
=====================================================================
Booby-Trapped Shareware
=====================================================================
last update: 22 Feb 2000

If the possible threat of being hit by a virus, with effects ranging from funny messages to total system meltdown, isn't enough, there is a new threat on the horizon, or maybe not so new. History has shown that various authors have booby-trapped their software, sometimes to the point of corrupting data files, corrupting system files, or deleting files and directories from your computer. This is a worst case scenario and the resulting effects vary greatly.

The following information is a list of software titles with the reported traps hidden within. This document is not intended to promote paranoia but to alert, educate and inform users about possible problems, and you might find some handy tips and other bits of info along the way.

====================================================================
- (*) Indicates new or updated info.

- AcdSystems - (ACDSee, Pica View)
  As of ACDSee v3.0 & PicaView v1.32 the registration system has changed. They now have separate demo and retail versions. You can no longer enter a serial into the trial versions, they need to be patched. You can however enter a serial in the new retail versions of the progs.
  After all the hype, ACDSee DOES NOT phone home. It includes a new updates checking feature which obviously does require net access.
  Also the recent virus warning about ijl10.dll is false, due to a problem with The Cleaner. Grab the latest version to fix it.
  Launching an image file from agent results in a new acdsee window each time, it is a bug in acdsee.

- AddWeb
  Uses server authentication to confirm the user's registration. The second time you use it, you will get a lovely message about using illegal software and that your IP address was recorded.

- Advanced Administrative Tools
  Uses server authentication to confirm the user's registration.

- Advanced Zip Password Recovery (AZPR)
  Will only accept a valid key, uses a blacklist for pirate keys; if one is detected it wastes CPU cycles without giving a solution.
- Advanced Disk Catalog (ADC)
  Will only accept a valid key, uses a blacklist for pirate keys; if one is detected it slowly corrupts its databases. Earlier versions had anti-SoftICE code in them, though the author later removed this.

  The author of AZPR & ADC uses very strong encryption to protect his code, it won't ever be properly cracked. A lot of releases of these are not 100%, however one group has released v1.30 with a working valid serial#.

- AI Picture Utility
  From a recent Core release - blacklist for pirate serials, various hidden checks in each version release.

- AntiViral Toolkit Pro (AVP)
  Bogus CRACKER.* trojan messages about many files, reported to falsely detect cracks and keygens as virii and corrupt them; this may only happen if you try to 'clean' the infected files.

- Archiver Shell
  v6.3, as reported in a recent CORE release, causes system problems if a blacklisted name/serial is used.

- Audio Grabber
  Phones home with author's server, invalidates itself when you go online. Might screw up your mouse buttons too. This checking may only be connected to the CDDB feature.
  Search your C Drive for a file 'SLICKS.CNT' and delete it. Repeat if it invalidates itself again.
  Try another prog from http://www.cddb.com to perform cddb queries.
  Also try blocking the connection with a good firewall, Conseal or @guard.

- (*) Aureate
  Is a company that places ads in demo shareware,
  http://www.aureate.com/devs-n-pubs/network_members.html
  Another part of this facility is also to track and report your browsing patterns. Try blocking port 1975 to stop the reporting.
  Most likely on C drive, look for a folder called amcdl, also look for filenames - htmdeng.exe, advert.dll, amcis.dll, amcis2.dll, ipcclient.dll, msipcsv.exe, xx2gr.dll (from GetRight). You may have any combination of these files.
  There may also be some keys in the registry under
  \HKEY_CLASSES_ROOT\Software\Aureate\
  \HKEY_LOCAL_MACHINE\Software\CLASSES\Aureate\
  You may have any or all of the files and registry entries listed above, it all depends on the software (demo or full version) you've installed that uses this stuff.
  Try moving the files to another place to disable them, but some progs may require them to operate, so do some testing before deleting them.

- Bali Tools 2000
  A Zor reader reports that this phones home.

- Black Widow
  Was a while ago now, a few got hit by 'something', denied by authors, the particular version was pulled very quickly, has been reported to communicate with the author's server, also claimed to look for commonly pirated programs.

- BlackIce Defender
  (from FOSI) - using the update check seems to cause program to GPF, making it unusable after this.
  The authors are blacklisting a lot of serials, so if you try to download and update from their webpage and it won't let you, that's why.
  Recently a 'snitch' url was discovered, this is part of an upcoming feature of the prog and seems not to be to 'phone home'.
  v1.9.6 seems to have cleared up all the problems and confusion.

- BSI Wavestation
  Later versions after v2.71X would do severe system damage if it detected use of that keymaker:
  1) Overwrites win.ini, system.ini, user.dat, and system.dat.
  2) Overwrites user.da0 and system.da0 (registry backup files).
  This will render your system unbootable, and within seconds of doing this you will get a registry error message, prompting you to reboot. At that point it is too late.
  Incredibly, all those system files are backed up by the program (with different names, in the program directory) after it does this, so if you keep cool you can still restore your system.
  The ONLY version to consider safe is v2.71X. It has been disassembled and verified that no trojan horse code exists in it.

- Bulletproof FTP
  Uses server authentication to confirm the user's registration, opens your browser to a 'gotcha' page if invalid. Repeatedly new serials are released for new versions; frankly don't bother, most if not all shared serials are cancelled by the author when they are eventually discovered.
  The last version that seems very stable is v1.15.

- CD Wizard
  If you put the serial in wrong it might pop a warning saying 'We have detected a virus attached to your copy of CD Wizzard' or similar.

- CdrWin
  Possibly the ONLY crack to trust is the one by 'GrandFather'. The Radium 3.7c release is another verified good version.
  At one point filled the hd with junk, another time deleted system files, ongoing double checking of the serial and if it fails burns coasters.
  There have been reports of it inserting garbage into the write stream as well. This means that only some files may have errors. This would make it somewhat difficult to detect for the average user. Doing a plain directory or filesize compare may not reveal any corrupt files.
  Use a crc validator or a binary file compare util on all images burned with this.

- ClipMate
  Opens your browser to a 'gotcha' page using blacklisted name/serial.
  v4.11 using a blacklisted name/serial might also make it crash.
  Solution: Just delete the Registration Info from your Registry.
  (HKEY_CURRENT_USER\Software\Thornsoft\Clipmate5\Registration)

- CloneCD
  New serials get blacklisted very quickly, make sure you use the correct serial with the version you have. It might appear to accept old serials but will burn dud cds.
  Go to HKEY_LOCAL_MACHINE\Software\The Silicon Realms Toolworks\ and delete the 'Armadillo' key for 10 more writes.
  AVP might report the installer is infected. This is a false positive but treat all warnings with care. Try unzipping the installer and scanning the files, should be clean.

- Cool Edit 2000
  Detects if you've had a previous cracked/pirated v1.2 on your system. It might delete itself on this detection. Also seen mentioned that the CoolEdit MP3 Plugin does the same thing.

- Copernic
  v4.0/4.1 - Using the built-in update feature results in the ad banner window returning. Try getting a newer version and do a clean install of it. Make sure you use a newer serial too.
  To remove the grayed out box and remove Advertisements go to Registry Editor.
  (HKEY_CURRENT_USER\Software\Copernic Techologies\Copernic4Plus\Preferences\)
  and remove the 'ShowAd' key.
  OR try, inside the 'ShowAd' key, replacing 0Xffffffff with 0X00000000.

- CPUidle
  A Zor reader mentioned that AtGuard reports that this tries to establish an outgoing TCP/IP connection. To do what he doesn't say.

- CuteFtp
  v3.xx, using cracks may make the program and your system become very unstable. As of v3.54 there are a few good cracks that contain a valid registry file. Apparently the program has multiple layers of key-checking and numerous self-integrity checks.
  See what the authors have to say.
  http://www.globalscape.com/support/cracks.html ,
  http://www.globalscape.com/support/cracks2.html
  While the program may be reasonably protected by the registration system, CuteFTP's data files are protected by an extremely weak 'encryption'. The term 'encryption' is used very loosely in this regard, as usernames and passwords in the 'tree.dat' (v2.x) and 'smdata.dat' (v3.x) are easily recovered. There is one other username and password combination that is stored as plaintext in the registry and CuteFTP's ini file.

- CSE HTML Validator
  Phones home only when using the built-in update check. If you have used an invalid serial and try to update, it will then always try to phone home.
  Solution: Just delete the Registration Info from your Registry.
  (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\CSE3310)

- DiskState
  v2.02 maybe others, seems to be a dupe file checking util. Saw a sketchy report that it fills the registry with CLSID's. This appears to be part of its normal operation.

- (*) Download Accelerator
  To remove the ads find the 'Ads' folder and delete the image files, if they come back, delete them again.

- Extractor Marketing Software - (Extractor Pro & Web Weasel)
  Phones home every time the prog is started.

- Feurio
  v1.30, careful with using Feurio 1.30 with the 'ciccio' code. Although it seems registered, it inserts a spoiler into a random track. It goes: "beeeeeep... illegal copy ... beeeeeep".

- (*) FlashFXP
  Uses a blacklist for pirate serials; if you use a blacklisted serial the app contacts the author's website and pops threatening messages. It's not recommended using the update feature. tHE eGOISTE/Tmg has a good crack for it and eGO has a program that reads the blacklist.

- (*) Firehand Ember
  Not sure of versions, v5.93+ I think; pops a warning when using a 'pirated' serial, damages system.
  After v3.8.6(?) there are separate demo and retail versions.

- Folder Guard
  Uses blacklist for pirate names.

- Fruity Loops
  v2.01, to enter serial - ctrl+shift+F2. Reported as having 4 stages to the protection scheme: Basic, Full, TS404, and a 'God' mode being the final; this 'God' mode has been reported as bogus.
  It appears that the download from the FruityLoops site is a CRIPPLED demo. Depending on the TMG keygen you have it may not work. TMG have also released a keygen for a FULL (non-crippled) FruityLoops.

- Fruity Tracks
  v1.50, to enter serial - ctrl+alt+F9. The crippled problem with FruityLoops may also apply to this one.

- FTP Voyager
  Serial is date dependent. Stops downloading files a few bytes before completion when using blacklisted name/serial.

- GameSpy
  Only use cracks by REBELS. Uses server authentication to confirm the user's registration, forget about using keygens or serial#s alone.

- Genius
  v2.6 on detecting a blacklisted serial pops up a little "you're using pirated software, etc." window and disables various functions.

- Getright
  Uses a blacklist for pirate serials. Might try to bring up a 'gotcha' page. If it starts playing up...
  Go to HKEY_CLASSES_ROOT\CLSID\{F853B2C7-386A-11D3-A860-006097897A00} and delete 'ID'.
  Go to HKEY_CURRENT_USER\Software\HeadLight\GetRight\Config\ and delete 'Window00' and 'RegistrationCode' or delete the number itself.
  Then try using another serial#.

- Gordon Production's software (ASCII-Help, Einstein, Home Project, KarCheck, PasteMaster)
  Einstein maybe others, phones home and reports the use of a crack, expect an email from the author. Saw a report on Zor's news that the author emailed a keygen user knowing it was used.

- (*) HistoryKill 99
  Pops a warning about sending mail to the author when using a bad serial#, have seen one report of it doing system damage.

- HoneyQ
  v1.50, not all serials seem to enable the use of video, if video gets disabled after registering then this is why.

- HotDog
  Uses server authentication to confirm the user's registration.

- Htmasc32
  v3.03.22 uses a blacklist for pirate serials, will randomly popup a bogus program error on detecting a blacklisted serial.

- HTML (Un)Compress
  Uses blacklist for pirate serials.

- Intermute
  Uses server authentication to confirm the user's registration. This may have been removed since v1.40. v1.50 has been reported as clean.

- KeyText
  Most older serial/keygens (v1.1x) were not 100%, prog ended up still limited, more recent serial#s might be fine.

- Kyodai Mahjongg
  Be careful using old keygens & serials, has been reported to do nasty things.

- Lightspeed Products - (Rocket, WebConvert Pro)
  Rocket maybe others phones home and reports the use of a crack, expect an email from the author.

- LinkBot
  v5.0, Phones home.

- Liquid FX
  Takes your browser to a 'gotcha' page on detecting a blacklisted name/serial.

- Lockdown2000
  Have seen very conflicting reports about the effectiveness of this, also seen mention that although it claims to be, it is not a firewall. Repeatedly updated by authors to overcome new cracks, seemingly very little time spent updating functionality.
  Be careful trusting your system security on this, do some testing and you decide.
  Some interesting test results to consider
  http://www.primenet.com/~lippard/pchelp/LDtest.htm

- (*) LviewPro
  v2.8, you can't enter a serial in the demo from the website, a patch is required.

- Magic Folders
  Deletes the illegal registration file and warns that if you use it again, it will uninstall and you won't "ever" be able to install it again. It also states something about being able to delete the whole hard drive instead of just one file. Last cracked version was a looooong time ago.

- Multimedia Builder
  v4.5, try CORE's older keygen putting in an email address as the username to generate the key, eg. me@you.com.

- Nero
  v4.?? accepts an invalid serial for a while, at a later time tells you that the serial number you are using has been pirated. Doesn't cause any system damage, but it will ask you for a correct serial number every time you load it up until you give it a valid one.

- Net Detective 2000
  Does nothing more than a few good search engines can do.

- Netinfo
  Will contact its home server upon startup or some network event even after being registered.

- NewsRover
  Since v3.8(?) name/serial is at least triple checked: when first entered, when retrieving newsgroup headers, and uses server authentication. If the second check fails it will delete the data files from its directory.

- Norton Antivirus 2000
  Has been reported that if you've used a cracked dll on the demo, when you update the virus definitions you will get a message that says you need to download a patch. If you say yes and download the patch it will replace the "fixed" dll and set the attribute to read only, making it difficult to "tamper with" again.

- Offline Explorer
  Contains a blacklist of usernames.

- Oil Change
  Uses server authentication to confirm the user's registration, it's the Oil Change server that provides the list of updates.

- Personal Stock Monitor
  Will contact its home server upon startup or some network event even after being registered.

- Quake 3
  The newly released full version uses server authentication to allow you to play online, either buy it or find yourself a cracked SERVER to play on.

- RankHigher
  Quoted from website - 'A note to Crackers, Hackers and thieves: we are NOT responsible for what this program does when using a cracked version, stolen registration code or reg code generators! You've been warned...!'.

- RealNetworks is watching you
  http://www5.zdnet.com/zdnn/stories/news/0,4586,2385034,00.html?chkpt=zdhpnews01

- RealPlayer
  v6 update check triggers blacklisted serial nag.
  v7.0 includes a prog called Comet Cursors which has recently been revealed to send out info on your browsing habits.

- Restorator
  v2.50 bld 757, Apparently there is only ONE 100% crack for this, all others will trigger the prog to delete itself.

- SmartDraw
  v4.22, to get another 30 days on the trial version..., might only work once tho.
  Go to 'help' menu, click 'about', the 'about' box pops up, hold down Ctrl+Shift and click the 'ok' button.

- Starcraft's Battlenet
  Collects data about you and sends to server.

- Time & Chaos
  v5.xx maybe later, blacklist for pirate serials, on detecting pirate serial locks the data files, prog may not run again.

- Timeworks DirectX Plugins
  Demos can detect if you've used a cracked version before, threatens to erase C: drive, seems to just be a scare tactic.

- ToDo'95
  v4.14 maybe others. If the program is used beyond the 30 day evaluation period, the author issues a "Doomsday warning". The message warns that the user must uninstall the program immediately or the program will delete the host computer Windows directory. The code for a DELTREE command on the host Windows directory has been found within the executable.

- Total Recorder
  v2.1 maybe others, v1.0 is ok. Seems to be a long standing often missed trick: after 64 seconds a spoiler signal is inserted into the output file.

- Tracking the Eye
  Uses server authentication to confirm the user's registration.

- TranSoft - (MailControl & others)
  Contacts its home server and checks your registration data against a few lists. (http://www.transsoft.com/codes/)
  One list is 'legal' usernames, other is 'illegal'.
  Names on the Illegal list include - William McCurdy, Nambulu, forcekill, MONTILLO, Montillo, Norway, SiraX/[DNG], CORE/JES, Bracco, Nambulu/Survivors, BABYNET, SiraX/CORE, QuQ [FACTOR], Black Thorne [PC'98], Phrozen Crew '98, SiraX/[CORE]-1998, TransSoft, mRFANATIc [D4C], JellyTop, astaga [D4C], C4A Team, Doug Mchugh, Karl Kachigan, Master Computer.

- Tweaki for Power Users
  Serial is date dependent. Pops a warning message on bad serial. If you get this try going to
  \HKEY_LOCAL_MACHINE\Software\Tweaki\
  Find the 'RegName' key and change SPRITEX to SPRITEY.
  Also reported to detect an old cracked version, pop nasty messages and stop working. Clean the old registry entries and also search for 'jermar', 'tweaki', and 'twk'; new version will then install without probs.

- WebForms
  In one version of it, the author had code to delete x:\windows\system\*.dll, and in another he deleted x:\command.com, then displayed a goofy message. There is a modified keymaker that gets posted now and again. It still works, last time it was checked. Has been advised against using it on a version above 2.5d, however.

- Wetsock 4
  Will contact its home server upon startup or some network event even after being registered.

- Where Is It?
  Locks catalogs if blacklisted name/serial is used. Due to continual updating (to overcome the cracks) it's hard to find a correct version and matching keygen. Core's v2.11 (2.1.1.1003) release of the app & keygen is known to be good.
  When this happens in v2.12 it locks the catalog and overwrites the catalog name with 'warez user'. I have some info on fixing this.
  It gets worse as of v2.14, it doesn't lock the catalog but overwrites all titles, folders, and file names in the catalog with 'warez user'.
  If you get stuck in the 'warez user' trap do NOT save the catalog; if it happens during updating the original catalog will be ok.
  Have used v2.14 for a while and eventually got trapped, seemed to be after running it while online but could not catch it in the act. To Robert's credit the protection scheme is very good, no doubt using multiple triggers, timers and delays before the 'problems' start appearing.

- WinDownload
  Pre v4.x, formatted hard drive, shut down windows when using blacklisted name/serial, conflicting report that it only deletes the Program Files directory.

- Windows 2000
  You must TYPE the serial number, not copy/paste, when installing.

- Winproxy by Ositis
  v3.0, uses server authentication and/or a blacklist, on detecting a bad serial will pop 'gotcha' type messages.

- WinRAR
  v2.60, the authenticity verification feature doesn't seem to work 100% on any cracked version.

- WinRescue98
  v4.11, Be very careful with this. An abc regular reported that this deleted his windows directory twice in a row on Dec 12. It had been running fine for many months on the 'christa' serial until that date.

- WinRoute
  When entering the serial make sure the letters (a-z) are in UPPER case. The first time you login to the Administration Tool, leave the username as set (Admin) and leave the password blank.

- Wolf products by Trellian
  Pops warnings when using blacklisted name/serial.

- Zmud
  Uses server authentication to confirm the user's registration.

====================================================================
Fixes and Misc Info

Be careful when using any built-in update features in many progs. As well as providing updates it could also be checking your registration. Common problems after updating include:
  Prog will revert to unregistered state.
  Prog then refuses to accept old serial.
  Prog refuses to run.
  Prog refuses to re-install.

Server authentication is when the prog checks the entered registration info against a database on the author's server.

When a prog 'phones home' it is communicating with the author's server. It might be part of the server authentication or it could be alerting the author to a crack user, yet it could be part of how the prog works. Due to the intended use of these progs online there isn't much you can do.

Try running a firewall to monitor and block any attempts to communicate with a prog's home server. AtGuard, Conseal PC Firewall and Guard Dog are a few firewalls to try, which monitor incoming and outgoing traffic.

You might also like to check out ZoneAlarm v2.x, which now adds monitoring of incoming as well as outgoing traffic, and it's FREE.
http://www.zonelabs.com/zonealarmnews.htm
AtGuard and ZoneAlarm run quite happily together although there is no real need to run a bunch of these things at the same time.

As an all round system or otherwise helper, create an image of your windows partition using Ghost or Drive Image Pro. The image obviously needs to be created BEFORE you make any major system/software changes.

Another option is to use one of the many progs that monitor changes on your HD and in the OS. These compare a before and after snapshot and report the differences. Some to try are 'Inctrl' from ZDNet, 'CleanSweep', and an oldie but a goodie called 'InWatch'.

'The Best' program for you, of any type, is one that YOU have researched, found and tested yourself.

====================================================================
The moral of the story

The effects of the programs listed above vary from simple annoyance to out and out disaster for the end user.

One word: BACKUP
If there is data on your computer that you just can't afford to lose then back it up!

Two words: VIRUS SCAN
Scan each and every file that comes onto your system with at least two scanners if not more.

If something looks too good to be true, then it probably is.

Learn and use a Hex Editor, very handy for spotting trojan code that virus scanners don't see.

Be calm and sensible when using cracks of any kind, and the software involved. The next executable file you run could toast your system, remember that and be careful.

====================================================================
The information above has come from various sources, some from me and a lot from many other people. Sources included newsgroup postings, crack/warez releases, Zor's page and the kind people who contact me directly. To one and all, thanks for your 'heads up' information.

====================================================================
This document as a compilation of data remains the copyright of LeoGetz. All other copyrights are held by their respective owners.

====================================================================
LeoGetz
"Check your corners people!"
http://www.angelfire.com/ok3/LeoGetz2/index2.html
(CrackFaq, some downloads, some info on 'stuff')
Thanks to all the good people here and there.
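
An added example, not part of the original document: the before-and-after snapshot comparison described under 'Fixes and Misc Info', combined with the CRC/binary compare advice from the CdrWin entry. It hashes file contents so that a file altered without changing its size is still reported; the sample tree, file names and tampering are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path (relative to root) to (size, SHA-256 hex digest)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), digest.hexdigest())
    return snap


def diff(before, after):
    """Report added, removed, resized and same-size-but-altered files."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "resized": sorted(p for p in common if before[p][0] != after[p][0]),
        # A size-only or directory-listing compare cannot see this class.
        "same_size_altered": sorted(
            p for p in common
            if before[p][0] == after[p][0] and before[p][1] != after[p][1]
        ),
    }


def demo():
    """Constructed sample tree: snapshot, tamper, snapshot again, diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        write("windows/win.ini", b"[windows]\nload=\n")
        write("data/track01.wav", b"\x00" * 4096)
        write("data/catalog.db", b"title=holiday photos\n")
        before = snapshot(root)

        # Constructed changes of the kinds the list reports:
        # garbage spliced into a file without changing its length
        write("data/track01.wav", b"\x00" * 2048 + b"\xff" * 16 + b"\x00" * 2032)
        write("windows/win.ini", b"")                      # overwritten system file
        os.remove(os.path.join(root, "data/catalog.db"))   # deleted data file
        write("ads/banner.gif", b"GIF89a")                 # new file dropped on disk
        return diff(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:18} {paths}")
```

To use it on a real system, call `snapshot()` on the directory before installing or updating, store the result, and `diff()` it against a second snapshot taken afterwards.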
