15 August 2007

FileDownloader V1.24 and all versions before - hijacks the web browser UA string!!!

(used by Vanix.Net and others...)

The User Agent string then looks like: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7pre) Gecko/20070815 FileDownloader - Build ID: 2007081504

I first tried to search for a hijacked LSP, WinSock fix etc. to point it out here, but the answer is to be found in a replaced prefs.js file in the Mozilla Firefox profile folder.

Thanks to Mr.x from FileDownloader Net (http://filedownloader.net/)

Users of his program, FileDownloader (fdn.msi, http://filedownloader.net/fdn_download/download.php),
browse the web after installation with a branded web browser
(Firefox, Internet Explorer and others):

String dump from the file FDN.exe, 1.48 MB (1,553,408 bytes):

10CFD0 4D 6F 7A 69 6C 6C 61 5C 46 69 72 65 66 6F 78 5C Mozilla\Firefox\
10CFE0 50 72 6F 66 69 6C 65 73 5C 00 00 00 FF FF FF FF Profiles\...
10CFF0 03 00 00 00 2A 2E 2A 00 FF FF FF FF 08 00 00 00 ....*.*. ....
10D000 70 72 65 66 73 2E 6A 73 00 00 00 00 FF FF FF FF prefs.js....
10D010 28 00 00 00 4D 6F 7A 69 6C 6C 61 20 46 69 72 65 (...Mozilla Fire
10D020 66 6F 78 5C 64 65 66 61 75 6C 74 73 5C 70 72 65 fox\defaults\pre
10D030 66 5C 66 69 72 65 66 6F 78 2E 6A 73 00 00 00 00 f\firefox.js....
10D040 FF FF FF FF 1F 00 00 00 67 65 6E 65 72 61 6C 2E ....general.
10D050 75 73 65 72 61 67 65 6E 74 2E 65 78 74 72 61 2E useragent.extra.
10D060 66 69 72 65 66 6F 78 00 FF FF FF FF 03 00 00 00 firefox. ....
10D070 22 29 3B 00 FF FF FF FF 04 00 00 00 22 2C 20 22 ");. ....", "
10D080 00 00 00 00 FF FF FF FF 0E 00 00 00 46 69 6C 65 .... ....File
10D090 44 6F 77 6E 6C 6F 61 64 65 72 00 00 FF FF FF FF Downloader..
10D0A0 2E 00 00 00 75 73 65 72 5F 70 72 65 66 28 22 67 ....user_pref("g
10D0B0 65 6E 65 72 61 6C 2E 75 73 65 72 61 67 65 6E 74 eneral.useragent
10D0C0 2E 65 78 74 72 61 2E 66 69 72 65 66 6F 78 22 2C .extra.firefox",
10D0D0 20 22 00 00 FF FF FF FF 12 00 00 00 3B 46 69 6C ".. ....;Fil
10D0E0 65 44 6F 77 6E 6C 6F 61 64 65 72 22 29 3B 00 00 eDownloader");..
10D0F0 FF FF FF FF 3F 00 00 00 75 73 65 72 5F 70 72 65 ?...user_pre
10D100 66 28 22 67 65 6E 65 72 61 6C 2E 75 73 65 72 61 f("general.usera
10D110 67 65 6E 74 2E 65 78 74 72 61 2E 66 69 72 65 66 gent.extra.firef
10D120 6F 78 22 2C 20 22 46 69 6C 65 44 6F 77 6E 6C 6F ox", "FileDownlo
10D130 61 64 65 72 22 29 3B 00 55 8B EC 53 56 57 8B F9 ader");.U..SVW..


Result: websites such as web counters, forums and others assume you are a bot. For example, an "enhanced" vBulletin board, as well as other website scripts, shows you a security message as soon as you visit.

Looks like this (the board shows the message in English and German):
Sorry for the inconvenience!
Obviously your access to this site has been suspended by mistake.

By solving the arithmetical problem you can visit this website temporarily.

(2 * 5) × (–1) result: =


Please tell us here to remove the lock restriction:
Complaint Board


Other extensions such as RoboForm will be disabled, and much more!!!

Solution for Mozilla web browsers:

go to the profile folder,
edit prefs.js,
find: user_pref("general.useragent.extra.firefox", "FileDownloader");
delete this line!
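As an added example (not code from the original post and not from FileDownloader), a small Python audit script that does what the manual steps above do by hand: it finds user_pref lines in a prefs.js that alter the User-Agent and returns the file text with them stripped. The profile glob and the sample prefs.js content are constructed assumptions, not taken from a real profile.

```python
import re
from pathlib import Path

# Preferences that change the User-Agent Firefox sends: general.useragent.extra.*
# is the one FDN.exe writes (see the string dump above), general.useragent.override
# is the other common UA tamper. Both are real Firefox pref names of that era.
UA_PREF_PATTERN = re.compile(r'^general\.useragent\.(extra\..+|override)$')

# Matches one  user_pref("name", value);  line as written in prefs.js.
USER_PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')


def find_ua_tampering(prefs_text):
    """Return [(line_no, pref_name, raw_value)] for UA-altering prefs in prefs.js text."""
    hits = []
    for n, line in enumerate(prefs_text.splitlines(), 1):
        m = USER_PREF_RE.match(line)
        if m and UA_PREF_PATTERN.match(m.group(1)):
            hits.append((n, m.group(1), m.group(2)))
    return hits


def strip_ua_tampering(prefs_text):
    """Return the prefs.js text with the UA-altering user_pref lines removed."""
    flagged = {n for n, _, _ in find_ua_tampering(prefs_text)}
    kept = [l for i, l in enumerate(prefs_text.splitlines(), 1) if i not in flagged]
    return "\n".join(kept) + "\n"


def audit_profiles(profiles_root):
    """Scan every <profile>/prefs.js below profiles_root (the Profiles\\*.* path FDN.exe globs).
    Assumed layout; returns {path: hits} for profiles that contain UA tampering."""
    report = {}
    for prefs in Path(profiles_root).glob("*/prefs.js"):
        hits = find_ua_tampering(prefs.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(prefs)] = hits
    return report


# Constructed sample prefs.js with the line this post describes.
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("general.useragent.extra.firefox", "FileDownloader");
user_pref("extensions.lastAppVersion", "2.0.0.6");
'''

if __name__ == "__main__":
    for n, name, value in find_ua_tampering(SAMPLE_PREFS):
        print(f"line {n}: {name} = {value}")
    print(strip_ua_tampering(SAMPLE_PREFS))
```

Back up prefs.js and close Firefox before writing the stripped text back, since Firefox rewrites the file on exit.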

Don't know how it is in IE (which normally uses the Windows Registry for the UA string) and whether Opera is affected by it.
After all, IE forced me to visit this page once on start: http://en.sergiwa.com/modules/mydownloads/singlefile.php?cid=2&lid=6

Extracted installer files in the attachment: fdn.7z (1006.69 KB)
(don't click the file fdn.msi or FDN.exe if you don't want to edit the "new" UA extension in your web browser back to the normal one!!!)


...14h later
After restoring the Mozilla web browser settings I realised that the firewall filter driver had been disabled. Every try to reinstall the firewall failed. The firewall is permanently off in error mode. The legitimate product activation of some applications, including AV subscriptions (ESET, Agnitum, Kaspersky...) and the Windows Genuine product key, is suddenly invalid. Stolen? The OS on that system is unusable after trying to recover, because all backups are infected with it. I can't read binary code beyond the part above, but since 1983 and my very first computer, a Commodore C64, I have never seen an application that can cause such a disaster and destroy Windows unrecoverably.
