
Careful when download newest K-lite


8 replies to this topic

#1 Jackcolt

    Whiner

  • Members
  • 4 posts

Posted 09 December 2013 - 06:33 PM

Thought I'd do a post here to warn the users and owners of this. I downloaded the newest K-Lite Full pack here today. The non-mirror link (top link) pointed to a URL with a modified installer (about 37 MB if I recall correctly). This creates a "Lenovo" folder in the Common Files folder, which seems to contain a modified portable version of Firefox. It also starts a data.js (modified from the well-known one), which calls a modified browser with the process name dmw.exe (in the Lenovo folder), opening some infected sites. Luckily my Avast AV stopped it from opening sites, so it seems further damage was avoided. So far removing it seems to be just a matter of removing the Lenovo folder, and removing the registry entry calling data.js with wscript.exe at startup. Doing a full sweep now, but I don't believe it does anything else. I guess the goal is to open some infected sites with the modified browser, which then will wreak havoc.


I downloaded the pack again from a mirror, and there it was clean. Have it installed on my system now.


Edited by zeNmaster, 10 December 2013 - 10:56 AM.
The website is ok :)


#2 zeNmaster

    ***

  • Administrators
  • 155 posts
  • Location: EU

Posted 10 December 2013 - 10:50 AM

Thanks Jackcolt and sorry about the mess. The link has been removed. It's strange because it was hosted by Sourceforge. I don't understand how they managed to redirect it.



#3 Jackcolt

    Whiner

  • Members
  • 4 posts

Posted 10 December 2013 - 04:15 PM

You're welcome and no worries, no damage done.

However, it seems the link to the infected site is back. I did see it was removed when I checked the site at work, but checking again now, it has returned. Checked on multiple machines on different networks (to ensure it wasn't on my end). This time, the infected site appeared on the mirror as well. It's easy to detect as the file it tries to download is larger than it's supposed to be. Somehow, it only redirects to the infected site the first time you click the link. After that all links lead to the correct version. I guess this is a problem at Sourceforge's end then?


#4 zeNmaster

    ***

  • Administrators
  • 155 posts
  • Location: EU

Posted 11 December 2013 - 10:35 AM

You mean this link?
http://codecs.com/do...d=7411&s=775&r=



#5 Jackcolt

    Whiner

  • Members
  • 4 posts

Posted 11 December 2013 - 01:12 PM

Yesterday there were 2 links, the main link and a mirror. The infected redirect occurred on both links. Checking today, it seems to have been fixed again. I'll note the link and the URL that is redirected to, and let you know, if I notice it again.



#6 speedy

    Talented Member

  • Members
  • 59 posts

Posted 11 December 2013 - 03:59 PM

http://www.gluster.o...rge-has-fallen/

#7 Jackcolt

    Whiner

  • Members
  • 4 posts

Posted 12 December 2013 - 04:16 PM

Yeah I know about Sourceforge's custom installers. I severely dislike that. They do prompt you to accept installing the additional malware/adware though. This didn't. This was all done in the background, and they try to hide it. It creates a process called dmw.exe (close to dwm.exe, a Windows process), and a registry entry causing a JavaScript file to be executed on startup, that interacts with dmw.exe that is hidden in the background. I hope this isn't intentional by Sourceforge.


Links do look clean now though.



#8 flipjack321

    Whiner

  • Members
  • 1 post

Posted 30 January 2014 - 12:39 AM

Just wanted to say I installed K Lite a couple of days ago and had the same problem. But it installed the malware into C:\Program Files (x86)\Common Files\eImagineTechnologyGroup instead of Lenovo.
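A read-only triage check for the indicators described in posts #1, #7 and #8 (the Lenovo and eImagineTechnologyGroup folders under Common Files, the dmw.exe lookalike of dwm.exe, and a startup registry entry that runs a .js file through wscript.exe). This is an added example, not a script from the thread or from K-Lite; the Run/RunOnce key paths and the Common Files environment variables are assumptions about a standard Windows install, and it only reports, it does not delete anything.

```powershell
# Added example: report-only triage for the indicators posted in this thread.
# Assumes a standard Windows layout (CommonProgramFiles variables, Run/RunOnce keys).
$commonFiles = @(
    ${env:CommonProgramFiles},
    ${env:CommonProgramFiles(x86)}
) | Where-Object { $_ }

# Folder names reported in post #1 (Lenovo) and post #8 (eImagineTechnologyGroup).
$suspectFolders = 'Lenovo', 'eImagineTechnologyGroup'
# Process name reported in post #1/#7; note the letter swap against the legitimate dwm.exe.
$lookalike = 'dmw.exe'

$findings = @()

foreach ($root in $commonFiles) {
    foreach ($name in $suspectFolders) {
        $dir = Join-Path $root $name
        if (Test-Path $dir) {
            $exe = Get-ChildItem -Path $dir -Recurse -Filter $lookalike -ErrorAction SilentlyContinue
            if ($exe) { $findings += "Lookalike binary present: $($exe.FullName)" }
            else      { $findings += "Suspect folder present: $dir" }
        }
    }
}

# Autostart values that hand a .js file to a script host (post #1: data.js via wscript.exe).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $value = [string]$p.Value
        if ($value -match '(?i)\b[wc]script(\.exe)?\b' -and $value -match '(?i)\.js\b') {
            $findings += "Autostart runs a script host: $key\$($p.Name) = $value"
        }
    }
}

# Is the lookalike process currently running?
Get-Process -Name ($lookalike -replace '\.exe$', '') -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Running process: $($_.Path)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'None of the indicators from this thread were found.' }
```

Run it from an elevated prompt so the HKLM keys and both Common Files trees are readable; a hit on the Run key alone is worth checking even when the folder has already been deleted, since the leftover entry will still fire wscript.exe at logon.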



#9 zeNmaster

    ***

  • Administrators
  • 155 posts
  • Location: EU

Posted 31 January 2014 - 10:26 AM

Those guys from sourceforge are idiots. All links have been removed. Thanks flipjack ;)
