
Renderosity Forums / Community Center






Subject: Warning! The freebie Joshie wants to act as a server


MarianneR ( ) posted Sun, 04 August 2002 at 5:17 PM · edited Sun, 08 September 2024 at 8:56 AM

I downloaded Joshie on the Poser freebie page and it turns out to be an exe-file. I got suspicious and looked at it with a hex editor and found the name y3knetwork.com. At this web page they have a program called Y3K Remote Administration Tool Pro and Joshie.exe seems to be exactly that. When run it puts a program called server.exe in the Windows/System directory. I didn't allow it to access the internet (ZoneAlarm warned me) so I don't know what it does then. Quote from the y3knetwork web page: "What is Y3K Rat Pro? Y3K Remote Administration Tool Pro is a freeware product of Y3K Network, which give you the ability to control a remote or local computer system. For example, if you are at work, you can control your house's computer system, so it is like you are at home, in front of the computer's screen" Marianne
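Added example, not part of any poster's message: a small Python static triage that automates the hex-editor check described in the post above, without running the file. It confirms whether a download is really a Windows executable and lists embedded host names and .exe/.dll names. The function names are hypothetical and the sample bytes are constructed for illustration (they are not the real Joshie.exe); only the strings y3knetwork.com, server.exe and kernel32.dll come from this thread.

```python
import re
import struct

# Host-like and executable-like names to pull out of printable strings.
HOST_RE = re.compile(rb"(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz)\b", re.I)
FILE_RE = re.compile(rb"[\w-]+\.(?:exe|dll)\b", re.I)


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header that points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def ascii_strings(data: bytes, min_len: int = 6):
    """Runs of printable ASCII, like the text column of a hex editor."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def triage(data: bytes) -> dict:
    """Summarise what a download contains, without executing it."""
    strings = ascii_strings(data)

    def collect(pattern):
        return sorted({m.group().decode().lower()
                       for s in strings for m in pattern.finditer(s)})

    return {
        "is_executable": is_pe(data),
        "hosts": collect(HOST_RE),
        "file_names": collect(FILE_RE),
    }


def build_sample() -> bytes:
    """Constructed stand-in for a suspicious download (not a real binary)."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # PE header right after stub
    body = (b"PE\x00\x00" + b"\x00\x01\x02" * 8
            + b"y3knetwork.com\x00" + b"\x90" * 5
            + b"C:\\WINDOWS\\SYSTEM\\server.exe\x00"
            + b"kernel32.dll\x00")
    return bytes(hdr) + body


if __name__ == "__main__":
    print(triage(build_sample()))
```

For a real download, read the file with `open(path, "rb").read()` and pass the bytes to `triage`; a "character" file that reports `is_executable: True` deserves the suspicion shown in this thread.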


Poppi ( ) posted Sun, 04 August 2002 at 5:45 PM

Wow...that sounds pretty horrible.


Sacred Rose ( ) posted Sun, 04 August 2002 at 5:51 PM

It's called a New Character for Vickie by Joshie..in case anyone starts looking for a character by that name. Thanks for the heads up Marianne


sMartyPantz ( ) posted Sun, 04 August 2002 at 6:18 PM

It's always a good idea to look at what is in the files before you install anything.... being a bit paranoid is a good thing.


kromekat ( ) posted Sun, 04 August 2002 at 7:08 PM

bloody hell - what a nightmare!

Adam Benton | www.kromekat.com


Aureeanna ( ) posted Sun, 04 August 2002 at 7:21 PM

I'm assuming you have emailed Renderosity about this and not just depending on them reading this thread...this is awful and thanks for the heads up!!


scifiguy ( ) posted Sun, 04 August 2002 at 7:24 PM

:( The ends that the sleaze bags will go to to try and install their scumware so they can get access to your computer, spy on you, infect you, etc. never ceases to amaze me. Thanks for the heads up...hopefully admins will have this trojan horse deleted quickly.


crisjon1950 ( ) posted Sun, 04 August 2002 at 7:27 PM

Damn, no one should be putting that stuff up here. But how many of us know enough about how to examine all these files. I surely don't. I did a search for Joshie and found 4 "hits." Three of them are blank, with no thumbnails. The current file remains. Has anyone alerted Admin? If this is indeed dangerous, it should be exterminated. I took a chance and looked at this file with Quickview Plus. Frankly what I saw scares the pants off me. I don't understand any of this, but I don't think it should be a part of a Poser character:

"kernel32.dll
Ordinal Function Name
0000 DeleteCriticalSection
0000 LeaveCriticalSection
0000 EnterCriticalSection
0000 InitializeCriticalSection
0000 VirtualFree
0000 VirtualAlloc"


badmoon ( ) posted Sun, 04 August 2002 at 7:59 PM

I've stripped the file down and had a good look at the code. The damn thing sets up a listen server and potentially has the capability of relaying system data to the remote user. It even has a routine that logs and transmits any keypresses that you make, this also gives the remote user any passwords that you enter! My advice, don't dl it and if you have done DON'T try to install it. DELETE this file on sight. I've just alerted ClintH via IM as none of the forum mods is online at the moment. I'll keep you all posted if I hear any more.


crisjon1950 ( ) posted Sun, 04 August 2002 at 8:02 PM

I IMed Clint as well since I figured an "Admin-type" should be the one to deal with this. I haven't received a response yet, and am about to go offsite. I have faith in Clint though. He'll either deal with it or find someone who can.


Stormrage ( ) posted Sun, 04 August 2002 at 8:05 PM

I let Bushi know about this thread as well. Hopefully someone will get on and delete the file before someone installs it who hasn't read this thread. installs the damned thing


badmoon ( ) posted Sun, 04 August 2002 at 8:11 PM

Just checked through the "who's logged in" section and can't find a single 'Rosity staff member! Let's just hope one of them logs on soon.


terminusnord ( ) posted Sun, 04 August 2002 at 8:12 PM

Interesting. It's probably an ill-minded individual trying to score 3D warez by invading r'osity members' personal computers. -Adam


badmoon ( ) posted Sun, 04 August 2002 at 8:15 PM

Could be the case, but consider the implication of keypress logging. Not only does the scumbag get to know details like logon passwords & what sites you're a member of, but they also get to see your credit card details if you make any online purchases. Scary heh?


soulhuntre ( ) posted Sun, 04 August 2002 at 8:26 PM

Hey there :) Head over to zonelabs.com and grab the free Zone Alarm. If you accidentally run a program like this Zone Alarm (and some other like systems) will put up a warning and let you know that something is trying to be a "server" OR if something tries an outgoing connection. This gives you a good chance to tell that something is wrong :)


bushi ( ) posted Sun, 04 August 2002 at 8:33 PM

OK, I've saved a copy of the DL and took a screen shot. The entry has been deleted. I'll get admin in on this and I hope get it sorted out without anyone getting too badly damaged.


badmoon ( ) posted Sun, 04 August 2002 at 8:34 PM

According to the logs Bushi has just entered the building.......let's hope they read their IMs.


Jaqui ( ) posted Sun, 04 August 2002 at 8:35 PM

definitely a good idea to check over any files you download, and have a firewall running as well as antivirus. I have uploaded a couple of .exe items, made with winrar 3.0 as most people don't ( or didn't ) have that new a version. included in description, seen before downloaded was that it was a self extracting rar archive. if you do put an exe up, at least letting people know in information about file lets them choose whether or not to download it.


badmoon ( ) posted Sun, 04 August 2002 at 8:36 PM

Thanks Bushi :)


Crescent ( ) posted Sun, 04 August 2002 at 8:37 PM

It looks like the file got zapped, so that's one less thing to worry about. Thanks for the heads up!


wyrwulf ( ) posted Sun, 04 August 2002 at 8:41 PM

ZoneAlarm is great, but their latest version eats 9% of Windows resources on my machine with an Athlon 750 with 512 Meg of ram.


Stormrage ( ) posted Sun, 04 August 2002 at 8:51 PM

Thanks BUSHI S


Jaqui ( ) posted Sun, 04 August 2002 at 8:52 PM

just one question, did the person knowingly put the spyware into archive or did it do it itself? was there also the item mentioned in the thumbnail in the file?


TalmidBen ( ) posted Sun, 04 August 2002 at 8:57 PM

Marianne, you're a hero. How many computers did you just save? A ton probably.


Roy G ( ) posted Sun, 04 August 2002 at 9:00 PM

One good defence is to NEVER run an exe file from someone you don't know/trust. If you do, it's like handing over your computer and everything on it.

There were over a hundred downloads last I checked. I hope everyone is OK.


Hawkfyr ( ) posted Sun, 04 August 2002 at 9:12 PM

Thanks to Stormrage for giving us the heads up at the 3DCommune. We'll be watching for it over there too. 100 downloads? shakes head This is terrible. Thanks again for the heads up Marianne(And Stormrage) Tom 3DCommune Site Administrator

“The fact that no one understands you…Doesn’t make you an artist.”


CDI ( ) posted Sun, 04 August 2002 at 9:15 PM

Hi folks. IF someone installed this and nothing on their system caught it. How would one know if one had it???

I mean if John Poser gets thing installed on his system, what does he have to do to be rid of it?? Is there anything he can search for??

LOL And yes I'm writing cause I personally can't remember if I've downloaded anything from this Joshie person/site/freak of nature.


hauksdottir ( ) posted Sun, 04 August 2002 at 9:15 PM

Somebody is missing the boat. Here is a great idea for a summer horror movie... one that just about every viewer ought to empathize with. Remember how people stayed away from beaches after Jaws came out? ...even though sharks seldom swim in Lake Michigan? Instead of alligators being released into sewers to breed, or dragons released to toast a world, the hand of our destruction will be formless... but not voiceless. I can see it now: .EXE in huge letters on the screen, and Alan Rickman's voice saying, "you may think that it stands for executable, but have you never wondered what was the nature of The Executioner?"


neurocyber ( ) posted Sun, 04 August 2002 at 9:37 PM

Thanks for the warning! This is as serious as a heart attack. This very thing already did happen once to my computer not long ago. They even got control of my internet account through my computer and used it maliciously. I wish hackers would stop this kind of crap.


badmoon ( ) posted Sun, 04 August 2002 at 9:39 PM

Hi CDI, it's not a case of anything "catching" it. This isn't a virus, the simple act of running the damn thing is enough to do the damage. One way of checking would be to search for a file (probably kernel32.exe) that would be on drive C: in the Windows directory. A quick way of disabling this would be to rename it (eg Kernel32.old) so that the calling routine wouldn't be able to find this particular component. Another way of checking the system would be to call up the task manager (ctrl-alt-del) and check the running processes to see if anything unexpected is running (eg anything with server in the title, or anything else that you believe shouldn't be running). You could also type msconfig from the START/RUN menu and check what items are scheduled to run on start-up. If any items there appear to be suspicious simply uncheck the box to stop them from starting up on the next reboot. This last method is not foolproof since some apps can reinitialise themselves to reconfigure the start-up files. If any of this is too techie then the next step is to get a suitably qualified person to help, as it is all too easy to inflict a large amount of damage on one's PC when delving into these areas. Hope that this has been of some help.


Jaqui ( ) posted Sun, 04 August 2002 at 9:47 PM

and what does the Executioner execute? or rather, Who? ~eg~ I can see it now, a shadow striking from out of nowhere, executing people's lives, killing off all data about them...leaving them with nothing...then as they get more and more desperate..removing them physically. the executioner is an unnatural force, that came out of the internet.


Jaqui ( ) posted Sun, 04 August 2002 at 9:49 PM

but renaming kernel32.exe will stop windows from running. that is the core of the windows gui


Nance ( ) posted Sun, 04 August 2002 at 9:51 PM

This little tid-bit raises a number of questions. Just wondering how the bad-guy finds the infected computers? 1) For a file like that to reach out and touch him, initiating contact from the infected side, does it not have to contain the contact info (IP# or somesuch) for the evil doer? (and if so, I presume some talented sleuth here will find it). 2)When Zone Alarm issues an alert that an app is trying to act as a server or even access the net, doesn't it also give the addy that the app is trying to reach? (I use ZA also, but just don't recall) 3) Or, would he have to go around randomly pinging computers until he gets a response from an infected host? Even if he logged IP numbers from the downloads, I would presume few of us have a static number. And, if this was done maliciously, is such an act legal (in the US)? I guess I just don't get it. Obviously no criminal mastermind at work here. Sounds like a very inefficient way to hack & too easy to get caught red-handed.


Jaqui ( ) posted Sun, 04 August 2002 at 9:56 PM

Nance, you are right, the person responsible isn't very good at it. I can think of six ways off the top of my head to hide such a file and get it past a firewall. good thing I have no use for doing it huh? don't like windows, but I would rather shut m$ down than go after someone's pc, give people a better choice for an os than winblows and get the business away from M$ to shut them down, seems the best way to get rid of lousy gui to me.


Roy G ( ) posted Sun, 04 August 2002 at 10:01 PM

I wonder if Joshie had the file posted on his own web space? Someone should contact the ISP and report this.


crisjon1950 ( ) posted Sun, 04 August 2002 at 10:01 PM

I don't know about the rest of you, but I trust Renderosity. I trust the people who upload freebies. I would have no reason to be paranoid about something downloaded from Free Stuff. There have even been some excellent freebies in the form of "exe" files. The Smiley character is an example. I didn't download the file in question because, frankly, the item description left much to be desired. I just figured the artist was new and didn't know a better way to offer the freebie. I do thank MarianneR for alerting us, and Bushi for acting so quickly.


soulhuntre ( ) posted Sun, 04 August 2002 at 11:29 PM

"I can think of six ways off the top of my head to hide such a file and get it past a firewall." I would be pretty interested in those :) Of course getting a user to download it past an incoming firewall is trivial ... but get an outgoing connection past Zone Alarm or some of the others? That would be interesting. Of course, fooling the USER is easy enough... but getting it past the firewall on a properly set up windows box? That would be very interesting :) As for the connection issues... no, often a program like that is set to announce successful infection at a neutral machine, usually an IRC channel someplace. The person who sent it out watches that channel and "harvests" the IP addresses of infected machines.


Charlie_Tuna ( ) posted Mon, 05 August 2002 at 12:01 AM

>And, if this was done maliciously, is such an act legal (in the US)?< Nance, such an act is very much illegal, in fact it's a federal offence to "Knowingly or willingly send files known to contain malicious, damaging or destructive code." The fine is around $10k and up and loss of computer and a possible prison term. > give people a better choice for an os than winblows< Jaqui, that narrows the field down to Mac OSX and some variant of Linux, both of them are more stable and, at least on the mac side, (no exp with Linux so don't know its security) are much more secure than anything from micro$haft. The words 'Microsoft' and 'Security' cannot be mentioned without 'problems', 'hole', or 'warning' being mentioned somewhere nearby. --- MS Windows: the only commercially successful virus

Why shouldn't speech be free? Very little of it is worth anything.


Spit ( ) posted Mon, 05 August 2002 at 1:50 AM

>MS Windows: the only commercially successful virus< Unix was chock full of security holes for decades. It's just had more time to close them up. The problem with Windows isn't Windows the OS. It's Outlook Express and MS deciding that email should be in html format, displayed by IE, and running every type of scripting on the planet. That has become the main target. Viruses and trojans attached to files are as old as computers and no OS is immune.


Phantast ( ) posted Mon, 05 August 2002 at 1:54 AM

Much better to use only .zip files. So much safer.


Jaqui ( ) posted Mon, 05 August 2002 at 3:47 AM

soulhuntre, sorry, but I'm not involved at all in hacking into other people's computers, nor will I ever teach someone how to do so.


KateTheShrew ( ) posted Mon, 05 August 2002 at 3:50 AM

jaqui, the file you're thinking of is kernel32.dll not .exe. I don't have a kernel32.exe file anywhere on my computer. You're right about the kernel32.dll being necessary tho. Kate


Phantast ( ) posted Mon, 05 August 2002 at 4:40 AM

The writing is on the wall, and one day we will all have to read it, whether we like what it says or not - and what it says is: L I N U X


Jaqui ( ) posted Mon, 05 August 2002 at 6:16 AM

Katetheshrew, yup fingered that out already. ~g~ Phantast, I read it a long time ago, run linux already. ~L~


c1rcle ( ) posted Mon, 05 August 2002 at 6:36 AM

Jaqui apart from being immune to most virii at the moment, what's so great about Linux? I'm thinking about sometime in the future swapping from Winblows but I need to know it's going to be worth it :) Rob


Marque ( ) posted Mon, 05 August 2002 at 8:02 AM

If Linux wasn't free would you still say it's better than windows? Just wondering. Marque


Marque ( ) posted Mon, 05 August 2002 at 8:03 AM

Marianne what is the name of the file itself? Doubt if I downloaded it but you just never know. Marque


jchimim ( ) posted Mon, 05 August 2002 at 8:14 AM

"I trust Renderosity. I trust the people who upload freebies." Agree with that, for the most part. But, if 'rosity has 15,000 active members, and only a tenth of a percent are "less than honorable," that's still 15 people. I'd never download an executable file unless I knew: 1) the person was trustworthy (let's say they've posted other freebies, they're active in the forums, etc.) and 2) they take reasonable care to prevent viruses themselves (most malicious files are spread through carelessness.)


crisjon1950 ( ) posted Mon, 05 August 2002 at 8:37 AM

Well I do keep Norton Antivirus AutoProtect active at all times. NAV even scans incoming and outgoing emails.


lannie ( ) posted Mon, 05 August 2002 at 8:49 AM

Please. What was the name of the file. I would like to check to see if I downloaded it??? Thanks....


c1rcle ( ) posted Mon, 05 August 2002 at 8:51 AM

it was just called "a new character for Vickie" by joshie, luckily for me I didn't download it, I had a funny feeling about it. Rob

