15.03.2008 18:03, Post #1
Member (Group: Members; Posts: 21; Joined: 13.03.2008; From: Lisbon)
It would appear that Flashget's updates have been compromised and it has been downloading trojans to users' computers. Many Flashget users have been affected. What worries me is that I only picked it up after a virus scan. Perhaps naively, I would have expected KIS to spot this while it was happening and at least flag it up.

There was a most interesting article on this in Viruslist, but the page is now empty. It described the vulnerability and suggested that it might have been the result of a hacker attack. This thinly veiled accusation I believe to be unfair. The trojan was firmly dropped into the Flashget folder, rather than squirreled away somewhere else, as though somebody was calling attention to the vulnerability rather than exploiting it. Flashget was running on my PC when the trojan was detected on disk, but memory scans were clean. I take this to indicate that nothing was being sent elsewhere that I would object to. Please put me straight if I err. The now-blanked article did carry the dates over which the events happened, and it would be useful to see those again so I can assess what damage might have been done.

There has been discussion in Flashget's forum but no resolution. For this reason, I think it worth calling attention to for the sake of those who may still be unaware. The advice given was to uninstall the application until such time as a fix was released. This may be paranoia, but, in the event that the maliciousness was intended, will simply using Control Panel to remove the app work sufficiently to remove everything? Residues are often left behind, as we all know. Presumably this can happen with any programme, even one we all trust. It would be useful to know how to use KIS to at least warn of anything like this in future. In the extreme case, an armed raid on any company's headquarters will compromise their servers!
15.03.2008 18:28, Post #2
Global Moderator (Group: Global moderators; Posts: 25915; Joined: 7.04.2005)
1. Post in the correct section next time.
2. The fact that it was detected during a scan on your PC could be for a number of reasons. Possible: not yet active (most likely scenario), not in the bases yet, or within the scope of the PDM (least likely).
3. Removing FlashGet is certainly advisable until they fix the issue, but the malware itself you have already deleted.
--------------------
15.03.2008 18:33, Post #3
True legend (Group: Moderators; Posts: 53523; Joined: 28.01.2006; From: Timisoara, Romania)
This is how the thing works: basically it's on the FlashGet server and nested in such a way that FlashGet thinks it's an update for itself. Why wasn't it detected on download? There are a lot of possible reasons. As Don said, the first could be no bases; second could also be the fact that it's not a standard HTTP download (when I checked for updates with FlashGet it started to connect on various remote ports, 8xxx, 1xxx etc.; the HTTP port is TCP 80); and another reason is that most put their download managers in the trusted zone (it's obvious: a download manager is not subject to the various exploits a browser is while visiting a page, and downloads can be scanned via command line or manually at the end).

Removing FlashGet solves it (if you aren't infected) because the malware is downloaded by FlashGet; residues are irrelevant in this case.
--------------------
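The mechanism Lucian describes in the post above (a compromised vendor server handing the client a file that the client accepts as its own update) is the classic update-channel supply-chain failure: the client trusts the source, so whatever the source serves gets written into the program folder and run. As an added example that is not part of this thread and is not FlashGet's code, the Go program below shows the check an update client needs so that a compromised download server cannot push an arbitrary payload: the vendor signs a small release manifest with an Ed25519 key that never lives on the web server, the client ships with the public key pinned, and the payload is bound to the signed manifest by its SHA-256 digest. The manifest format, the key handling, the version string and the sample payloads are all constructed for this example; nothing here describes how FlashGet's updater actually worked.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one release. The vendor signs its JSON encoding with a
// key kept OFF the update server, so compromising that server does not yield
// a valid signature. Hypothetical format: the real FlashGet protocol is not
// on the page.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the update payload
}

// SignedManifest is what the update server serves next to the payload.
type SignedManifest struct {
	ManifestJSON []byte
	Signature    []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned key")
	ErrHashMismatch = errors.New("payload digest does not match the signed manifest")
)

// NewReleaseKey generates the vendor's signing key pair. In practice the
// private half lives on an offline signing machine, never on the web server.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignRelease is the vendor-side release step: digest the payload, sign the
// manifest that carries the digest.
func SignRelease(priv ed25519.PrivateKey, version string, payload []byte) (SignedManifest, error) {
	sum := sha256.Sum256(payload)
	js, err := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{ManifestJSON: js, Signature: ed25519.Sign(priv, js)}, nil
}

// VerifyUpdate is the client-side gate that must run BEFORE the payload is
// written into the program folder or executed. pinned is compiled into the
// client; nothing fetched from the server is trusted until it verifies.
func VerifyUpdate(pinned ed25519.PublicKey, sm SignedManifest, payload []byte) (Manifest, error) {
	// 1. Signature first: an unsigned or mis-signed manifest tells us nothing.
	if !ed25519.Verify(pinned, sm.ManifestJSON, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.ManifestJSON, &m); err != nil {
		return Manifest{}, fmt.Errorf("signed manifest is malformed: %w", err)
	}
	// 2. Bind the payload to the signed manifest by digest.
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return Manifest{}, ErrHashMismatch
	}
	return m, nil
}

// NaiveUpdateAccepted models the behaviour the thread describes: the client
// treats anything the server returns as a genuine update. It never rejects.
func NaiveUpdateAccepted(payload []byte) bool {
	return len(payload) > 0
}

func main() {
	pub, priv, err := NewReleaseKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample payloads; stand-ins for an installer and a trojan.
	legit := []byte("constructed sample: genuine update bytes")
	trojan := []byte("constructed sample: attacker-supplied executable")

	sm, _ := SignRelease(priv, "1.0-demo", legit)

	// Normal update from an uncompromised server.
	if _, err := VerifyUpdate(pub, sm, legit); err == nil {
		fmt.Println("genuine update: accepted")
	}
	// Compromised server swaps the payload but can only reuse the vendor's manifest.
	if _, err := VerifyUpdate(pub, sm, trojan); err != nil {
		fmt.Println("swapped payload:", err)
	}
	// Attacker signs their own manifest with a key they generated themselves.
	_, attackerPriv, _ := NewReleaseKey()
	forged, _ := SignRelease(attackerPriv, "1.0-demo", trojan)
	if _, err := VerifyUpdate(pub, forged, trojan); err != nil {
		fmt.Println("forged manifest:", err)
	}
	fmt.Println("naive client would run the trojan:", NaiveUpdateAccepted(trojan))
}
```

Running it with `go run` prints the three outcomes: the genuine release passes, a payload swapped on the server fails the digest check, and a manifest signed with an attacker's key fails the signature check, while the naive client accepts the trojan unconditionally. The anti-virus scan the thread discusses is a second line of defence behind this check; it only helps once a signature for the dropped file exists, whereas the pinned-key check rejects the swap regardless of whether the payload is known malware.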
15.03.2008 18:55, Post #4
Member (Group: Members; Posts: 21; Joined: 13.03.2008; From: Lisbon)
> 1. Post in the correct section next time.

Please forgive this humble user if he has caused any offence to your magnificence. Sorry, couldn't resist!

> 2. The fact that it was detected during a scan on your PC could be for a number of reasons. Possible: not yet active (most likely scenario), not in the bases yet, or within the scope of the PDM (least likely).

I'm relieved that you consider it unlikely that it had been activated, but I fear I know nothing of these "bases" and "PDMs" of which you speak.

> 3. Removing FlashGet is certainly advisable until they fix the issue, but the malware itself you have already deleted.

Would preventing it from starting up with Windows suffice, then? Thanks for replying!
15.03.2008 19:02, Post #5
Wrestling Champion (Group: Moderators; Posts: 8251; Joined: 9.03.2007)
The Flashget article is still there.... visit the weblog homepage.
--------------------
Kind regards,
Baz (volunteer moderator/beta testing lead -- I don't work for Kaspersky ;))
15.03.2008 19:08, Post #6
Member (Group: Members; Posts: 21; Joined: 13.03.2008; From: Lisbon)
> This is how the thing works: basically it's on the FlashGet server and nested in such a way that FlashGet thinks it's an update for itself. Why wasn't it detected on download? There are a lot of possible reasons. As Don said, the first could be no bases; second could also be the fact that it's not a standard HTTP download (when I checked for updates with FlashGet it started to connect on various remote ports, 8xxx, 1xxx etc.; the HTTP port is TCP 80); and another reason is that most put their download managers in the trusted zone (it's obvious: a download manager is not subject to the various exploits a browser is while visiting a page, and downloads can be scanned via command line or manually at the end). Removing FlashGet solves it (if you aren't infected) because the malware is downloaded by FlashGet; residues are irrelevant in this case.

Thanks for the reply! I only vaguely understand most of it, though. Is it then not possible to prevent this sort of thing happening again? That would be quite a blow to those of us who trust our security software.
15.03.2008 19:15, Post #7
Member (Group: Members; Posts: 21; Joined: 13.03.2008; From: Lisbon)
> The Flashget article is still there.... visit the weblog homepage.

Thanks for the tip; it's here if anybody else wants to read.
15.03.2008 19:28, Post #8
Wrestling Champion (Group: Moderators; Posts: 8251; Joined: 9.03.2007)
Basically what Lucian said is that:
1) There may not have been a signature for the malware at the time.
2) Flashget may have been using a random port not monitored by the web AV.
3) Most users put Flashget into the trusted zone because they consider it "safe", so the files downloaded may not have been scanned.
--------------------
Kind regards,
Baz (volunteer moderator/beta testing lead -- I don't work for Kaspersky ;))
15.03.2008 19:38, Post #9
Global Moderator (Group: Global moderators; Posts: 25915; Joined: 7.04.2005)
> Please forgive this humble user if he has caused any offence to your magnificence. Sorry, couldn't resist!

Try, and when you fail, try even harder...

> I'm relieved that you consider it unlikely that it had been activated, but I fear I know nothing of these "bases" and "PDMs" of which you speak. Would preventing it from starting up with Windows suffice, then?

Since you have removed it as well as deleted the malware... no. Just keep FlashGet uninstalled.

> Thanks for the reply! I only vaguely understand most of it, though. Is it then not possible to prevent this sort of thing happening again? That would be quite a blow to those of us who trust our security software.

You cannot guarantee protection against all types of attack; it's an impossibility, and if this really has you worried too much then you need to sell the computer and use other means of communication, because it ain't happening... That said, you do realize that you were protected, right? And that the trojan would have been detected if it executed? ... Sorry, please forgive this arrogant moderator, his ego needs it! Instead be happy that you chose Kaspersky; it's a serious anti-virus and has been for a very long time.
--------------------
15.03.2008 20:20, Post #10
Member (Group: Members; Posts: 21; Joined: 13.03.2008; From: Lisbon)
> Basically what Lucian said is that: 1) There may not have been a signature for the malware at the time. 2) Flashget may have been using a random port not monitored by the web AV. 3) Most users put Flashget into the trusted zone because they consider it "safe", so the files downloaded may not have been scanned.

Thanks for the clarification. I tried to search the virus list for the last instance of infection I had, "Trojan-Downloader.Win32.Agent.kht" as described by KIS, but, strangely, this record could not be found, so I can't tell you if the signature existed when the infection occurred, on the 13th or 14th this month.

I am fairly certain I hadn't put the, now departed, Flashget application into any Trusted Zone, but there are many firewall rules relating to it. As I understand it, these rules allow traffic of a certain kind to pass (or be blocked), but do they also allow it to pass unmonitored? I can only find "trust" settings for URLs and IP addresses in various sections of the "Settings", not applications.

I think I found something significant: Service; Network Settings; Port Settings was set to "Monitor selected ports only". I have changed this to "Monitor All Ports".
15.03.2008 20:41, Post #11
Member (Group: Members; Posts: 21; Joined: 13.03.2008; From: Lisbon)
> Try, and when you fail, try even harder...

"Every day in every way..."

> Since you have removed it as well as deleted the malware... no. Just keep FlashGet uninstalled.

OK, Flashget (and JetCar, for some reason) are uninstalled. There are certainly files left behind in the "Program[me] Files\Flashget" folder. I couldn't say if aught remains in the registration database, but I doubt I'll need more than one guess.

> You cannot guarantee protection against all types of attack; it's an impossibility, and if this really has you worried too much then you need to sell the computer and use other means of communication, because it ain't happening... That said, you do realize that you were protected, right? And that the trojan would have been detected if it executed? ... Sorry, please forgive this arrogant moderator, his ego needs it!

If only I could remember my cuneiform - happy days! I take your point about execution. Would that apply even to a trusted application, of which this inapp#.exe would be considered part?

> Instead be happy that you chose Kaspersky; it's a serious anti-virus and has been for a very long time.

No arguments there; long may it continue thus! Coping with moronic (Hi there!) users must be very stressful. I couldn't do it even if I had the nous.
15.03.2008 20:48, Post #12
Wrestling Champion (Group: Moderators; Posts: 8251; Joined: 9.03.2007)
The downloaded .exes would not be trusted, because they aren't Flashget files.
--------------------
Kind regards,
Baz (volunteer moderator/beta testing lead -- I don't work for Kaspersky ;))
16.03.2008 04:01, Post #13
Member (Group: Members; Posts: 21; Joined: 13.03.2008; From: Lisbon)
> The downloaded .exes would not be trusted, because they aren't Flashget files.

Sorry to take so long replying. Thanks for that reassurance. So all is now well and I just need to keep an eye on Flashget's website for when they fix the loophole and I can have a download manager again. Thanks again, everyone.
16.03.2008 11:26, Post #14
Global Moderator (Group: Global moderators; Posts: 25915; Joined: 7.04.2005)
> Sorry to take so long replying. Thanks for that reassurance. So all is now well and I just need to keep an eye on Flashget's website for when they fix the loophole and I can have a download manager again. Thanks again, everyone.

Or use another free one like LeechGet or others, but do you actually need one...?
--------------------
16.03.2008 19:59, Post #15
Member (Group: Members; Posts: 21; Joined: 13.03.2008; From: Lisbon)
> Or use another free one like LeechGet or others, but do you actually need one...?

I used to try to listen to BBC7 over the web but got fed up with the scrambling you get when traffic is heavy. Flashget would download almost perfect copies, either overnight or in the early afternoon, that I could listen to whenever. The BBC altered something last year that prevented this from working satisfactorily, so, reluctantly, I have had to give up on that. I have used it once or twice since for HTML downloads, but I suppose you are quite right and it isn't really necessary for that.

I'm having some fun and games now with internet access being repeatedly blocked. No reason is given in any popup, and access returns (albeit briefly) after a reboot. I'll have a trawl around the forum, when I feel up to it, and see if that has happened to anyone else. It's not the first time access has been blocked like this, but now it is being persistent about it! I have, for example, had to reboot while composing this message!