Am I about to download a virus? (Part 2)

In Part 1 we learned a bit about file extensions and how to judge things we download. We learned that data files are generally safe, but executable files (programs) may be a danger.

In this part we look at how to examine potentially dangerous files and assess the risk.

Let’s say we fancy a new screensaver. So I google “screensavers” and come up with this:

Googling for screensavers

Plenty to choose from there, all of them seem to be free.

I’ll avoid the adverts and choose the first “proper” search results, which takes me here:

screensaver.com

Looks OK, so let’s click on that “Download” button:

Do I want to download this?

Well, that wants permission to download something called livingdread.exe – sounds like a plausible name for a Halloween screensaver, but the extension is .exe, which we know from Part 1 is a program. I just want a screensaver, not a program, so that makes me a bit dubious. So I download it (“Save” it), but I’m not going to run it yet because I’m not sure what it might do to my PC.

Now I go to a very useful site called virustotal.com – it looks like this:

https://www.virustotal.com

I click on “Choose File”, navigate to the livingdread.exe file on my PC and click “Scan it!”. Virustotal then uploads livingdread.exe from my PC and scans it with about fifty anti-virus products. Here’s what I get:

Start of the Virustotal results

The whole screen (not shown here) tells me that it scanned livingdread.exe with 54 anti-virus products, and 21 of them didn’t like the look of it. Some of them say it’s a “PUP” (that’s a “Potentially Unwanted Product”) or that it would put ads on my screen. Now maybe livingdread.exe warns me about that when (if) I run it, and I can untick a box if I don’t agree, but I’m not going to find out. I don’t fancy running livingdread.exe after all, so I delete it from my PC. No harm done.

To be fair to screensaver.com they do give you a clue. Right at the bottom of the home page, it says this:

The small print

Here it is a bit bigger (my emphasis):

“Screensaver.com is distributing modified installers which differ from the originals. The modified installers are compliant with the original software manufacturer’s policies and Terms of Service. InstallIQ™ is an install manager that will manage the installation of your selected software. In addition to managing the installation of your selected software, InstallIQ™ will make recommendations for additional free software that you may be interested in. Additional software may include toolbars, browser add-ons, game applications, anti-virus applications, and other types of applications. You are not required to install any additional software to receive your selected software. You can completely remove the program at any time in Windows’ Add/Remove Programs.”

And if I click on Terms of Service:

“1. InstallX Install Manager. Your download and software installation may be managed by an InstallX installation manager (including, but not limited to InstallIQ): (i) downloads the files necessary to install your software; and (ii) scans your computer for specific files and registry settings to ensure software compatibility with your computer system and other software installed on your computer. We may show you one or more partner software offers. You are not required to accept a software offer to receive your download. Offers may include, but are not limited to: (i) changing your browser’s homepage; (ii) changing your default search provider; and (iii) installing icons on your computer’s desktop, including third-party software offers. The content and/or Offers may be supported by advertising.

2. KeepMySettingsX. KeepMySettingsX is a separate application that is installed with another software application (such as a browser toolbar) or at the time you change a setting on your computer (such as your default search provider) (this third party software and/or settings are together or individually, a “Protected Setting”). KeepMySettingsX is designed to monitor Protected Settings and may alert you if another program or third party is attempting to change a Protected Setting. KeepMySettingsX may only be compatible with the Protected Settings with which it was installed and such compatibility may change at any time at the sole discretion of InstallX with or without notice to you. If one of the Protected Settings is no longer supported, you hereby authorize InstallX to change your settings to another Protected Setting that is currently supported. If your computer system does not already have the software application to support the new Protected Setting, you consent that we may install software upon notice to you. You can access the KeepMySettingsX control panel by clicking an icon in the Windows notification tray. If your computer is connected to the internet, KeepMySettingsX may automatically download and update itself to the latest version.

3. FileWhiz. FileWhiz contains certain third-party free/libre/open-source software (“FLOSS”) components which are governed by their respective licenses, and not this Agreement. A list of FLOSS components and their respective licenses is listed here. By downloading or using FileWhiz in any way, you are accepting and agreeing to be bound by all licenses specified here, in their entirety.

4. Delivery of Advertising. By accessing the Sites or downloading the Content, you hereby grant us permission to display promotional information, advertisements, and offers for third party products or services (collectively “Advertising”). The Advertising may include, without limitation, content, offers for products or services, data, links, articles, graphic or video messages, text, software, music, sound, graphics or other materials or services. The timing, frequency, placement and extent of the Advertising is determined in our sole discretion. You further grant us permission to collect and use certain aggregate information in accordance with our Privacy Policy.

5. MyFreeze Blog Posts. InstallX allows you to post links and a personalized message to your existing blog. You must comply with your blog provider’s terms and conditions. You further agree that your personalized message will not contain any material that: (i) is indecent, misleading, defamatory, libelous, obscene, pornographic, hate speech, infringing, or otherwise objectionable; (ii) violates the copyright, trademark or other intellectual property rights of any other person; or (iii) is libelous, or an invasion of privacy or publicity rights or any other third party rights. InstallX has no control over the material you post to your blog. Further, InstallX assumes no responsibility or liability for the material you post and no obligation to monitor your posts.”

So it’s all there – they give themselves the right to install lots of other software, show you “special offers”, change your computer’s settings (and use KeepMySettingsX to stop you changing them back) and so on. The cynic might say that they choose fairly obscure language to explain this, and that the quality and trustworthiness of the extra programs (such as the “anti-virus applications”) is unknown.

Why do Google list them? Google requires such sites to have (on their home page) a suitable disclaimer, and to make clear in their terms what they are up to. Whether the disclaimers are clear enough, I leave you to decide.

In addition, screensaver.com would no doubt say that what they do is not illegal, that they are offering a useful service, that the additional programs they install are “carefully selected”, and so on. The problem is that screensaver.com installs extra programs that themselves then install extra programs, which may themselves then install extra programs! By the time you get to the end of the chain, no-one takes responsibility.

OK, let’s go back to Google:

Googling for screensavers

What about those images at the top of the search results? Exploring those takes me to reallyslick.com, which seems to have some nice screensavers, and from where I can download ReallySlickScreensavers-0.2.zip. Now, I know a zip file is just a container for other files, so I double-click on it and can see it contains a bunch of .scr files.

Inside the zip file

Now, that file type (.scr) wasn’t mentioned in my last post as a safe type, so I have to assume it could be dangerous. Googling a bit tells me that Windows screensavers do use the .scr extension, but that screensavers are themselves a type of program and are sometimes used by malware. So off to Virustotal again, and this is the result I get for ReallySlickScreensavers-0.2.zip:

Looks like it’s probably safe.

This looks much better – 54 out of 54 anti-virus products (including some well-known and reputable ones such as Kaspersky) apparently find nothing wrong with it. Of course, Virustotal may themselves be dodgy and might be lying to me (it pays to be paranoid) but it’s encouraging. So finally, I decide to wait a few days before installing ReallySlickScreensavers-0.2.zip (just in case it contains a new virus and the anti-virus products haven’t caught up with it yet) and I’ll scan it again at Virustotal in about a week or so and then decide. I don’t really need a screensaver after all, so if they can be dangerous, perhaps I should limit myself to the ones that Microsoft provide with Windows, or do without one completely!
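The checks walked through above (look at the extension, treat .scr like .exe, peek inside a zip before running anything, and get the file looked at by a scanner) can be done mechanically before a file is ever opened. The script below is an added example written for this post, not something from the original or from Virustotal; the extension list, the `triage` function and the constructed sample archive are all assumptions of mine. It also emits the file’s SHA-256, because Virustotal can be searched by hash, so a file that has already been seen need not be uploaded at all.

```python
import hashlib
import io
import zipfile
from pathlib import PurePath

# Extensions Windows runs as programs; .scr (screensaver) is an .exe in all but
# name, which is why the post treats it as risky. Assumed list, not exhaustive.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".ps1", ".vbs", ".js", ".pif"}
CONTAINER_EXTENSIONS = {".zip"}


def classify_name(name: str) -> str:
    """Classify by the final extension only: 'executable', 'container' or 'data'."""
    ext = PurePath(name).suffix.lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable"
    if ext in CONTAINER_EXTENSIONS:
        return "container"
    return "data"


def triage(name: str, data: bytes) -> dict:
    """Inspect a downloaded file without running it: SHA-256 (Virustotal can be
    searched by hash instead of uploading the file), top-level kind, runnable
    members inside a zip, and whether a scan is needed before trusting it."""
    report = {"name": name, "sha256": hashlib.sha256(data).hexdigest(),
              "kind": classify_name(name), "runnable_members": []}
    if report["kind"] == "container" and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            report["runnable_members"] = sorted(
                m for m in zf.namelist() if classify_name(m) == "executable")
    # A program, or an archive that contains one, gets scanned before it is opened.
    report["needs_scan"] = (report["kind"] == "executable"
                            or bool(report["runnable_members"]))
    return report


def build_sample_zip() -> bytes:
    """Constructed stand-in for a screensaver archive: two .scr files and a readme."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Flux.scr", b"MZ placeholder, not a real program")
        zf.writestr("Plasma.scr", b"MZ placeholder, not a real program")
        zf.writestr("README.txt", b"constructed sample archive")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: a made-up .exe payload and the sample archive above.
    for name, data in [("livingdread.exe", b"MZ..."), ("sample-screensavers.zip", build_sample_zip())]:
        print(triage(name, data))
```

Note that a data file inside the archive (README.txt) is not flagged, but the two .scr members are, which is exactly why the zip still went to Virustotal in the text.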

I hope that gives you an insight into how careful you need to be when downloading things from unknown sites. I make my living by removing malware from people’s PCs, but it is better to avoid the problem in the first place than to pay someone like me to sort things out if you fall for one of the malware authors’ devious tricks.

Be suspicious when downloading!