RE: Grokster and your email

From: Amer Karim (amerk@telus.net)
Date: 12/30/01


From: "Amer Karim" <amerk@telus.net>
To: "VULN-DEV List" <VULN-DEV@SECURITYFOCUS.COM>
Date: Sun, 30 Dec 2001 13:21:59 -0800

It's also installed with the gnutella client LimeWire. I dl'd the latest
version last night and tested it - NAV immediately picked up the dlder.exe
and backdoor.Trojan. I wonder if all these clients are infected - I haven't
had a chance to test any of the others.

Regards,
Amer Karim
Nautilis Information Systems
Pager: 604-645-7729
e-mail: amerk@nautilis-sys.com

-----Original Message-----
From: Ken Pfeil [mailto:Ken@infosec101.org]
Sent: December 30, 2001 08:57
To: Markus Kern; yanker@sympatico.ca
Cc: vuln-dev@securityfocus.com
Subject: RE: Grokster and your email

Here's the write-up on TROJ_DLDER.A

http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLDER.A&VSect=T

(Nice job Tamir :)

> -----Original Message-----
> From: Markus Kern [mailto:markus-kern@gmx.net]
> Sent: Sunday, December 30, 2001 11:38 AM
> To: yanker@sympatico.ca
> Cc: vuln-dev@securityfocus.com
> Subject: Re: Grokster and your email
>
> > I too got burned by Grokster, and removed it.
> > After removal, the dlder.exe program, and the
> > C:Program Files/Grokster/DB folder remained,
> > with 2 .dbb files. I opened them, and found one of
> > them had many, if not all, of my emails from my
> > Outlook Express Inbox mixed in with what I had
> > downloaded.
>
> I noticed similar behaviour with Kazaa, e.g. source code snippets in
> partially downloaded files. Since it doesn't make much sense to
> interleave personal data with stuff you download I've come up with the
> following explanation (much guesswork):
>
> Kazaa (and probably Grokster too) can download parts of files
> simultaneously from different sources. In order to do this it maps the
> local destination file to memory (using MapViewOfFile() or a similar
> function) and writes the downloaded file snippets at the offset in
> memory they belong. Until the entire file is downloaded there are
> parts that have never been written to by the application.
> Windows seems not to zero those parts and they still contain old data from
> physical RAM, the swapfile or the disk.
>
> The .dbb files you mention are probably databases which are also good
> candidates for file mapping.
>
> > I don't know if my firewall stopped
> > them from getting this information, but it is not
> > something you want to see. Time for Netscape.
>
> I don't think the software attempted to send anything.
> It just failed to zero the file before using it which isn't much of a
> problem and would've just decreased performance.
>
> regards
> Markus
>
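An added example, not code from this thread or from any of the clients discussed, that models the mechanism Markus describes: chunks written at their offsets through a file mapping, with never-received regions left as whatever the file held before. It shows the mitigation he names (zero-fill the destination before mapping it) and a forensic check that flags unreceived chunks containing non-zero bytes. The chunk size, the four-chunk layout and the "old" file content are constructed assumptions; the temporary file is created and removed by the script.

```python
import mmap
import os
import tempfile

CHUNK = 4096  # assumed chunk size of the simulated multi-source download


def preallocate_zeroed(path, size):
    # Mitigation: explicitly zero-fill the destination before it is mapped,
    # so unreceived regions can never expose leftover data.
    with open(path, "wb") as f:
        block = b"\0" * 65536
        while size > 0:
            f.write(block[:size])
            size -= len(block)


def write_chunk(path, index, data):
    # Write one received chunk at its offset through a file mapping.
    with open(path, "r+b") as f, mmap.mmap(f.fileno(), 0) as m:
        m[index * CHUNK:index * CHUNK + len(data)] = data
        m.flush()


def stale_regions(path, received, chunk=CHUNK):
    # Detection: indexes of chunks that were never received yet hold
    # non-zero bytes, i.e. candidate leftover data in a partial download.
    suspects = []
    with open(path, "rb") as f:
        index = 0
        while block := f.read(chunk):
            if index not in received and block.strip(b"\0"):
                suspects.append(index)
            index += 1
    return suspects


def demo():
    # Constructed scenario: the file already holds "old" content (standing in
    # for stale data); only chunks 0 and 2 of four arrive.
    fd, path = tempfile.mkstemp()
    os.close(fd)
    with open(path, "wb") as f:
        f.write(b"Subject: leftover mail\r\n".ljust(4 * CHUNK, b"X"))
    write_chunk(path, 0, b"A" * CHUNK)
    write_chunk(path, 2, b"C" * CHUNK)
    leaked = stale_regions(path, {0, 2})      # unzeroed file: [1, 3]
    preallocate_zeroed(path, 4 * CHUNK)       # apply the mitigation
    write_chunk(path, 0, b"A" * CHUNK)
    write_chunk(path, 2, b"C" * CHUNK)
    clean = stale_regions(path, {0, 2})       # zeroed first: []
    os.remove(path)
    return leaked, clean
```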