This is a trojan program that is built into the “Firehand Ember Millenium”
The trojan was found in version “18.104.22.168” of this software, in beginning of September 2002. The trojan was found in original “Firehand Ember” package, and it was available for download at Firehand Web site: http://www.firehand.com/Ember/index.html.
Next week after the trojan was found, the trojan package was removed from download area and replaced with another “22.214.171.124” version where trojan components were removed.
The trojan components were found in two files in this package:
Ember32.exe - the main executable file fireutil.dll - program's library
On activating the trojan displays the message:
CrAcKiNg SoFtWaRe! PlEaSe WaIt!
Then it looks for all files on the drive where Windows is installed, and
CzY CrAcKiNg CrUe! We CrACk EvErYtHiNg!
The trojan is activated on entering registation data:
Registered User ID: [_________] Registration Key: [_________]
in case the “Registered User ID” field contains the “czy czy” string (any cased).