Infected Software Being Sold on Ebay



Hello, I recently purchased a DVD from eBay containing Hiren's Boot Disk from a seller. Today I happened to run a virus scan while the disk was in my drive, so it also scanned the disk and found a virus called Win32/Triggre!rfn, which I found out can give hackers remote access and hijacks PCs for cryptocurrency mining. Before I bought the disk my PC was already acting strange, so I thought I had a virus at that time even though no anti-virus software could find anything. I am trying to decide if I should contact eBay and report this seller, but I need to be absolutely sure the virus was already on the disk. This is where I need help. I know it's possible for viruses to copy themselves to any media, so is it possible that I already had the virus and it copied itself onto the disk during one of the many times it was in my DVD-RW drive? I cannot tell if the disk is rewritable or not; is there a way to tell? I've also read that it may even be possible for non-RW disks to be written to more than once, like +R and -R, so is that also possible? I would really appreciate any help and advice on what to do. If this eBay seller is selling and scamming people with infected software, he needs to be stopped and held accountable, and I don't want anyone else to make the same mistake I did in buying these disks. Looks like he has sold a lot of disks already.


Hello @Cygnus and :welcome:

I stand neutral in regards to the offerings on eBay as well as any of Hiren's editions. One of the first and most responsible actions is to perform a thorough fact check:

  1. Please quote the eBay URL link that points to the item that you purchased. Please obfuscate as "hxxp" for the protection of other viewers. Report to eBay?
  2. Even if the eBay offering is still active, please report the precise Hiren's edition with high accuracy and completeness.
  3. Please report your AV/AM application name/version that raised your suspicion. Strictly technically, the detection is likely not a virus but possibly a Trojan.
  4. Please report the suspected filename of the executable within the Hiren's release. This will be used to begin an analysis with VirusTotal and similar.
  5. Please verify the malware identification, as great doubt exists regarding the correct spelling.

Thank you, Cygnus.

Доверя́й, но проверя́й ("Trust, but verify") - Russian proverb


Hi, thanks for the speedy responses. I rescanned the entire disk, since last time I ejected it as soon as I saw the alert, and this is what was found.

Trojan:Win32/Tiggre!rfn (the "r" was a typo)
Location: D:\HBCD\Programs\Files\win7PExtras.7z

HackTool:Win32/Keygen
Location: D:\HBCD\Programs\Files\Windows7Loader.7z

HackTool:Win32/Wpakill.B
Location: D:\HBCD\Programs\Files\REMOVEWAT.7z

Windows Defender is what detected it, which I find funny because I've never seen it detect anything before. As far as version, it's not the latest. It's a fresh reinstall on a newer PC I built using an older Windows version 10.0.18362 installer disk. I hadn't even connected to my network yet to update since the reinstall.

The disk he sold me is Version 15.2 Edition 1.1. Maybe false positives, since HBCD does have some hacking-type tools in it and I am using an outdated anti-virus version? However, I also have another copy of the same version that I burned myself later using the ISO I downloaded straight from the official website, and none of these three files exists on it. I double-checked myself, comparing the two disks. I also scanned the disk I burned myself and Defender didn't detect anything.

He has ended the exact listing of the disk I bought, so the link no longer exists, but he's relisted what looks like the same exact disk in a new listing. The label looks exactly the same. When I go to my purchases in eBay the one I bought is grayed out. Here's the link to the current listing.

hxxps://www.ebay.com/itm/HIRENS-ULTIMATE-BOOT-DISK-WINDOWS-7-XP-8-10-OR-LINUX-NEARLY-3GB-REPAIR-TOOLS-/173572345985?nav=SEARCH

I can also provide a screenshot of it in my eBay purchases proving I purchased it if needed. He sells lots of software, including some related to hacking, I noticed.

I don't want to notify eBay until I know for sure that my suspicion is confirmed. This is why I'm asking for your help first, as I'm far from an expert. Also, this way I have some backup so eBay doesn't just dismiss me as some nutcase. Any other information you need, just let me know and I'll provide all that I can. If I am right, I want to nail this jerk for it. Selling software with hidden cryptocurrency trojans is a real scumbag thing to do. I wonder how much Bitcoin he's made off all the PCs he's enslaved.


  • Staff

I don't know about the Trojan detection, but the other two are just hacktool detections, which means riskware, not actual malware. The difference is that riskware is powerful software that could be used maliciously by a malicious actor such as a hacker or malware developer, but could also be perfectly innocent (things like Sysinternals tools from Microsoft, or some of the tools from NirSoft/Nir Sofer that can be used to pull passwords, etc.). Such tools are not inherently dangerous on their own, but could be dangerous if used maliciously, so anti-malware apps will often detect them to be safe. If you know where the tool came from and why it is there, then you can ignore the detection. The Trojan detection might be an FP or it could be a legit detection. If it is legit, then yes, the disc contains malware and should not be used.


Hello @Cygnus:

If you have the technical ability to safely extract the D:\HBCD\Programs\Files\win7PExtras.7z file, please upload it to VirusTotal and perform a default FILE analysis.

Then, compare the result for a perfect match to the following previous analysis:

https://www.virustotal.com/gui/file/8e198670e91e4090cf2059c8451582cf7b957e9cba95591dceaab006138e73a7/details

https://f.virscan.org/win7PExtras.7z.html

There is no risk as long as you do not extract that .7z archive file. If you are not comfortable with the above, the file Windows Defender detected is still likely an old Trojan and technically not a virus, but a Trojan is malware.

Thank you.

Edited by 1PW
Added a VirScan analysis
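The comparison 1PW asks for can be done without unpacking the archive: a VirusTotal file report URL of the form /gui/file/&lt;hash&gt; carries the sample's SHA-256, so hashing the .7z on the disc and comparing it with the hash in that URL tells you whether your copy is byte-for-byte the sample already analysed. Reading the archive's bytes never extracts anything inside it. The following is an added example, not code from the thread or from Hiren's; it uses only the Python standard library, and the "archive" it hashes is a constructed stand-in for the file on the disc.

```python
"""Compare a file from the disc against a VirusTotal report by SHA-256.

Added example (not from the forum thread). Standard library only. The VT
report URL path carries the analysed sample's SHA-256; hashing the local
.7z reads its bytes but never unpacks it, so nothing inside is executed.
"""
import hashlib
import os
import re
import tempfile

# The public VirusTotal report 1PW linked for win7PExtras.7z.
VT_REPORT_URL = (
    "https://www.virustotal.com/gui/file/"
    "8e198670e91e4090cf2059c8451582cf7b957e9cba95591dceaab006138e73a7/details"
)

_VT_HASH_RE = re.compile(r"/file/([0-9a-fA-F]{64})(?:/|$)")


def sha256_from_vt_url(url: str) -> str:
    """Return the lowercase SHA-256 embedded in a VirusTotal /gui/file/<hash> URL."""
    m = _VT_HASH_RE.search(url)
    if not m:
        raise ValueError("no 64-hex-digit SHA-256 found in URL: %r" % url)
    return m.group(1).lower()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 in 1 MiB chunks (archives can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_vt_report(path: str, vt_url: str) -> bool:
    """True only if the local file is exactly the sample VirusTotal analysed."""
    return sha256_of_file(path) == sha256_from_vt_url(vt_url)


def check_sample(data: bytes, vt_url: str):
    """Write constructed bytes to a temp file, hash it, compare it to the report.

    Returns (sha256_hex, matches). A real run would call sha256_of_file /
    matches_vt_report directly on the path of the file on the disc.
    """
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        return sha256_of_file(path), matches_vt_report(path, vt_url)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed stand-in for D:\HBCD\Programs\Files\win7PExtras.7z: the real
    # 7z signature bytes followed by made-up filler, so it is NOT the VT sample.
    fake_archive = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 64
    digest, same = check_sample(fake_archive, VT_REPORT_URL)
    print("local SHA-256 :", digest)
    print("VT sample     :", sha256_from_vt_url(VT_REPORT_URL))
    # A mismatch means the existing report says nothing about this copy, and
    # the file would have to be uploaded for its own analysis.
    print("identical to VT sample:", same)
```

On the actual disc you would call matches_vt_report(r"D:\HBCD\Programs\Files\win7PExtras.7z", VT_REPORT_URL). A match means the detections in the linked report apply to your copy; a mismatch means only that your file is a different build, not that it is clean, so it still needs its own upload.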

  • Staff
10 minutes ago, 1PW said:

I notice most of the detections for that VT entry are either heuristics (i.e. not a positive match to any known single piece of actual malware) and in one case a hacktool detection for a NirSoft tool (a PUA/PUP detection of a potentially risky executable, not actual malware), so it may in fact be the same as the other two PUP/riskware/hacktool detections and could be benign. I would suggest getting an analysis from an actual malware researcher to determine whether the files/archive are real threats or not.

