Where did CNET go wrong?

Background

Sometime around October 2005 we checked CNET's Download.com listing for Shareaza and discovered that the download link had been changed from SourceForge to a website we had never heard of. Fearing that it pointed at a malicious program, we had the link changed back. Then, sometime in November or December 2005, the link changed again and had to be restored to the correct download location a second time. After that second incident CNET was told to either guarantee that the download location would never point anywhere except SourceForge or to remove Shareaza permanently.

The Present (August 2006)

The link on CNET's Download.com has been changed once again. This time I decided to investigate exactly what that download was. Using innounp I extracted every file contained in the installer, along with the Inno Setup script that places and executes those files. One file is out of place: regchmv.exe, with the following [Files] entry:

Source: "{tmp}\regchmv.exe"; DestDir: "{tmp}"; Flags: uninsneveruninstall deleteafterinstall dontcopy

It's the only file that is sourced from {tmp} and installed to {tmp}, so it stands out immediately: it never reaches the application directory at all. Then look at the flags: uninsneveruninstall, deleteafterinstall and dontcopy. In Inno Setup, dontcopy means the file is not copied during the normal file-copying phase; it exists only to be extracted on demand (ExtractTemporaryFile from the [Code] section) and, presumably, executed from {tmp}. deleteafterinstall removes it as soon as setup finishes, and uninsneveruninstall keeps the uninstaller from ever touching it. A legitimate file rarely needs all three; together they read as "drop, run, destroy the evidence". So regchmv.exe is our culprit. But what is it?
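The triage above (find the entry that lives entirely in {tmp} and carries the self-destruct flags) is easy to automate across a whole innounp dump. The following is an added example written for this page, not code from the Shareaza project, CNET or the original post: a small Python parser for the [Files] section of an extracted Inno Setup script that flags entries sourced from and installed to {tmp}, or carrying two or more of the three flags discussed. SAMPLE_SCRIPT is constructed; only the regchmv.exe entry is the real one quoted above.

```python
"""Flag suspicious [Files] entries in an Inno Setup script dumped by innounp.

Added example, not code from the Shareaza project or the original post.
SAMPLE_SCRIPT is constructed; only the regchmv.exe entry is the real one
quoted in the write-up.
"""
import re

# Flags that, taken together, describe "drop a payload, run it, hide it".
SELF_DESTRUCT_FLAGS = {"dontcopy", "deleteafterinstall", "uninsneveruninstall"}

# One "Key: value" parameter; Inno quotes values that contain spaces or ';'.
PARAM_RE = re.compile(r'(\w+)\s*:\s*(?:"([^"]*)"|([^;]*))')

# Constructed sample script: two ordinary entries and the hijacker's dropper.
SAMPLE_SCRIPT = r'''
[Setup]
AppName=Shareaza

[Files]
Source: "Shareaza.exe"; DestDir: "{app}"; Flags: ignoreversion
Source: "Skins\*"; DestDir: "{app}\Skins"; Flags: recursesubdirs
Source: "{tmp}\regchmv.exe"; DestDir: "{tmp}"; Flags: uninsneveruninstall deleteafterinstall dontcopy

[Run]
Filename: "{app}\Shareaza.exe"; Flags: postinstall nowait
'''


def parse_entry(line):
    """Turn one [Files] line into {'source', 'destdir', 'flags'}."""
    params = {}
    for m in PARAM_RE.finditer(line):
        key = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3).strip()
        params[key] = value
    return {
        "source": params.get("source", ""),
        "destdir": params.get("destdir", ""),
        "flags": set(params.get("flags", "").lower().split()),
    }


def files_section(script):
    """Yield parsed entries from the [Files] section only, skipping comments."""
    in_files = False
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_files = line.lower() == "[files]"
            continue
        if in_files and line and not line.startswith(";"):
            yield parse_entry(line)


def suspicious_entries(script):
    """Return [(source, [reasons])] for entries that deserve a closer look."""
    findings = []
    for entry in files_section(script):
        reasons = []
        src, dst = entry["source"].lower(), entry["destdir"].lower()
        if src.startswith("{tmp}") and dst.startswith("{tmp}"):
            reasons.append("sourced from and installed to {tmp}: never reaches {app}")
        hits = entry["flags"] & SELF_DESTRUCT_FLAGS
        if len(hits) >= 2:
            reasons.append("self-destruct flags: " + " ".join(sorted(hits)))
        if reasons:
            findings.append((entry["source"], reasons))
    return findings


if __name__ == "__main__":
    for source, reasons in suspicious_entries(SAMPLE_SCRIPT):
        print(source)
        for reason in reasons:
            print("  -", reason)
```

Run it against the install_script.iss that innounp writes out and the dropper line is the only one reported; the two ordinary entries in the sample pass because they install under {app} and carry none of the three flags.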

regchmv.exe

A Google search returns only one hit for "regchmv.exe", and that points to SiteAdvisor. But that record is from the previous times the link was changed. It's interesting to note that SiteAdvisor found only the Windows Prefetch residue, presumably because regchmv.exe itself had already been destroyed by the deleteafterinstall flag above. So it appears the same person has changed the link at least twice, using two different servers.

Further investigation showed that regchmv.exe is itself an NSIS installer, so I used 7-Zip to extract its contents. It copies FindProcDLL.dll to $PLUGINSDIR, 3029instlog.log to $TEMP and vgraph.dll to $WINDIR. FindProcDLL.dll is an NSIS plugin used to find a running process by name, presumably so the dropper can check whether a browser or security tool is running. 3029instlog.log contains only the cryptic string "2005/////i////iii//". vgraph.dll is the actual malware we were looking for: it hooks into Internet Explorer as a Browser Helper Object (BHO). Exactly what it does I'm not sure, but many anti-spyware programs have signatures for it.
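The second stage was only found because someone looked at regchmv.exe by hand and recognised it as another installer. That recognition is a string match, and a review pipeline can do it over every file pulled out of a submitted installer. The following is an added example written for this page, not code from the Shareaza project, CNET or the original post: it tags extracted files by the NSIS and Inno Setup header markers (the 0xDEADBEEF + NullsoftInst tag at the start of an NSIS first header, and the "Inno Setup Setup Data" version string in an Inno Setup payload) and lists the ones that need to be unpacked in turn. The byte blobs are constructed stand-ins, not the real regchmv.exe or vgraph.dll.

```python
"""Spot installers nested inside files pulled out of another installer.

Added example for the regchmv.exe discussion; not code from the Shareaza
project or the original post. SAMPLE_BLOBS are constructed stand-ins, not
the real files.
"""
import os

# Byte markers carried by the two installer formats involved here.
# NSIS: the first header starts with 0xDEADBEEF (little-endian on disk)
# followed by the ASCII tag NullsoftInst.  Inno Setup: the setup-data
# header begins with a version string "Inno Setup Setup Data (x.y.z)".
SIGNATURES = {
    "nsis": b"\xEF\xBE\xAD\xDENullsoftInst",
    "inno": b"Inno Setup Setup Data",
}


def classify_blob(data):
    """Return a sorted list of tags describing what `data` looks like."""
    tags = []
    if data[:2] == b"MZ":
        tags.append("pe")
    for name, sig in SIGNATURES.items():
        if sig in data:
            tags.append(name)
    return sorted(tags)


def nested_installers(blobs):
    """Given {filename: bytes}, return the names that are themselves installers.

    Anything tagged nsis or inno is a second stage: its own payload has to be
    unpacked and inspected before the parent installer passes review.
    """
    return sorted(name for name, data in blobs.items()
                  if set(classify_blob(data)) & set(SIGNATURES))


def scan_directory(path):
    """Walk an innounp/7-Zip output tree and apply nested_installers to it."""
    blobs = {}
    for root, _dirs, files in os.walk(path):
        for fn in files:
            full = os.path.join(root, fn)
            with open(full, "rb") as fh:
                blobs[full] = fh.read()
    return nested_installers(blobs)


# Constructed stand-ins for the files extracted from the hijacked installer.
SAMPLE_BLOBS = {
    "Shareaza.exe": b"MZ" + b"\x00" * 64 + b"ordinary application code",
    "regchmv.exe": b"MZ" + b"\x00" * 64 + SIGNATURES["nsis"] + b"\x00" * 16,
    "vgraph.dll": b"MZ" + b"\x00" * 64 + b"BHO payload, no installer marker",
    "3029instlog.log": b"2005/////i////iii//",
}


if __name__ == "__main__":
    for name in nested_installers(SAMPLE_BLOBS):
        print("nested installer, unpack and rescan:", name)
```

Point scan_directory at the directory innounp produced and rerun it on whatever 7-Zip pulls out of each hit until nothing new turns up; a scanner that stops at the outer installer, as whatever CNET ran evidently did, never sees vgraph.dll at all.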

Back to CNET

According to CNET's policy (Adware, Spyware, and Practices That Thwart User Control), software is not accepted on Download.com if it contains "components, such as spyware and adware, that might interfere with a user's control and privacy". They link to a page explaining how they test for such software, and claim to use at least five different programs to identify it, yet none of them caught this one. Is an installer bundled inside another installer, with the inner one deleting itself after it runs, too much for these scanners to handle? Did CNET even scan the file before allowing the link to be changed? And why did CNET allow the link to be changed from SourceForge in the first place?

Conclusion

If you have a listing on Download.com, I recommend watching it very closely to make sure nobody changes it to point to a location of their choosing, potentially infecting your users and customers with malware, tainting your reputation and leaving you to clean up the mess.