RE: Grokster and possible trojan (part 2)
From: Ken Pfeil (Ken@infosec101.org)
Date: 12/28/01
- Previous message: Michael: "Re: Grokster and possible trojan"
- In reply to: scott [gts]: "Grokster and possible trojan (part 2)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Ken Pfeil" <Ken@infosec101.org>
To: "vuln-dev" <vuln-dev@securityfocus.com>
Date: Thu, 27 Dec 2001 19:50:38 -0500
I've attached some of the dumpbin output from the .exe "Explorer.exe". I
haven't had a chance to run through all of it yet, maybe someone with more
time on their hands can do that ;-) First glance is pretty interesting
however, especially in RAW DATA#3..
Regards,
Ken
HBTM :-)
> -----Original Message-----
> From: scott [gts] [mailto:scott@graphictype.com]
> Sent: Thursday, December 27, 2001 4:02 PM
> To: vuln-dev
> Subject: Grokster and possible trojan (part 2)
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> This is the email from jason@gonsalves.ws detailing
> what he got when he tried to call the company and
> talk to them about the "click till u win" program.
>
> - -----------------------------------------------
> From: jason@gonsalves.ws
> To: scott@graphictype.com
> Date: Thu 12/27/2001 3:36 PM
>
> Grokster.com is registered to:
> Certified Corporate Services
> 7891 West Flagler Street 258
> Miami, Florida 33144, US
> 1-310-388-5666
>
> The number is not in service. I called information (411) and they have no
> listings in the area for this company, grokster, ltd or anything similar.
> Grokster.com is hosted by tera-byte.com, a company out of Edmonton, Alberta,
> Canada. It looks as though the Florida address is just to have a US mailing
> address. Good idea considering I wouldn't have touched this crap software
> if I knew they were based out of the West Indies.
>
> There are three confirmed incidents where, upon installing the Grokster
> client, third party spyware software was installed. Regardless if you
> choose to install the software or not, they are still installing it. I
> don't know how the software chooses what to install because on both of my
> tests, I selected NOT to have anything aside from the client installed. On
> each occasion, a separate piece of software was installed. Upon restarting
> my computer, my antivirus software alerted me to a modified explorer.exe
> file located on my c drive. After further inspection, this is what I found.
> PAY ATTENTION!!!
>
> Grokster creates a hidden folder in your c:\windows, c:\winnt directory
> called "explorer" and places a 31K file called explorer.exe in there. They
> think they are fucking slick... oh oh maybe they won't notice. How about
> the registry key they add under "Dlder"? This gets added under "run" and
> points to the false explorer.exe file.
>
> When I downloaded their client, I wanted to download music. I did not ask
> that all these shady little changes be made to my computer. I am
> recommending that anyone using this software remove it along with the files
> I mentioned in this e-mail.
>
> Do not delete explorer.exe from your windows directory, just the one in the
> hidden "explorer" folder. There is also a file called Dlder.exe that is
> located in the windows directory that can be removed. The program this file
> is associated with is "ClickTillUWin" and I specifically requested this crap
> not be installed.
>
> I don't know about you but I'm not going to be using anything from this
> company anymore. Bastards.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBPCuMQsaXTGgZdrSUEQKLfwCeJnmQUj25JFueF4Eko0MxzttXswIAn1TE
> bYaZUpoPpHLYXLR7Qsn0Bem4
> =jv2Z
> -----END PGP SIGNATURE-----
>
- text/plain attachment: db2.txt
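
A check for the persistence described in the quoted report (a Run value pointing at an explorer.exe that sits outside the Windows directory), as an added example that is not part of the original thread. The Run values below are constructed sample data, and the full path given for the "Dlder" value is an assumption based on the report's description.

```python
import ntpath
import re

# File names that should only ever load from the Windows directory itself.
PROTECTED_NAMES = {"explorer.exe"}

def image_path(command, windir):
    """Return the executable path from a Run-value command line."""
    command = re.sub(r"%(windir|systemroot)%", lambda m: windir,
                     command.strip(), flags=re.I)
    if command.startswith('"'):              # quoted path, arguments follow
        return command[1:].split('"', 1)[0]
    end = command.lower().find(".exe")       # unquoted path may hold spaces
    return command[:end + 4] if end != -1 else command.split(" ", 1)[0]

def find_masquerading(run_values, windir):
    """List (value name, path) pairs whose file name is a protected Windows
    name but whose directory is not the Windows directory."""
    expected_dir = ntpath.normcase(ntpath.normpath(windir))
    hits = []
    for name, command in run_values.items():
        path = ntpath.normpath(image_path(command, windir))
        parent = ntpath.normcase(ntpath.dirname(path))
        if not parent:                       # bare name, resolved via search path
            continue
        if (ntpath.basename(path).lower() in PROTECTED_NAMES
                and parent != expected_dir):
            hits.append((name, path))
    return hits

# Constructed sample of values exported from a Run key; only the "Dlder"
# entry reflects the report, and its exact path is assumed.
SAMPLE_RUN_VALUES = {
    "SystemTray": "SysTray.Exe",
    "Shell": r"%SystemRoot%\explorer.exe",
    "AVScanner": r'"C:\Program Files\AV\scan.exe" /startup',
    "Dlder": r"C:\WINDOWS\explorer\explorer.exe",
}

if __name__ == "__main__":
    for name, path in find_masquerading(SAMPLE_RUN_VALUES, r"C:\WINDOWS"):
        print(f"suspicious Run value {name!r}: {path}")
```

Matching on the file name and parent directory rather than on the value name keeps the check useful if the value is called something other than "Dlder".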