I'm sorry, but I think it's very unlikely that this is a corrupted file or a bad burn.
If you think about what a live image has to go through before it even reaches the point of dropping you at a hash prompt - loading the kernel image and miniroot, uncompressing and mounting the squashfs root filesystem, going through the init scripts, and eventually hauling the vast reptilian bulk of KDE off the filesystem and into main memory after you've typed "startx", I really think a corrupt download or a duff burn would have already presented themselves with far worse symptoms than something as trivial as a changed root password (refusals to boot, kernel panics, or filesystem corruption errors).
I've just booted off my copy of bt4-final.iso, and run "sshd-generate" (to generate a set of ssh host keys), followed by "/etc/init.d/ssh start" (to start the ssh daemon) and finally "ssh root@localhost". The password "toor" doesn't work. A quick check of /etc/ssh/sshd_config shows that PermitRootLogin is set to yes, so that's not the problem.
Typing "passwd root" (to change the root password) and setting it to something else and then trying again to ssh to localhost means I can log in successfully using my new password.
This pretty well proves that the root password on the live image isn't "toor".
Finally, because I'm absent-minded and I didn't think to save my /etc/shadow and /etc/passwd before changing root's password, I rebooted off the live image again and used John The Ripper to break the password.
For those interested in keeping track, here's a copy/paste of the steps:
OK, so John cracked the password in no time at all, but there's no password shown.. hmm..
root@bt:~# cd /pentest/passwords/jtr
root@bt:/pentest/passwords/jtr# ./unshadow /etc/passwd /etc/shadow | egrep ^root >p
root@bt:/pentest/passwords/jtr# cat p
root@bt:/pentest/passwords/jtr# ./john p
Loaded 1 password hash (Traditional DES [128/128 BS SSE2])
guesses: 1 time: 0:00:00:00 100% (2) c/s: 12471 trying: 12345 - boomer
OK, so testing a theory, here's a a C program that I quickly bodged together:
Note the output of my program (U6aMy0wojraho) matches root's password hash shown in the JTR phase above.
root@bt:~# cat foo.c
printf("%s\n", crypt("", "U6"));
root@bt:~# gcc foo.c -lcrypt -o foo
This pretty well shows that the root password on the live image is a zero-length string, not "toor".
If you check around on the site, you should find the mods and developers saying in about a hundred different threads that "toor" is the password that is set by the installer, it's not what's used by the live image.