http://msmvps.com/blogs/hostsnews/archive/tags/BitTorrent+CidHelp/default.aspxTags: BitTorrent CidHelpenCommunityServer 2008.5 SP2 (Build: 40407.4157)http://msmvps.com/blogs/hostsnews/archive/2007/07/19/bittorrent-users-beware.aspxThu, 19 Jul 2007 12:48:00 GMTd67277c4-116b-43f1-b688-e9ef184ea916:1039370winhelp20020http://msmvps.com/blogs/hostsnews/archive/2007/07/19/bittorrent-users-beware.aspx#comments<p>&quot;<em>BitTorrent is a method of distributing large amounts of data (P2P) widely without the original distributor incurring the entire costs of hardware, hosting and bandwidth resources.&quot; </em>[Full Wikipedia description <a class="" href="http://en.wikipedia.org/wiki/BitTorrent" target="_blank">here</a>]</p> <p>Seems the Cash4Downloads folks have teamed up with CidHelp (C2Media/LOP) to distribute &quot;free software&quot; for users looking for BitTorrent programs. So let&#39;s see what they offer ...</p> <p><img style="WIDTH:394px;HEIGHT:409px;" height="409" src="http://mvps.org/winhelp2002/blog/get-torrent.gif" width="394" border="1" alt="" /></p> <p>As you can see ... &quot;no spyware, no adware, no malware&quot; ... oh really? I scanned the download at VirusTotal</p> <p>Get-Torrent-2.0.0.0-setup-0350.exe</p> <p>BitDefender 7.2 2007.07.19 Trojan.FatObfus.A<br />DrWeb 4.33 2007.07.18 Trojan.Packed.149<br />F-Secure 6.70.13030.0 2007.07.18 Trojan.Win32.Obfuscated.dt<br />Ikarus T3.1.1.8 2007.07.18 Trojan.Win32.Obfuscated.en<br />Kaspersky 4.0.2.24 2007.07.19 not-a-virus:AdWare.Win32.Lop.bo</p> <p>[or]<br />BitRoll-2.2.0.0-setup-0410.exe</p> <p>Avast 4.7.997.0 2007.07.18 Win32:Trojan-gen. {Other}<br />BitDefender 7.2 2007.07.19 Trojan.Agent.AOJ<br />DrWeb 4.33 2007.07.18 Trojan.Packed.149<br />F-Secure 6.70.13030.0 2007.07.18 Trojan.Win32.Obfuscated.en <br />Ikarus T3.1.1.8 2007.07.18 Trojan.Win32.Obfuscated.en <br />Kaspersky 4.0.2.24 2007.07.19 not-a-virus:AdWare.Win32.Lop.bo <br />Microsoft 1.2704 2007.07.18 Trojan:Win32/Busky.C<br />Symantec 10 2007.07.19 Torrent101</p> <p>There are about 15 other related sites all hosted on the same IP address (69.72.144.122) however the majority of the downloads are redirected and actually coming from <strong>67.15.107.166</strong>. I would highly suggest adding that IP address to the Internet Explorer &quot;<a class="" href="http://mvps.org/winhelp2002/restricted.htm" target="_blank">Restricted Zone</a>&quot; as this will prevent the download.</p> <p><img src="http://mvps.org/winhelp2002/blog/get-torrent2.gif" alt="" /></p> <p>As you can see in the VirusTotal results several Antivirus vendors have their own descriptions, but I can assure you these are CidHelp (C2Media/LOP) related.</p> <p><a class="" href="http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-071213-0024-99&amp;tabid=2" target="_blank">Symantec.WinZix</a> states: &quot;The program may then download a copy of Adware.Lop on to the computer.&quot;<br />McAfee <a class="" href="http://69.64.185.84/sites/torrent101.com/downloads/5188818/" target="_blank">SiteAdvisor.torrent101.com</a> download analysis shows the following Registry edits are made:</p> <p><em>[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow]<br />ADD&nbsp;netbios-wait.com=&quot;&quot;<br />ADD&nbsp;netsearchsoft.com=&quot;&quot;</em></p> <p>Now <em>netbios-wait</em> and <em>netsearchsoft</em> are both C2Media/LOP sites ... looks like the world of BitTorrent can be a dangerous place. Especially if you install one of these &quot;no spyware, no adware, no malware&quot; programs.</p><div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=1039370" width="1" height="1">BitTorrent CidHelp