Trojans being installed by uTorrent????


Forester12


OK, I love uTorrent because it is better than all the other ones, but just recently I have been having lots of problems with it.

I have been noticing 3 files popping up a lot, and they only come back onto my PC when I run uTorrent. These files are ndt2.sys, Perfs.exe and indt2.sys .... all located in the windows\system32 dir.

Now I have done my own testing with various spyware scanners and even on my own, and even tried this on a totally clean PC installed from scratch. The PC runs clean for days, reboots great, no problems at all. But within an hour of starting uTorrent, these files appear. One of the tell-tales is that you will hear what sounds like someone clicking on web links coming from your speakers. That is the easiest way. Another thing I noticed is that your files will start randomly being corrupted, and let me tell you, that is a pain to anyone.

So I do hope that the programmers at uTorrent can fix this problem ASAP, and so you know, I did download the installer directly from the uTorrent site.


... no exe downloaded from utorrent.com has spyware or added programs of any kind. If you downloaded the exe from somewhere else, I'm sorry, but you should alert the site and download utorrent.exe only from utorrent.com. Also, I would check your PC again with a better scanner and use Google search for more information on said rootkit. :( Internet worms are a bitch. Can I ask what internet browser you use?


Hey jewelisheaven, I am using Firefox and I did use 3 different scanners on my infected PC, and yes, even one of the scanners did say uTorrent was a Trojan. And like I mentioned in the first post, I did get uTorrent from the main site.

And Firon, I understand that you want to protect uTorrent. I love it also, and that is why I don't understand how this is happening. As I stated in the first post, I did reinstall Windows on a different PC and it ran clean; then I got and installed the new uTorrent and that is when said files appeared on it also.

Just a thought, because I do believe uTorrent is clean, but maybe a hacker/hacking program/hacking torrent is getting through a hole in uTorrent to plant these files??


For simple malware, try an online scan such as the Panda one. If you suspect it's a rootkit, give IceSword a shot too. However, you better know what you're doing, or else I'd recommend you simply backup, format and reinstall Windows as Firon said.

Also, which POS scanner claimed uTorrent was a trojan? Maybe it was one of those fake antispyware programs...


OK, just testing something right now and will let you know the results.

As of this morning's post, my PC has been running clean. I just got home, and it has been connected to the internet all day running my normal stuff. I have just started uTorrent and am going to wait and see. I have only one torrent running right now also.

I was talking to someone else that has experienced a similar problem when using IRC ... he believes it may be people dumping it across uTorrent via a "social function". Are there any functions in uTorrent that would allow this to happen? (Would this DHT network allow for that?) And if so, how would I turn this option off? I will test it again to see if it still happens.

For the record, my main spyware scanner right now, since it picks up these files the fastest, is from http://www.superantispyware.com because they pick up the rootkit too, but I have gone to www.ca.com and used their online detection also, and they gave the same results.

And I have reinstalled Windows already from a total clean install (fdisk the HD, then formatted it, installed and updated Windows (all patches), got and installed only new drivers from the correct sites, installed my programs from their install disks and updated them).

-----

OK, just to give an update, and sorry for the long delay; I had some real work to do tonight on my PC and then got caught up playing an online game with friends. But anyway, here is what I found. First off, like I mentioned, I had only 1 torrent running, and it only had 2 seeders and maybe half a dozen leechers (knew that would take forever), so for testing purposes I went out and grabbed two of the biggest seeding torrents I could find, with about 4k seeders and almost that many leechers. Within 15 minutes, boom, my spyware scanner went off. I cleaned and tested again and it went off again.

And now keep in mind, all day my PC was clean, and even when playing my game there was no problem at all. And I still believe uTorrent is clean too. So now I would like to know, is there a "social function" on uTorrent I can turn off, and does DHT work like a social function? Because if it does, I will try turning that off and see if I still get these trojans.

On the plus side though, my PC hasn't run this fast in ages after I reinstalled from scratch.


No idea what you mean exactly by 'social function', or how it might be used to push trojans via uTorrent. :/ Do you mean this, in which case it's a people problem rather than a uTorrent problem, and something we probably can't help you with here.

My 2 cents? One of those two torrents (maybe both?) had infected files. As a test to convince you, try this: Make sure your system's clean. Make sure uTorrent's running fine (possibly try with a fresh/encapsulated install). Now try a torrent from http://distribution.openoffice.org/p2p/ or http://www.slackware.com/torrents/ and see what happens.

I'll be darned if you get spyware in those torrents. And if your anti-spyware util does flag any of those two as infected, I'd highly recommend you get rid of that crappy program ASAP and get something better.

P.S. DHT (Distributed Hash Table): A distributed tracker that works similarly to a regular tracker in that you announce to it and get back a list of peers that are transferring the same .torrent file as you. Because DHT is distributed, there is no single point of failure, so even if a single node disconnects from DHT, the tracker will continue to work (unlike with normal trackers, where if the server goes down, it becomes unusable). DHT can be thought of as a backup tracker.


ajones81, first off, I love that link you provided for "social functions"; that was a good read and very interesting indeed, and very similar to what I was referring to. Since programs like uTorrent deal with p2p interfacing and data exchange, there was/could be a chat function to send messages and/or other files/links. I know most programs have removed these options due to the transfers of unwanted files, and for the most part, for people, when they install the original program, the option to auto-receive files from people you are already receiving data from was OK.

Also, I already know the OpenOffice link works great and is clean 'cause I use that program, and that is the link I use to get updates or give to friends who want to use it after seeing me use it.

But I think you might have hit the hammer on the nail, or very close to it. First off, so you know, when I do receive these files unknown to me, the torrents are not even done dl'ing. And I don't execute any unzip, exe, etc. They just appear in the system32 dir while still dl'ing. So if it was the files themselves being dl'ed, I wouldn't see them till after they were done and I had opened them.


First of all, Forester12, uTorrent has never had a chat function and, going by the sheer number of times it's been rejected, probably never will. So, there is no way IMO for a social engineering attack to take place with uTorrent. Also, you do realise after reading that link that a social engineering attack would imply that you were the one conned into doing something? If so, again, I don't see how uTorrent can be at fault here.

Finally, you say those files are created in the Windows\System32 dir. while uTorrent's running? If you're not downloading to that very same dir. (I hope not at least!), there're only two ways IMO that something like that could happen:

1) You downloaded some malware and it was executed (by you or someone else, maybe inadvertently) and dropped its payload into the aforementioned dir.

2) You already have malware infecting your PC and it downloads more crap from the net to replace the files you deleted from the aforementioned dir.

Can you download this tool and run a full scan on your system?

In any case, uTorrent installs no trojans, period. What you choose to download with it though, and which suspicious sites you do it from is completely your responsibility. If you want help in cleaning up your computer, check out a site like this.

P.S. You said you've used the OpenOffice torrents before, but nothing regarding whether those files popped up while OO was downloading too in uTorrent?


Well, I am going to admit it and say I was totally wrong, and thank goodness, as I love uTorrent.

After much searching and sniffing I found the problem, and it was just a coincidence that problems would seem to happen when uTorrent was running.

The problem was in the system32 dir and the file is called "routing.exe". Most scanners will not see this file for what it is, but I also have a cut and paste of the last time this bugger will ever run on any of my PCs .... I really hope this will help out a lot of others there. Also, if anyone knows how to report that IP address, please feel free. I have already put it on my bad list.

2008-01-08 19:11:00 SetLastRunTime
2008-01-08 19:11:00 waitsec:30, Start ....
2008-01-08 19:11:30 GetFileServer()...
2008-01-08 19:11:30 g_s_trF_ileS_e@rver:74.54.89.66/jsp
2008-01-08 19:11:30 D_load_ing....:http://74.54.89.66/jsp/2.0/ver.txt
2008-01-08 19:11:31 D_load OK:http://74.54.89.66/jsp/2.0/ver.txt
2008-01-08 19:11:31
ver.txt:
perfmonss.exe=2.0.0.4
wmiprves.exe=2.0.1.101
discover.exe=2.0.0.32
2008-01-08 19:11:32 strR@emotePer_fmons_sVer:2.0.0.4 str_L_ocalP#erf@mo_nss_Ver:2.0.0.4
2008-01-08 19:11:32 strRe#moteWmiprv_esV_er:2.0.1.101 st@rLo_calWmiprve_sVe_r:
2008-01-08 19:11:32 strRem!oteI_E_C_PCVer:2.0.0.32 str@Loca_lI_E_CP_CVer:
2008-01-08 19:11:32 isNeedUpdateForPerfmonss=0 isN_eedUpdateFo_rWmip_rves=-1 isNeedUpdateForI_E_C_P_C=-1
2008-01-08 19:11:32 D_load_ing....:http://74.54.89.66/jsp/2.0/wmiprves.exe
2008-01-08 19:11:33 D_load OK:http://74.54.89.66/jsp/2.0/wmiprves.exe
2008-01-08 19:11:33 D_load_ing....:http://74.54.89.66/jsp/2.0/discover.exe
2008-01-08 19:11:34 D_load OK:http://74.54.89.66/jsp/2.0/discover.exe
2008-01-08 19:11:34 R@un_A_D_C_lient....
2008-01-08 19:11:34 g_strRando@mExeNameAndPathForAD@Client:C:\WINDOWS\system32\ndt2.sys
2008-01-08 19:11:36 R@unA@DC_lient ok!total:19:11:34-19:11:36=2sec,
2008-01-08 19:11:36 strLastDate=,strCurrentDate=20080108 Process completed!
2008-01-08 19:11:36 rtl_r_ver:2007.12.28
2008-01-08 19:43:02 CurrentDate:20080108 LastDate:
2008-01-08 19:43:02 Judge Today is First Do...
2008-01-08 19:43:02 r,sleep(1000*60*30);
2008-01-08 20:15:19 CurrentDate:20080108 LastDate:
2008-01-08 20:15:19 Judge Today is First Do...
2008-01-08 20:15:19 r,sleep(1000*60*30);

If you have Routing.exe, I would suggest stopping it and deleting the file, as well as doing a search for "routing" on your PC and removing its backups. Then do a search for the other files it tried to and possibly did download and remove those, but those ones would probably be detected by most scanning programs. And if you are good, remove the startup command in the registry, but do a "save point" first.

But once again, I am so sorry and apologize for even thinking that uTorrent was involved with or allowing others to pass trojans through.

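As an added example (not from the thread), a small Python triage script that pulls the contact host, the successfully downloaded URLs, the ver.txt version list and the dropped-file path out of a routing.exe-style log like the one quoted above, so the list of files to hunt for on disk comes from the log itself. The sample lines are copied from the poster's log; the regexes are assumptions fitted to that format, not a published signature.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the routing.exe log quoted in the post.
SAMPLE_LOG = """\
2008-01-08 19:11:30 D_load_ing....:http://74.54.89.66/jsp/2.0/ver.txt
2008-01-08 19:11:31 D_load OK:http://74.54.89.66/jsp/2.0/ver.txt
perfmonss.exe=2.0.0.4
wmiprves.exe=2.0.1.101
discover.exe=2.0.0.32
2008-01-08 19:11:33 D_load OK:http://74.54.89.66/jsp/2.0/wmiprves.exe
2008-01-08 19:11:34 D_load OK:http://74.54.89.66/jsp/2.0/discover.exe
2008-01-08 19:11:34 g_strRando@mExeNameAndPathForAD@Client:C:\\WINDOWS\\system32\\ndt2.sys
"""

# Only "D_load OK" lines count: "D_load_ing" is an attempt, not a fetched file.
URL_RE = re.compile(r"D_load OK:(https?://\S+)")
# A Windows path at the end of a line (the randomised drop location).
PATH_RE = re.compile(r":([A-Za-z]:\\[^\s]+)$")
# ver.txt entries: component name = version string.
VER_RE = re.compile(r"^([\w.]+\.exe)=(\d+(?:\.\d+)*)$")


def triage(log: str) -> Dict[str, object]:
    """Extract downloader indicators from a routing.exe-style log."""
    urls: List[str] = []
    dropped: List[str] = []
    versions: Dict[str, str] = {}
    for raw in log.splitlines():
        line = raw.strip()
        if m := URL_RE.search(line):
            urls.append(m.group(1))
        elif m := PATH_RE.search(line):
            dropped.append(m.group(1))
        elif m := VER_RE.match(line):
            versions[m.group(1)] = m.group(2)
    hosts = sorted({u.split("/")[2] for u in urls})
    return {"hosts": hosts, "urls": urls, "dropped": dropped, "versions": versions}


def hunt_list(result: Dict[str, object]) -> List[str]:
    """File names to search for on disk: fetched files, dropped file, ver.txt entries."""
    names = {u.rsplit("/", 1)[-1] for u in result["urls"]}
    names |= {p.rsplit("\\", 1)[-1] for p in result["dropped"]}
    names |= set(result["versions"])
    return sorted(names)


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("contacted:", r["hosts"])
    print("hunt for:", hunt_list(r))
```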

2 years later...

It's been more than 2 years (I've used it for more than 2 years too; it's a great program).

But... today (right now)

I got the same problem as this 2 years ago... (it's a completely different "trojan"....)

It's named:

C:\WINDOWS\system32\ernel32.dll

Trojan horse Generic18.BBXI

What exactly is this?

It pops up every time I open uTorrent...

I even uninstalled and reinstalled... but it still pops up...
