Interesting example of file sharing malware

File sharing networks are among the largest sources of malware infections. I guess that's not news to you. Lots of trojans and worms create infected files in the shared folders of installed peer-to-peer applications. That's how the plague spreads over the Internet. You search for a "cracked" version of some software, but often get malware instead.

Experienced file sharing fans know how to avoid downloading malware. In most cases they can say for sure which files in a search report look safe and which seem to be infected. However, even they cannot guarantee that downloaded software isn't corrupt and works as intended. Audio and video files are just the same. You cannot be absolutely sure which song or movie you've downloaded until you open and play it.

That’s the major problem of file sharing. Although it’s really useful, it isn’t safe at all. Malware pushers understood it years ago, and now entire networks such as LimeWire are loaded with all kinds of threats.

But this time it’s not the notorious LimeWire I want to speak about. It’s eMule, one of the most popular and relatively safe peer-to-peer clients. eMule connects to the good old eDonkey network.

Strange search results. Part 1

It all started a few months ago when I used eMule to search for some document. As always, I launched the program, connected to a network and typed the document name into the search field. Usually, search results appear immediately and the list of matches keeps growing until the search is finally over (a progress bar shows how far it has got). But that wasn't the case. The search was almost over, but the list of Search Results was still empty. That could only mean that there were no such documents in the entire file sharing network.

"Well, you cannot find just everything in a file sharing network," I thought. But just then a few results appeared. I had found the rare file I so badly needed! Then I took a closer look at the results, and I wasn't so happy anymore. The filename was an exact copy of my search keywords, but the file itself had a different extension. It wasn't a document but an executable. Of course, I didn't download it.

Back then I didn't have a lot of time, and I simply forgot about those strange search results. But I was pretty sure that the files I had found weren't legitimate or safe.

Strange search results. Part 2

I didn't use eMule for a few months, until yesterday. This time I searched for something similar to a new corrupt anti-spyware program. Don't ask me why, it's just a part of my work. Once again I didn't see any results while the search was in progress. But just before it was over, a few strange results appeared. There were 4 files: three Zip archives and one executable. Each of them had my search keywords as its name.

This could have been a coincidence, so I decided to run a few more searches that would normally return no results at all. The search strings were: "2spywaretestemule", "we search for p2p malware", and "this is just a test by 2spyware". I doubt that any of all those eDonkey users shares anything like this. Nevertheless, I got results.

The same four files in each search report! Three Zip archives and one executable. Take a look at their names. They are almost the same as my search strings.

By this time I was pretty sure that I was dealing with some kind of malware. I ran more searches with keywords of different forms and even in different languages, but I still got the same odd results.

What’s inside?

Being a curious person, I couldn't keep myself from downloading the strange files. The executables had icons similar to those used by setup files. Furthermore, they looked like installers for a BitTorrent downloader, whatever that means.

The Zip files were normal archives containing the Multi_Media and Online_TV executables, which seemed to be the installers for the Multi Media Toolbar and the Online TV Toolbar from PlatformaOnline Ltd. and Conduit Ltd. respectively. At least the file details said so.

I scanned all the files I had downloaded with my current antivirus and anti-spyware, but my security suite didn't find any pests. That was strange too. However, I gave it another try and uploaded the files to VirusTotal, a free service that scans suspicious files with multiple antivirus engines. The results were a bit different this time.

The executables I downloaded appeared to be downloader trojans with the common aliases of Trojon.Dropper-322 and

The executables within the Zip archives appeared not to be infected. However, I wouldn't describe them as safe. Both install advertising-supported Internet Explorer toolbars with possible browser-hijacking functionality. Right after you install them, you get pop-ups and noticeable system slowdowns.

Who’s responsible?

Of course, it would be interesting to know who or what spreads file sharing malware. I'm not speaking about typical worms that simply drop files with meaningful names into the shared folders of compromised computers; that answer is clear. What I want to find out is what kind of software can intercept a user's search keywords and send back generated results. I haven't seen anything like that in peer-to-peer networks before.

What is this? A new kind of sophisticated worm, or does it have something to do with the eD2k server configuration? Or maybe my test computer is infected with something that neither my security suite nor numerous online scanners can find? Why don't I get the same results when searching with alternative eDonkey network clients like aMule? That's a mystery to me right now.

I must confess I don't have all the technical knowledge of file sharing. Moreover, thorough research requires a lot of time, which is a big problem for me right now, but I plan to come back to this issue as soon as possible. I hope to do this in my future posts here, on

If you have any thoughts about these or any other interesting examples of file sharing malware, please leave your comments here. You can also discuss this write-up on our forum.

To be continued…

GTO, forum moderator

  • Server Emule 2011

    P2P applications in recent years have become a base for developing new business ideas that allow users to meet each other on the Internet and share common interests.

  • Server Emule 2011

    P2P applications have become very popular with domestic users as they allow seamless integration of applications with computers of different configurations without the need for special server devices.

  • bob betts

    For me it has gotten to the point that Emule is worthless. I got a huge list of possibles in a search for a rather unique program. I downloaded the ones that seemed most likely, checked for viruses and then installed. All I got was taken to a web page and a crapload of advertising programs installed on my computer. Now I'm working on getting them off and I vow I'll never use Emule again.

  • Scott

    Yes I know about this.

    I asked about it in the emule forums and they don't seem bothered by it, which is stupid really when you think about it; this can only damage a peer network like that.

    Limewire is another problem, this like Bit Torrent has been used to plant trojans on my computer. The number of times I have returned to my computer to find it off line and virus riddled is mind boggling.

    I complained to BT and I didn’t get a nice reply from FRION the administrator.

    Azureus, now called Vuze, is another trojan carrier.

    Some of these p2p networks are plagued with issues that the programmers and developers do not seem bothered by and have no inclination to rectify. I proposed a very simple double blind system to negate these types of search results in emule. All I got in return was to be told that it is impossible to deal with, despite the fact that all they should need to do is have the emule client, after start up and at random periods, do a background search for a bogus file.

    They responded with "How do you search for a bogus file then...? It is not practical and not easily implemented"

    I beg to differ.

    1. On load and connect to the network, you gather 3 or 4 packets from neighboring clients.
    2. Search for a file. Take a file for example: if you had this file to download, "Stargate Atlantis – The Grapes of wrath pt3a – S02E10.avi", it could be jumbled into another name and have something random appended, like "Grapes of Stargate – wrath pt3 – SO2aE10.avi".
       If the search returns results, then these IP addresses gleaned are bogus and would be put into an active pool of bad IP addresses, and the new IP addresses, if any, are passed back to the neighbors that provided part of your list of bad IP addresses AND to the server hub that you're connected to, with the search string your client used.
       This would propagate quickly through the network if each emule client passes the additional data to all those connected to it.
    3. When it is apparent that these IP addresses are bad, the emule servers get updated and those clients are locked out of the network.

    Simple way of dealing with *ankers who push this crap on to unsuspecting people.

    emule were not interested in implementing this easy method of assuring network stability.

    BT, don't get me started with that one, I could write a book on how exploitable BT clients are. It does not matter if you're firewalled, all it takes is this chink in your armor and they get in, as BT has exploitable functions and is in no way secure.

    Limewire is an example of how BT network is rife with viruses and how insecure the BT protocol is.
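As an added example (not code from the post, from the eMule project or from the commenter), here is a small Python sketch of two ideas that appear above: the post's observation in "Strange search results" that the poisoned answers simply hand the search string back as the name of an executable or archive, and the canary search proposed in this comment, where any answer to a random token marks the answering peers as suspect. The peer IPs, filenames, the SearchResult shape and the poisoning_node stand-in are all constructed for the example; no real eMule API is used.

```python
"""Heuristics for spotting poisoned eD2k/eMule search results.

All peer IPs, filenames and result lists here are constructed for the
example; nothing is taken from a real network capture.
"""
import re
import secrets
from dataclasses import dataclass, field

# A search for a document, song or movie should not be answered with these.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}


@dataclass
class SearchResult:
    filename: str
    size: int                                     # bytes, as reported by peers
    sources: int                                  # peers claiming to share it
    peer_ips: list = field(default_factory=list)  # answering peers (constructed)


def normalize(text: str) -> str:
    """Lower-case and keep only letters and digits, so that
    'this is just a test' and 'this_is_just_a_test' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def split_name(filename: str):
    """Return (stem, extension); the extension is lower-cased, '' if absent."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem:
        return filename, ""
    return stem, "." + ext.lower()


def echoes_query(query: str, filename: str, slack: int = 6) -> bool:
    """True when the file's stem is essentially the search string itself.
    The stem may add at most `slack` extra characters (a '(1)', a year)."""
    q = normalize(query)
    stem = normalize(split_name(filename)[0])
    return bool(q) and q in stem and len(stem) - len(q) <= slack


def flag_results(query: str, results):
    """Return [(filename, reason)] for results that look like poisoned answers:
    the query handed straight back as the name of an executable or archive."""
    flagged = []
    for r in results:
        if not echoes_query(query, r.filename):
            continue
        ext = split_name(r.filename)[1]
        if ext in EXECUTABLE_EXT:
            flagged.append((r.filename, "query echoed back as executable"))
        elif ext in ARCHIVE_EXT:
            flagged.append((r.filename, "query echoed back as archive"))
    return flagged


def canary_query() -> str:
    """A random token that no genuine share can match, so any answer is bogus."""
    return "canary-" + secrets.token_hex(8)


def suspect_sources(canary_results):
    """Peers that answered a canary query are suspected result poisoners."""
    return {ip for r in canary_results for ip in r.peer_ips}


def poisoning_node(query: str, ip: str = "203.0.113.7"):
    """Constructed stand-in for the behaviour the post describes: whatever the
    query, answer with the same four files named after it (not a real peer)."""
    return [
        SearchResult(f"{query}.exe", 180_224, 790, [ip]),
        SearchResult(f"{query.replace(' ', '_')}.zip", 4_100_000, 790, [ip]),
        SearchResult(f"{query} (1).zip", 4_100_000, 790, [ip]),
        SearchResult(f"{query.title()}.zip", 4_100_000, 790, [ip]),
    ]


if __name__ == "__main__":
    query = "this is just a test by 2spyware"
    genuine = SearchResult("2spyware_test_notes.pdf", 52_000, 1, ["198.51.100.20"])
    for name, why in flag_results(query, poisoning_node(query) + [genuine]):
        print(f"FLAG {name}: {why}")
    canary = canary_query()
    print("suspect peers:", suspect_sources(poisoning_node(canary)))
```

The echo heuristic is deliberately loose (a few characters of slack) because the post reports names that were "almost the same" as the search string, not byte-identical; the canary check is the stricter of the two, since a random token has no legitimate match and any peer answering it has nothing to offer but generated results. In a client, the suspect set would feed a per-session block list rather than being printed.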

  • Mark Giblin

    Not unusual, I raised this issue with the emule community some 5 years ago and it fell on deaf ears. I tried to illustrate this by posting an image of results in a search for this string.

    This is not a real file it is totally bogus and a fake that is generated on the fly.

    Want trojans and malware installs, try Bit Torrent. I have been hit several times, hacked and had viruses planted as well as my network dynamics altered by this program.

    I had to hard set my IP addresses for machines running BT as it would change from the DHCP allocated to a 169.* address range.

    The problem with most p2p networks is that they rely on connecting to someone or to remote computers.

    This means that the only logical conclusion is that some of these hubs in the p2p network are being run with modified code and/or clients to assist in this problem of bogus returns.

    Packaging up of viruses on the fly is not an issue, a simple generic name that is renamed or uploaded under a spoof name.

    Like I said, I have tackled this directly with eMule, I got laughed at and banned from the forum.
    I tackled the BT forum and FIRON the admin banned me.

    What happened, did I hit a raw nerve? I think I did and those two networks tried to stop me from bringing this issue to the public attention. Why it has taken so long I do not know but I am glad that the truth is finally coming out.

    Thank you for being a fellow observer.


  • dawn

    What an interesting and important alert!
    I was looking for some software for a Brazilian eMule user, and my search acted exactly in the same way as your description. As my curiosity is bigger than my caution, I decided to download the small exe file (the rest was too big for me, as I said, it was for another user, not for me). As soon as the DL was complete, I scanned the file with my antivirus (Active Virus Shield, a free version of Kaspersky) and it DIDN'T find any harm. So, I decided to execute it to see what is supposedly an installer for a bittorrent client. Surely I aborted the installation. Well, after 12 hours, in an automatic scan mode, my antivirus found that trojan, whose name I had never heard before. Their virus list has no description either. It was google that let me find this report.

    I saw in search window that there were about 790 users sharing the exe file, but only one user sharing the ISO and rar file with the original file name I typed, and there were 4 files in the total as well.

    I've been an eMule user for years now, and had never downloaded any kind of malware from the eD network before. So I'm guessing it's a very new process, and this alert should be spread in the eMule forum!

    Kind regards from Brazil

  • kurt wismer

    i suspect what you’re witnessing are malicious nodes on the p2p network deliberately designed to spread malware…

    if it were self-replicating malware that affected existing legitimate p2p clients then you’d expect to see much larger result sets to your test queries…