yevchak (spy1 Global Mod @ http://www.security-pro.co.uk/yabb/YaBB.pl"

    Everyone please feel free to copy and paste that (or something similar), adding your name to it to let them know that you'll be part of the suit.

    Mine's already sent. Pete

    *And here's the link for cnet's 'Feedback' form - I urge everyone to fill out and send one of those, too!

    http://download.com.com/1200-20-750060.html?tag=subnav
     
  7. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Will do -  :)

    BTW, Just a thought - Wouldn't it be possible to make a program to watch the AdAware files for deletion or even tampering? i.e. a small memory-resident app you could either run when you installed applications, or all the time, if you wanted.

    Side note - That program probably wouldn't be too hard to make. If anyone has an interest, I could always whip one up really quick (probably only 10 kb or so, too).

    Just a thought. (That program probably wouldn't be much use to AdAware Plus users, though - since they have the resident scanner, but just a thought.)
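A minimal sketch of the watcher idea from the post above, added here as an example and not code from anyone in this thread: it takes a hash baseline of a directory and reports files that were later deleted, modified or added. It polls on demand rather than staying memory-resident, and the file names in `demo()` are constructed stand-ins for a protected install directory.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                digest = None  # locked or unreadable: record presence only
            state[os.path.relpath(full, root)] = digest
    return state


def compare(baseline, current):
    """Report what changed between two snapshots of the same directory."""
    common = baseline.keys() & current.keys()
    return {
        "deleted": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "added": sorted(current.keys() - baseline.keys()),
    }


def demo():
    """Constructed scenario: one file removed, one overwritten in place."""
    with tempfile.TemporaryDirectory() as root:
        files = (("scanner.exe", b"engine"),
                 ("reflist.sig", b"signatures"),
                 ("readme.txt", b"docs"))
        for name, data in files:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        # In real use the baseline is stored outside the watched directory,
        # so whatever removes the files cannot remove the baseline as well.
        baseline = snapshot(root)
        os.remove(os.path.join(root, "scanner.exe"))
        with open(os.path.join(root, "reflist.sig"), "wb") as fh:
            fh.write(b"")  # same name, different content
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Comparing content hashes rather than only file names also catches the quieter case where a file is left in place but altered.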
     
  8. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    This is just unimaginable!  :mad:

    I've just posted this Lavasoft notification at VirtualDr, Winguides.com, and TSG Forums, as well as on a couple of boards here in Holland.

    Everyone ought to be warned.
     
  9. discogail

    discogail Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    151
  10. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    LOL Pete.
    As a LS mod, I think I should stay out of it, but anyone else, please, contact them and warn them they're up against a company that will NOT back down.

    We appreciate the support everyone. I know there are some harsh words for us when one of our new releases causes some..... ermm... "unexpected troubles", but it's good to know we have your support nevertheless.
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    All good security and anti-spyware software will be supported by us, our mods and members. All in all, it's fighting a common enemy, and that's what counts in the end.

    regards.

    paul
     
  12. discogail

    discogail Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    151
    CNet has pulled it.......
    "This title is no longer available!

    The program you've requested, "RadLight", is not available for download at this time"

    Still available at Simtel http://www.simtel.net/pub/pd/55443.html
    Simtel discussion forum.....http://forum.simtel.net/ubbthreads/ubbthreads.php
    Email........bdickson@digitalriver.com <bdickson@digitalriver.com>
    ***Apparently filters have messed with the email address. LOL.....bthingyson should be bd*i*c*kson...remove asterisks
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thanks, DG! I feel the need to email! Pete
     
  14. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
  15. snowman

    snowman Guest

             COPY OF SENT




         
                      RE:  Radlight 3.02R.2



           TO:   B. Dickson

                 please be herewith advised that Radlight 3.03R3 has
                 been positively identified as a program that performs
                 illegal operations.....the dis-installing of legally
                 obtained and copyrighted computer software installed
                 on personal/business computers.
               
                 all parties associated with the distribution of Radlight
                 3.02R.2 should seriously consider if such association
                 will also associate them in whatever pending legal actions
                 that may ensue.

                                     respectfully  submitted

                                       (snipped)
                 
     
  16. Blacksheep

    Blacksheep Spyware Fighter

    Joined:
    Feb 9, 2002
    Posts:
    109
    Location:
    Missouri, USA
    Simtel is now aware of RadLight *problem*:

    http://forum.simtel.net/ubbthreads/showflat.php?Cat=&Board=looking&Number=2132&page=0&view=collapsed&sb=5&o=&fpart=1&vc=1
     
  17. snowman

    snowman Guest

           seems like I picked-up a hitchhiker.....somewhere after leaving here to the radlight site...my email site...and two other sites......

          after noticing one of those behind the window pop-ups....an pop-ups wont pop on my computer LOL  I became curious......checked my windows temp....an sure as gravy covers rice I found a download...  



          GLB1A2B      application

          112 kb



          most all day yesterday I was installing M$ patches....an this afternoon installed some previously downloaded programs.........so this may all be very innocent...........however,  I also clean and defrag my computer after each install..........an don't see how this would have been left behind....

           unfortunately I forgot to disable "download files" in the internet zone.........so its possible that a forced download was made......an there was that "box" behind window...........an I did check out radlight......

           this whatever it is in the temp folder is of no concern to me...it can't install on my computer......if by a miracle I picked up a copy of whatever is un-installing adware.....it may be useful.....but I certainly can't say thats what this application is....it may be nothing.

            I'll stay awake for a little longer to see if anyone is interested...if not I will delete it.....


                                  snowman
     
  18. snowman

    snowman Guest

           the file resembles   a small box next to a waste paper basket.............something along the lines of what the recycle bin appears like......but with a small box next to it...



                                 snowman
     
  19. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
  20. snowman

    snowman Guest

            after further consideration...this makes no sense....the program that un-installs adaware is bundled in radlight.......so I can't see how this would be related

           my apology.......



                                           snowman
     
  21. snowman

    snowman Guest

            MIKE


            do you still want me to send it??   I'll be happy to do so..


                              snowman
     
  22. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands


    If I remember well, GLB1A2B has been known to be put in your Windows\temp folder when you install Ad-Aware.

    You'll find it in your Wininit.ini, and it will therefore show in your Wininit.bak after reboot.

    Take a look at this thread, two thirds down: http://www.lurkhere.com/forum768.html

    So maybe let's not get carried away unduly...;)

    Cheers,  Tony
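For readers checking their own Wininit.ini as suggested above, a small parser for its `[rename]` section, added here as an example and not part of the original post. On Windows 9x each line in that section reads `destination=source`, and a destination of `NUL` means the source file is deleted at the next boot; the key `NUL` can repeat, which is why a generic INI reader that keeps one value per key is not used. The sample content, the `.EXE` extension and the `EXAMPL~1` directory are constructed.

```python
def parse_wininit(text):
    """Return (deletes, renames) queued in the [rename] section."""
    deletes, renames = [], []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, src = (part.strip() for part in line.split("=", 1))
        if dest.upper() == "NUL":
            deletes.append(src)           # file removed at next boot
        else:
            renames.append((src, dest))   # file moved over dest at next boot
    return deletes, renames


def pending_against(text, directory):
    """List queued deletes or overwrites that touch files under directory."""
    prefix = directory.upper().rstrip("\\") + "\\"
    deletes, renames = parse_wininit(text)
    hits = [p for p in deletes if p.upper().startswith(prefix)]
    hits += [d for _s, d in renames if d.upper().startswith(prefix)]
    return hits


# Constructed sample; Wininit.ini uses short (8.3) paths.
SAMPLE = r"""
[rename]
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE
NUL=C:\PROGRA~1\EXAMPL~1\SCANNER.EXE
C:\WINDOWS\SYSTEM\EXAMPLE.DLL=C:\WINDOWS\TEMP\EXAMPLE.TMP
"""

if __name__ == "__main__":
    print(parse_wininit(SAMPLE))
    print(pending_against(SAMPLE, r"C:\PROGRA~1\EXAMPL~1"))
```

The same function reads Wininit.bak after a reboot, which shows what was processed at the last boot.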
     
  23. snowman

    snowman Guest

           Tony

            I agree about not getting carried away.....an that may be just as well cause I can't get this thing into my e mail...in order to forward......it keeps trying to open!!!!


          an for adaware....I installed it weeks ago.....have cleaned my temp folder a dozen times since......I did run adaware within the past twenty four hours....

            anyways..since it wont go into the e mail....I'll just delete it.....oh, I even tried putting it into "zip"


            hope this wasn't a bother to anyone.....thank you for your time.

                                snowman
     
  24. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Hi Snowman,

    No prob! :)

    It'll certainly serve to reassure others that may be asking themselves the same question.

    I know I've seen this item popping up in StartLogs many times myself,  and have always wondered what it was, until Mo accidentally discovered it was created by Ad-Aware.

    Cheers,  Tony
     
  25. snowman

    snowman Guest

            Tony

            thanks for the advisory......this certainly was a new one for me....I am still rather confused...but placing my trust in you on this.

            what confused me was that its a 162 kb application.....an it kept trying to open whenever I made an attempt to move it....

           but no problem..its deleted....system cleaned completely...checked for possible virus/trojan..etc.

           was an interesting experience.....I have never sent an attachment by e mail....in fact have only used e mail less than ten times over several years.....seems I will need to learn how to use it properly......talk about going back to the basics........LOL


                      wishing you well

                       snowman
     