RE: Grokster and possible trojan

From: Dom De Vitto (Dom@DeVitto.com)
Date: 12/31/01


From: "Dom De Vitto" <Dom@DeVitto.com>
To: "Dom De Vitto" <Dom@DeVitto.com>, <scott@falcon.graphictype.com>, "Ken @Work" <kludeman@adi-cs.com>
Date: Sun, 30 Dec 2001 23:21:07 -0000

Oops, I just upgraded to LimeWire 2.0.2, and even if you choose
not to install all the ad cruft, you still get dldr.exe.

Conveniently, NAV spotted it and killed it before it hit my disk ;-)

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Dom De Vitto Secure Technologies Ltd
  mailto:dom@devitto.com Mob. +44 7855 805 271
  http://www.devitto.com Fax. +44 8700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

> -----Original Message-----
> From: Dom De Vitto [mailto:Dom@DeVitto.com]
> Sent: 28 December 2001 12:07
> To: scott@falcon.graphictype.com; Ken @Work
> Cc: Michael; vuln-dev@securityfocus.com
> Subject: RE: Grokster and possible trojan
>
>
> I'm pretty sure LimeWire is clean, at least the version I'm using
> (version 1.6b). Obviously, I didn't install any of the freebie
> sponsor/spyware stuff.
>
> I'm pretty paranoid though; I'm firewalled and still run ZoneAlarm,
> SurfinShield etc. ... and also "clicktilluwin" doesn't exist as a raw
> (ascii) string anywhere on my system...
>
> Of course, later versions of LimeWire (and BearShare) may/will have
> different sponsors, and different "Ts & Cs".
>
> Dom
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Dom De Vitto Secure Technologies Ltd
> mailto:dom@devitto.com Mob. +44 7855 805 271
> http://www.devitto.com Fax. +44 8700 548 750
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> > -----Original Message-----
> > From: scott@falcon.graphictype.com [mailto:scott@falcon.graphictype.com]
> > Sent: 28 December 2001 01:30
> > To: Ken @Work
> > Cc: Michael; vuln-dev@securityfocus.com
> > Subject: RE: Grokster and possible trojan
> >
> >
> > I'm not even positive that it's only one trojan that I
> > found on my system, perhaps it's two separate viruses,
> > and I am thinking it's a single one.
> >
> > In reference to "dldr.exe", I'm not positive where
> > this came from, but I'm 90% certain that "explorer.exe"
> > was installed by Grokster (as the Click Till U Win game).
> > The reason I think that they're both part of the same
> > trojan is because I find "clicktilluwin" in a hexdump
> > of *both* files - which is too much of a coincidence
> > for me.
> >
> > Even if you un-install it, I'm pretty sure it'll hang
> > around... after I deleted "dldr.exe" and rebooted my
> > machine, I found it right back in "C:\winnt\"...
> > as for "explorer.exe" in "C:\winnt\explorer\"
> > it still hasn't resurfaced after one reboot,
> > but perhaps it'll come back tomorrow, when I log
> > into the machine at work again...
> >
> > On Thu, 27 Dec 2001, Ken @Work wrote:
> >
> > > Is this in relation to LIMEWIRE? I have the Dlder.exe file but no reg entry
> > > under that location or a hidden folder in Winnt called 'explorer' with a
> > > file 'explorer.exe' in it?? If so, I'm uninstalling this *** asap!
> > >
> > > Let me know.
> > >
> > > thanks,
> > >
> > > A concerned net citizen!
> >
> >

