Just after 6:00 a.m. Pacific time, we took the affected servers offline to neutralize the threat. Our servers are now back online and functioning normally.
We take the security of our systems and the safety of our users very seriously. We sincerely apologize to any users who were affected.
Clarification: This only affects users who downloaded software specifically from utorrent.com or bittorrent.com between the hours above this morning. Users who previously downloaded our software are not affected.
Update #2: After further analysis, we don’t believe BitTorrent.com or the BitTorrent Mainline/Chrysalis clients were part of the incident.
Update #3: File Removal Instructions
This particular piece of malware renames itself as a different .exe file every time it installs on a new machine. Therefore, first you need to determine the file name. To do this, visit the following File Directory on your Windows hard drive:
Windows XP: Click Start, click Run, and then type in “%USERPROFILE%Local SettingsApplication Data” without the quotes. The file will be called [random].exe
Windows Vista and Windows 7: Click Start, in the search box type in “%localappdata%” without the quotes. The file will be called [random].exe.
To delete the file, first you need to make sure to kill the application first:
- Open your Task Manager (Control-Alt-Delete), select the [random].exe (the name you found in the file directory). Click “End Process” and select “Yes.”
- Next: select the file name (or right-click on the name) and hit Delete.
- Empty your trash.


A good reason to start signing software downloads with gpg
well, but then users would have to check the signature. and if more than 0.001% of all utorrent users do that, I’d be really surprised … . of course you’re right, signing would be the first step
How many times was ‘Security Shield’ downloaded between the mentioned hours?
About 28,000 users were affected.
I’ll assume the malware did not have the digital signature of Bittorrent Inc?
I got owned by this. Spybot search and destroy didn’t find it. Need to reboot in safe mode and delete the *.exe hiding in the usersyouappdata folder.
You realize you posted this story, with times, and no actual date?
I assume by the URL path that we’re talking about this incident happening on Sept 13, 2011? But come on!
how many downloads were there during that window.
Are you 100% sure this was the only time? I’ve had utorrent for a while and I had this same Security Shield malware hit me more then once.
Yes, we’ve never had this kind of attack before. It’s unlikely its the first time the hackers used this piece of malware though.
They should burn the people that do these things, you know? Stab them violently until they scream!
What a WISE Comment NOT!
Many software projects sign their projects with GPG keys for this reason.
How about the OS X version of µTorrent? Was it compromised as well?
No, Windows only – if downloaded between those two hours. Thanks!
Ya this compromised my computer alright I can’t even load my control panel to erase shit all! Thanks for paying for virus protection, everything is a scam now days
Why do we still need email adresses in webforms. It’s so 2005.
Why isn’t it clear in the article whether OSX is compromised as well.
OSX was not affected, only Windows. Thank you.
Yeah this got into my system 4 times yesterday , each time i installed utorrent ! hehehe Was easy to fix, just booted into safe mode and restored my computer to a earlier time and ran a virus scan ! No Biggy ! Them dang hackers ! ehhehee
was researching ledbat and noticed this news.
so what httpd do you guys use on the download site?
nginx?
publicfile? not.
how experienced are your admins with unix?
others could learn from the mistakes made.
seems many, many www admins are making the same old mistakes as we continue to see www servers get compromised.
anyway sorry to hear about this.
Were the automatic updates also affected?
No, auto updates weren’t affected. See reply above for more detail
uTorrent automatically connects and updates. Any such suto updates during those hours might have anything to do with that? I didn’t install though it has been running for last 16 days. Besides I didn’t fins that file.
No, auto-updates weren’t affected. As it turns out, that server was offline at that moment. Had it been on, there are measures in place that would have ensured your client would have rejected the new build as an update. Thanks for asking – good question.
People that bundle these fake virus programs into software downloads just to scare you into typing in your credit card info so they can steal your money are nothing less than cyber terrorists! Why doesn’t the government form a special task force to track and prosecute these people? You know they have the resources to do anything they want. But no, they are too busy worrying about who illegally downloaded a music album or movie without paying for it yet. News flash, these people aren’t hurting anybody, these other jerks are harming innocent peoples computers.
If it were up to me I’d string them all up in a crowded parking lot somewhere with signs tattooed across their chests and backs saying “I hack computers with fake antivirus software and steal credit card into. And just let the people throw rocks at them all day, then I’d tie their legs to the back of bus and drive them down the highway at 80 miles and hour until there is nothing left but a bloody rope! That’s what these criminals deserve!
Actually, the Stuxnet virus is a sign of cyber-terrorism. It can mess up PLCs and that can lead to physical damage in the real world. But I see what you’re saying
Not able to download from any of the bandwidth servers, it says HTTP 404 error
it is a very good software our pc it provides more security more than other softwares.
Will you care to explain the details of the hack ?
I have 2 issues. First, I haven’t gotten my validation email for the forums, although I’ve checked my inbox and spam inbox, and I’ve resent the validation email. And secondly, I just downloaded BitTorrent for Mac, and when I open a torrent that has multiple files, it just automatically starts to download the entire torrent, instead of allowing me to select the files that I want from the torrent.
if you build it, they will come…..
Luke, I am your father
It happens, Nothing to worry.. if we would have not fall in trouble then this process of learning may stop.. these problems may help us in learning more and more..
i just helped a friend in removing this Security Shield fake antivirus.
I know someone who was affected by this.
Interesting, this site came up when I searched for “how to get rid of scareware” not what I’d expect, but your solutions worked, so it’s all good.
When removing viruses you should also search for the virus file name in windows search with “view hidden files” check to see if there are any hidden files that will reinstall when you restart your computer.
Do you have any idea of whom could posibly did that?
someone there can help me?
I’m using bittorrent as a download manager, and I want that when a
download is complete, automatically move to the next download, until you finish the download list I put in bittorrent.
I appreciate it now.
Thanks guys for letting me know about this.
thanks for the warning.
I had the same problem, Spybot Search and Destroy didnt pick it up considering its one of the top malware softwares.
People that bundle these fake virus programs into software downloads just to scare you into typing in your credit card info so they can steal your money are nothing less than cyber terrorists! Why doesn’t the government form a special task force to track and prosecute these people? You know they have the resources to do anything they want. But no, they are too busy worrying about who illegally downloaded a music album or movie without paying for it yet. News flash, these people aren’t hurting anybody, these other jerks are harming innocent peoples computers.
How about the OS X version of µTorrent? Was it compromised as well?
Thank you for the help, I followed your File Removal Instructions with Windows 7, and it worked fine.
Security Guards London