Trojan Deletes Your Porn, Music & Warez

E. Vigilant writes "The new Trojan/Erazor-A has an interesting twist. In addition to deleting or disabling various security products and competing malware, it deletes any porn, warez and music in your P2P directories. While some opine that this trojan might have good intentions, remarkably few things infect the text files this trojan also deletes. No one yet knows who wrote this or why."

Altruism? I have my doubts...

[TripMaster Monkey]

From TFA:

The assumption is that because the Trojan is only deleting certain file types in specific download directories used by P2P programs -- one of the main sources of inadvertent malware infection -- it is attempting to protect those it manages to infect.

Well, that's a remarkably stupid assumption.

What's more likely?

1. The Trojan was designed to protect users from malware by deleting contents of P2P directories,
     - or -
   
2. The Trojan was designed to strike a blow against P2P file sharers deleting contents of P2P directories.
   

Let's analyze who benefits from each scenario:

1. No one benefits, since the 'benefits' of having files that might be infected with malware deleted is more than offset by the security problems introduced by the deactivation of antivirus software, as well as the inadvertent deletion of many innocent files. Also, the Trojan writer, (in this scenario, a "Robin Hood" type character), receives no benefit other than a warm fuzzy feeling.
   
   
2. RIAA, MPAA, and various software companies all realize tangible financial benefits as illegal file sharing is dealt a serious blow. Also, the Trojan writer, (in this scenario, a mercenary for hire) takes home a nice fat paycheck for a job well done.
   

I pick avarice over sloppily executed altruism any day. I find it intriguing that this alternate explanation apparently didn't even occur to PC World.

Slashspin

[eldavojohn]

First off, this article is pure bullshit spin. They mention several points about a virus and the whole time they attempt to spin it the reader as a "good intentions" virus--even comparing it to Charles Bronson. The Slashdot title reads "Trojan Deletes Your Porn, Music & Warez" but it doesnt, if you RTFA:

The Windows Trojan/Erazer-A Trojan looks at default folders for downloading MP3, AVI, MPEG, WMV, Gif, Zip graphic and video files, and wipes anything it finds with these extensions in the target locations.

Gosh, I have plenty of MP3, AVI, MPEG, WMV, Gif, Zip graphic and video files ... that aren't porn, illegal music & warez.

What they fail to mention is that people who use P2P networks often want those files that they've collected. So this virus is destroying something they want.

I mean, who installs eMule or Bit Torrent and then wishes that one day someone would come and save them from the files they've downloaded? The very idea is ludicrous.

I use Bit Torrent. If a virus were to come and delete everything I've gotten from it (trailors, WoW patches, an odd assortment of legal videos and mp3s, etc), I don't know about you, but I would be right pissed. This isn't protection and it doesn't seem to discriminate from virile files and good files so it's pure and utter destruction.

The only thing "beneficial" is seen from the eyes of the RIAA or MPAA.

"I don't think this was written with good intentions because it attempts to turn off security," said Cluley. There would be nothing more dangerous than for people to become accustomed to the idea of "beneficial malware" because that might create a false sense of security.

You "don't think" this was written with good intentions? A virus comes onto your machine, disables security & starts to delete files in directories with a certain naming convention. What more to do you need to say, "holy hell, I've got a freaking virus!"?

Finally!

[Whiney Mac Fanboy]

*Applauds*

Finally a threat that will make the average joe start to take computer security seriously! I look forward to a safe internet for everyone (I mean as soon as a few botnet node owner's loose their porn, peole will actually clean up their boxes!)

On a more serious note, quoting the pcworld article:

The Windows Trojan/Erazer-A Trojan looks at default folders for downloading MP3, AVI, MPEG, WMV, Gif, Zip graphic and video files, and wipes anything it finds with these extensions in the target locations.

The assumption is that because the Trojan is only deleting certain file types in specific download directories used by P2P programs -- one of the main sources of inadvertent malware infection -- it is attempting to protect those it manages to infect. [emph mine]

WTF? How could anyone think that it's to attempt to protect users when it doesn't delete executables from p2p folders? (for an interesting overview of real "white hat worms" see this vnunet article [vnunet.com] and the slashdot discussion on the blaster removal worm) [slashdot.org]

This worm is clearly to scare people away from p2p - not protect them from other p2p malware.

What's the bet that one of [riaa.com] the companies [mpaa.org] that make oodles of money [apple.com] from content [bpi.co.uk] are behind this?

Re:Altruism? I have my doubts...

[Joebert]

What about the third scenario ?

3) Virus writers stage this to make it look like the RIAA, MPAA, ect, are "pulling a Sony" in an attempt to pull a classic "Throw a rock at the bee hive the ranger is standing next to so BooBoo can grab the pic-a-nic basket".

+1 you insensitive clod

[Anonymous Coward]

Christian virus? Why not call it a right-wing virus, a "family friendly" virus, a RIAA/DMCA virus, a "muslim" virus, a "white hat" virus, or a whole slew of other groups that might find illegal software, illegal music, or pornography offensive?

Or could it just be someone writing a trojan who wants to hit his own particular enemies, or buddies, where it hurts?

At least think before you post, you insensitive clod of a troll. :P

Re:Altruism? I have my doubts...

[WidescreenFreak]

I agree with you very infrequently, but this is one of those infrequent times. Either someone who is good at coding is on a major "hoiler-than-thou", ethics spree or this is the result of a bigger source hiring this person. I completely agree with you on the latter.

But on the other hand, this is not necessarily a bad thing for the rest of us. Most of the people who would be come infected by this - and consequently lose all of their P2P data - are probably Joe User types who don't know any better. So, this might -- I stress might -- actually be a benefit in even minimal ways:

• Fewer people for the RIAA to sue because their files got wiped out (then again, I like seeing them demonize themselves)
• Fewer excuses to claim that P2P is taking away oh-so-much estimated revenue (see above statement about self-demonizing)
• Likelihood of poisoned files getting wiped out also
• Those who get smacked with it might actually learn something about this trivial thing called a "virus scanner"

I list the above points with a bit of sarcasm, of course, because I doubt that this will really have any impact on the above. But I don't doubt that the last item will come into play very often, which could actually be better for the rest of us overall.

Ain't the first trojan to act like this

[Opportunist]

The only "real" news is that it deletes the content of P2P folders (ok, not really "new" either but at least far from usual).

That a trojan kills other trojans is hardly news. About a year ago two groups actually led a battle where one group tried to stab the other group's trojans (and vice versa) with their updates. Some trojans also use the names other trojans use to ensure those trojans can't install after they're already in. Makes detecting them correctly (i.e. as a different beast, not a new version) not really easier.

Almost every trojan today has some anti-anti-trojan functions. Killing Kaspersky, McAfee and Norton AV is more or less a standard feature of most current Trojans, so I wouldn't really call that news either.

The only outstanding feature that's hardly common is the deletion of incoming P2P objects. Which makes one wonder who ... well, cui bono?

Translation please..

[JamesTRexx]

remarkably few things infect the text files this trojan also deletes.

Ehmm... What?

Re:Altruism? I have my doubts...

[casings]

Yea, like the RIAA and the MPAA are going to release a virus on the public, which could cost them billions, look how well that turned out for Sony...

In actuality it was probably just some stupid kid who, and probably rightfully so, thought the only thing of any value to anyone on their computers are either text files, or have downloaded from some p2p or similar site.

Honestly if you were looking to cause the most damage to anyones computer, it would be to strike at their heart, their downloaded music.

Avarice

[Mark_MF-WN]

Avarice isn't too bad a theory, but I have trouble believing that the RIAA/MPAA could be so dumb. Sony is still in hot water over a badly designed piece of supposedly legitimate software. This is the kind of thing that could land people in JAIL. Suppose the virus gets onto a government computer and erases some legitimate files? What about a military computer? The US military has demonstratibly poor computer security. This could cause them huge problems if it got loose.

My theory is that this was made by someone who WANTS people to think that the RIAA made it, so that even more people will turn against them and take some heat off of P2P.

Re:Altruism? I have my doubts...

[Bogtha]

The first thing I thought was that it was well intentioned - in the long run.

The general public have demonstrated time and time again that they really don't care about security. They'll put up with their computer slowing down and crashing, they'll put up with random popup ads, they'll put up with their computer being used to spam people...

...but take away their porn and music? The virus seems to be designed to piss the computer user off as much as possible without actually causing any real damage or impairing the computer's operation. It seems to me that the virus writer did it to get people to take notice of viruses in future.

Removing virus vectors doesn't solve the problem in the long run. Ultimately, only education will do that. This is a form of education, a lesson that will actually sink in.

Re:Avarice

[Anonymous Coward]

I can't believe that you can't believe that they are so dumb!

Sony is still in hot water over a badly designed piece of supposedly legitimate software.

What hot water? They installed ROOTKITS on their music CDs, not "a badly designed piece of software." The software was well designed, it did exactly what Sony wanted it to. The rootkit was blatantly illegal, breaking several felony laws. You might want to see what happens to an American citizen who installs rootkits. [theregister.co.uk]

I don't see any Sony executives in prison for this, do you? I don't see any big fines or any criminal prosecution whatever.

Had some Sony execs gone to the slammer, or had Sony been forced into Chapter 13 I'd agree with you. But the Sony fiasco showed the **AA that they can do any damned thing they want, no matter how destructive or illegal, and not get in any trouble whatever.

No, this was either the RIAA, the MPAA, or more likely one of their members. My money says Sony is the criminal organization that did this. The rootkit fiasco showed that they are not above breaking the law, destroying private property, or shitting on their customers.

-mcgrew

Re:Finally!

[Mayhem178]

We can change that. All we need to do is modify this virus to delete *.doc, *.xls, and everything in the My Documents folder. Also, it should hijack IE, set his/her clock to January 1, 1900 (Y2K, anyone?), replace his/her desktop wallpaper with Goatse, and delete every link off his/her desktop and start menu.

That should hit Average Joe User hard enough to make them feel like they got raped by a train.

Re:Add option #4

[grub]

Hmmm... would the various anti-virus companies do something like this to advertise the need for their products on people who lose gigs and gigs of files to a trojan?

I was thinking the same thing, however, the bug actively kills a lot of AV processes. Advertising "Our Version X was killed by that bug, but Version Y is unbreakable!" doesn't instill confidence in the user.

Re:Avarice

[tbone1]

I have trouble believing that the RIAA/MPAA could be so dumb.

I don't. I've seen how dumb large organizations can be.

Re:Altruism? I have my doubts...

[mgblst]

look how well that turned out for Sony...
 
So what exactly happened to Sony - some bad press, that I only saw on the tv news once. Has anybody stopped buying sony gear? Has their share price dropped? Are they in court? No, no, no... so nothing has actually happened to Sony over this. Sure, we may hate them here and a few over places on the net, but most people don't care enough. I hated them before because of Atrac and their crappy software.

Re:Add option #4

[Chelloveck]

Even simpler:

4) Write a trojan to wipe out what people apparently consider to be important just because the trojan writer is a prick.

I can only conclude that people at PC World ain't

[SmallFurryCreature]

I can only conclude that people at PC World ain't got a clue about PC's. Since when can .avi .mp3 etc etc contain virusses or malware?

If it only deleted .exe .bat .com etc etc then I could understand the logic BUT deleting media files does not protect anyone.

They almost touch on the simplest explenation. Vigilante. Believe it or not but there are some individuals who feel they have a need to stop others from downloading via p2p.

They would be intrested in deleting any media files you downloaded via p2p. They would not be protecting you but making your (in their eyes illegal) activity worthless. So that explains why they delete harmless files.

It also explains why they try to disable security programs, yet another punishment. That way you are far more at risk from using P2P by being infected. The logic being that pirates do not deserve to be safe.

Vigilante seeking to punish p2p users. Not the RIAA and not some guardian angel. The RIAA would have to have some extremly bad lawyers to have allowed this and a guardian angel would only destroy files wich put you at risk and not disable security software.

Vigilantes have done stuff like this before. It falls in the same field as those "jezus loves you" posts in porn usenet groups. Or so I been told. Not that I would know anything about that offcourse.

Re:Altruism? I have my doubts...

[d!rtyboy]

The general public have demonstrated time and time again that they really don't care about security. They'll put up with their computer slowing down and crashing, they'll put up with random popup ads, they'll put up with their computer being used to spam people...

That is so true. I can't count the amount of people I've met that have weatherbug or whatever on their computer and I explain to them that it has spyware, then I remove it and the spyware. Then a day or so later, they're like, "WTF? You deleted weatherbug" and I find they've reinstalled it. People just don't care, and I don't expect to ever understand why.

Re:Altruism? I have my doubts...

[Zephyros]

...without actually causing any real damage or impairing the computer's operation.

Um, maybe it's just me, but I'd call disabling antivirus impairing the computer's operation. Yeah, sure, it's not installing a spam zombie client, but it is unlocking the door for someone who will...

Re:Finally!

[ajs318]

No. Your "Average Joe User", confronted with that scenario, will simply throw away his old, broken computer, go out and buy a new one, and then start filling that up with crap. And when that is thoroughly full of crap too, and slowing down and going to the wrong web site and crashing and files are going missing ..... rinse and repeat. Because going wrong is just something that computers do.

Mind you, smart skip-divers probably will benefit from this.

Re:Altruism? I have my doubts...

[Jeremi]

Then a day or so later, they're like, "WTF? You deleted weatherbug" and I find they've
reinstalled it. People just don't care, and I don't expect to ever understand why

People assume that anything that happens on their computer is visible in the GUI. Therefore if weatherbug doesn't pop up a requester saying "I'm spying on you now, please type something interesting", naive people will assume it's not doing that.

I suspect this misapprehension will change only through hard experience.

Re:Add option #4

[collectivescott]

That's a cute arguement, but you're missing the point. With file sharing, the record companies aren't deprived of anything when you download a song (discounting theoretical future sales). However, if someone deletes files off of your computer, you are deprived of your music. If someone broke into your computer and deleted your graduate thesis, I'd bet you'd consider that a crime. Probably vandalism rather than theft, but still a crime. The key point here is deprivation.

Re:Add option #4

[Kadin2048]

Huh? That doesn't make any sense, even in the way you're trying to use it.

If I copy your file, you have a copy, I have a copy. Nobody has lost anything. Therefore, it can't possibly be called stealing by most people's definitions.

If I copy your file and then delete the original, then I have it and you don't, that I think we can all agree, is stealing. Likewise, if it's on physical media which only one of us can possess at a time, and I take the physical media, then it's also stealing.

If I delete something without taking a copy, then it's not stealing, it's just vandalism or destruction of your stuff.

You are mis-stating the argument you're trying to make fun of (the "it's not physical so therefore not stealing") and so your parody falls flat. The fact that data isn't physical isn't the important part, it's the fact that nobody loses their copy in a typical "pirate" transaction. That's what differentiates it from "theft" in the minds of many people.

Personally, I think that unauthorized copying is not theft, but might meet the qualifications for wrongful conversion of property, if you take a wide enough definition of 'property.' (So as not to limit it to real property and chattels, but include the value of data as well.) See this page [lectlaw.com]. Normally it applies only to physical goods. At any rate, there are existing sections of law which are more appropriately applied to the reduction-in-value that occurs when data is unlawfully copied than theft and larceny.

Re:Altruism? I have my doubts...

[Politburo]

Weatherbug is what I call "functional spyware" in that it does provide a real function in addition to it's spying functions. Most spyware now fits this profile, but the original spyware, Gator, did not.

When removing functional spyware you must attempt to provide a replacement application that can do the same function. The user in your scenario can't be bothered to go to a website to get the weather, so you might want to try finding another weather tray tool. I don't know of any off the top of my head but there have to be several out there.

Furthermore, Weatherbug is a special case as they've managed to grow into a legitimate brand. The weather promo here on ABC in DC is the "Weatherbug Network". For the average user, something like that really legitimizes the software, whether it's deserved or not.

People just don't care, and I don't expect to ever understand why.

It doesn't sound like you're trying to understand. From what I can tell (2 mins on google), Weatherbug modified their program and it is no longer spyware.

Re:Avarice

[Esteban]

I have trouble believing that the RIAA/MPAA could be so dumb.
I don't. I've seen how dumb large organizations can be.

I worked for one of RIAA's lawfirms, handling antipiracy stuff in the late '90s, and while I wouldn't say they're dumb, by any stretch, they weren't very subtle, and they weren't very concerned with potential negative press. At least inside the office, there was a feeling of "we're defending the artists!" The concern seemed to be that people pirating music just didn't realize what they were doing. This view is still recognizable in those pre-movie spots the moral of which seems to be "Copying or downloading is stealing."

Re:Add option #4

[tbannist]

Most viruses/worms/trojans now exist to build a bot net for nefarious purposes. Assuming the analysis of this virus is correct and that it does not install a rootkit and/or bot the machine, then either the virus writer has a different motive for making the virus.

Now given all the scenarios suggested the most least unlikely alternative is that the person who wrote the virus is a jerk who simply seeks to destroy the files that other people spent time downloading. This type of asshat behaviour is certainly not uncommon or unexpected among the expected demographic of the virus writer, ie. young males with too much time on their hands.

Given that this was previously a common reason for releasing damaging viruses in the past, the current wave of professional viruses does not preclude the occasional amateur releasing his own claim to infamy.

To me, this appears to be the assumption that requires the least additional supposition.
It's not necessarily correct, but seems like the most plausible explanation, barring additional information.

Re:Add option #5

[wheany]

Of course he meant they're, he meant to use the possessive form. Possessive forms have apostrophes. Duh!