If you find yourself installing and running cracks and keygens that you’re downloading over Limeware, stop what you’re doing. First, stop using cracks and pirated software. Secondly, nothing truly is for free.
Limewire users have been seeing various keygens offered over their P2P connections. Over the past few days, there have been multiple releases of AVG LICENSE KEY CRACK BY [SSG].ZIP, HALO KEYGEN BY [ZWT].ZIP, REALTEK AUDIO DRIVER CRACKED BY -=ROGUE=-.ZIP, and NERO 9 NO PATENT CRACK BY ZWT.ZIP. And surprise, surprise, all of these files come with a little treat inside, crack.exe. We’ve seen this sort of keygen package bundled with some severe malware in the past, and we continue to see downloaders and adware installed by this stuff.
Taking a quick look, we find that this dropper will disable the Windows Security Center and Firewall. It will then scan through the system32 directory, attempting to find a random dll name string to borrow from, and then select some digits from the system time to create its dropped dll name string, always ending with “32.dll”. For our ThreatExpert report, the malicious downloader file name created was “glu3232.dll”, and we can identify pieces of the code used to create a random portion of the name here:
and the concatenation of that semi-randomized string with “32.dll” here:
even though my antivirus cant find this file i used ad watch to see registry changes it is allways changing in registry and using your internet! i found the file locked, then used the repair console function on os setup cd to remove the file glu3232.dll in dos since locked files dont lock in dos after that the internet was clear.
ALSO FYI: i intentionally ran this file on a dummy pc to find its weakness, hey guys gotta have a hobby.