Beware of the .scr files
-
This has happened to me like 5 times already: someone is uploading torrents that look like genuine uploads, with file names, pictures, and file size-wise, but if you pay attention you will realize that the file extension is .scr, which corresponds to Windows screen saver. These are obviously contaminated. I suggest everyone pay attention to file extensions before opening the downloaded files and installing Eset Nod32; while the previous antiviruses I used failed to detect the malware, Eset deleted the file as soon as the download was finished.
Also, I'm wondering what actions are being taken by staff when something like this is spotted. These fake uploads just keep popping up. Do you straight ban the user? Would it be possible to block .scr files from being uploaded and resolve this completely?
Below you can find scan logs from two torrents I came across.
Object;Detection;Action;Information;Hash;First seen here
G:\Vuze Downloads\Macho Factory - Caballeros X - Andy Onassis, Xavi Garcia, Joe Gillis, Leo Grin.scr.az!;a variant of Win32/Packed.Themida.HJS trojan;deleted;Event occurred on a file modified by the application: C:\Program Files\Vuze\Azureus.exe (C3D1B2E54AF7FD9A13C4CF5A96FA2750AE10ED79).;E0E27A9DCF774A62BEE380D94031BCF8DEA8DFAC;
G:\Vuze Downloads\Macho Factory - Caballeros X - Andy Onassis, Xavi Garcia, Joe Gillis, Leo Grin.scr.az! » MPRESS;a variant of Win32/Packed.Themida.HJS trojan;deleted;;D25E338B4786E2702819DED4941557F81F73D964;
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
5/21/2020 1:21:18 AM;Real-time file system protection;file;G:\Vuze Downloads\The Gay Office - Bus Stop Flirting - Phenix Saint and Tommy Defendi.scr;a variant of Win32/GenKryptik.EKXD trojan;cleaned by deleting;Event occurred on a file modified by the application: C:\Program Files\Vuze\Azureus.exe (C3D1B2E54AF7FD9A13C4CF5A96FA2750AE10ED79).;C4D7B97EE30A07FB074981F0CF7E5D008BF72180;5/21/2020 1:20:50 AM
-
Members need to report things like this using the torrent's REPORT button.
-
Any upload that contains an SCR, ISO, WMV, EXE, COM, BAT, MSI, RAR, or ZIP file should have a warning put on it. All of them can hide malicious malware inside of them. Nobody even uses screen savers anymore, so there is no good reason for SCR files to exist. Anybody posting an SCR file should have all their previous uploads "examined".
-
Unfortunately, .scr also stands for a Windows script file–meaning it's essentially an executable file (like .exe) but it will bypass most anti-virus checks or even a dialog box asking "Do you really want to run this file?" They are super-dangerous and downright malicious. People who upload these should be permanently banned from the site.
In an ideal world, the gt.ru software would block any torrent containing such files--but I can imagine that putting in a patch like that would be time-consuming and risky. Software is often like a house of cards: Fixing one piece of it can have disastrous results on the rest.
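An upload-time check of the kind the thread asks for, as an added example (not the site's code or any poster's): it decodes a .torrent's bencoded metainfo and returns the listed files whose final extension is on the warning list given in the thread. The function names and the sample torrent are constructed for illustration.

```python
import os

# Extensions the thread asks to warn on; .scr is the one in the posted scan logs.
RISKY = {".scr", ".iso", ".wmv", ".exe", ".com", ".bat", ".msi", ".rar", ".zip"}

def bdecode(data, i=0):
    """Decode one bencoded value at data[i]; return (value, next_index)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list l...e / dict d...e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":                # truncated input raises below
            v, i = bdecode(data, i)
            items.append(v)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    raise ValueError(f"bad bencode at offset {i}")

def listed_paths(torrent_bytes):
    """Every file path declared in the metainfo (single- or multi-file torrent)."""
    meta, _ = bdecode(torrent_bytes)
    info = meta[b"info"]
    name = info[b"name"].decode("utf-8", "replace")
    if b"files" not in info:
        return [name]
    return ["/".join([name] + [p.decode("utf-8", "replace") for p in f[b"path"]])
            for f in info[b"files"]]

def risky_files(torrent_bytes):
    """Listed paths whose final extension is in RISKY, compared case-insensitively."""
    # Windows drops trailing dots and spaces from names, so strip them first.
    return [p for p in listed_paths(torrent_bytes)
            if os.path.splitext(p.rstrip(". "))[1].lower() in RISKY]

def bstr(b):  # bencode one byte string; used only to build the constructed sample
    return str(len(b)).encode() + b":" + b

# Constructed sample: a two-file torrent, one file given a media-looking name.
SAMPLE = (b"d" + bstr(b"info") + b"d" + bstr(b"files") + b"l"
          + b"d" + bstr(b"length") + b"i1000e" + bstr(b"path") + b"l" + bstr(b"Some Clip.mp4.SCR") + b"ee"
          + b"d" + bstr(b"length") + b"i20e" + bstr(b"path") + b"l" + bstr(b"info.txt") + b"ee"
          + b"e" + bstr(b"name") + bstr(b"Some Clip") + b"ee")
```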