One particular release of the commercial product Firehand Ember v5.2.3 by Firehand Technologies Corporation
contains built-in functionality that may cause data corruption.
If you register your copy of the Firehand Ember product by entering the string "czy czy" in the "Registered User ID" field, as shown here:
the program's payload will do the following:
It enumerates all of the files on the Windows installation partition (by default, C:\) and rewrites the first bytes of every file with the following string:
CzY CrAcKiNg CrUe! We CrACk EvErYtHiNg!
This will lead to total data corruption. When the payload performs its actions, you see the following string in a dialog box:
CrAcKiNg SoFtWaRe! PlEaSe WaIt!
An example of this is shown here. Many items are not displayed correctly because of the data corruption caused by the Trojan.
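The payload described above leaves a recognisable marker: every file it touches begins with the same fixed string. The following is an added example, not Symantec's or Firehand's code, of a small triage scanner that walks a directory tree and lists the files whose first bytes equal that marker, which is the kind of check an administrator would run after the fact to measure the damage and decide what must be restored from backup. The sample directory it builds is constructed here for demonstration and is not from the original page.

```python
import os
import tempfile
from pathlib import Path

# Marker string the advisory reports the payload writes over the
# first bytes of every file on the installation partition.
MARKER = b"CzY CrAcKiNg CrUe! We CrACk EvErYtHiNg!"


def is_overwritten(path):
    """Return True if the file begins with the payload's marker string."""
    try:
        with open(path, "rb") as f:
            head = f.read(len(MARKER))
    except OSError:
        # Unreadable files (locked, permission denied) are skipped rather
        # than reported; list them separately if full coverage is needed.
        return False
    return head == MARKER


def scan_tree(root):
    """Recursively walk `root` and return the sorted relative paths
    (with '/' separators) of files that carry the marker."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if is_overwritten(p):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree():
    """Constructed sample data (not from the advisory): a temporary
    directory holding two 'corrupted' files and one intact file."""
    root = Path(tempfile.mkdtemp(prefix="ember_triage_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_bytes(MARKER + b" ...remainder of the original file")
    (root / "image.bmp").write_bytes(MARKER)
    (root / "notes.txt").write_bytes(b"Quarterly notes, untouched.")
    return str(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    for hit in scan_tree(sample):
        print("overwritten:", hit)
```

Run it against the partition root (for example `scan_tree("C:\\")` from an administrative prompt) to produce an inventory of affected files. Because the payload overwrites only the leading bytes, a file that matches is not recoverable by inspection alone; the list is a restore list, not a repair list. Files shorter than the marker, or ones the payload could not open, will not match and need a separate check.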
The Firehand Ember v5.2.3 program contains a hard-coded list of banned users with which the software cannot be registered. This was implemented to block registration with serial numbers that had been leaked to the Internet. The "czy czy" account is also on the list of banned accounts. However, for this particular account the software triggers its built-in destructive payload, which was implemented by someone who had, or currently has, access to the source code of this software. This might be a former or present employee of Firehand Technologies Corporation.
The current version of the software contains no destructive payload: the "czy czy" account has been moved to the list of banned accounts that triggers no destructive payload.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":