Re: Grokster and possible trojan

["Michael" <scorpsec () optushome com au>]

I had this same thing on my Win98 machine the other day, but without
Grokster. Could be a totally different thing, but ohwell ;)

Turned out that in \windows, there was a hidden folder called "explorer",
with explorer.exe in it. Norton AV picked it up as Backdoor.Trojan, and I
removed it immediately. Before I did that, I was getting Visual C++ errors
from "explorer.exe", which first made me a bit suspicious about what someone
could have put on my computer..

Hope that helps.

----- Original Message -----
From: "scott [gts]" <scott () graphictype com>
To: "vuln-dev" <vuln-dev () securityfocus com>
Sent: Friday, December 28, 2001 7:49 AM
Subject: Grokster and possible trojan


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I apologize if any of this is already known or not applicable
> to this list, but i found something that disturbs me today
> about grokster.
>
> While going thru my registry today, i noticed the reg entry:
>   SOFTWARE\Microsoft\windows\currentversion\run
>   "dlder"="C:\winnt\explorer\explorer.exe"
>
> C:\winnt\explorer\ turned out to be a hidden folder, with one
> file "explorer.exe" (31Kb).  So i deleted the entry in the
> registry, PGP-Wiped the directory and EXE file, and rebooted.
>
> Upon rebooting, i noticed a "dlder.exe" hidden executable
> in my C:\winnt\ folder (i dont know if it was there before,
> but i think it was, i just didnt notice it).
>
> After opening up explorer.exe and dlder.exe in an editor
> that displayed them as Hex, i noticed "clicktilluwin",
> which is a (supposedly) optional add-on piece of software
> that comes with Grokster.  I had installed grokster last
> month and used it once, disliked it, then uninstalled it.
>
> So it worries me that this "click till u win" thing that i
> told grokster *not* to install, is still hanging around.
>
> Then i called a friend of mine, who verified that he had
> the same reg key and hidden folder/files.  he deleted the
> affected registry keys and bogus "explorer.exe" and "dlder.exe"
> files and rebooted.  Then, he did a fresh install of Grokster,
> specifically telling it *not* to install "clicktilluwin",
> then rebooted, and there the registry keys and hidden files
> appeared again -- seems that "click till u win" is installed
> no matter what you tell grokster.
>
> I have no clue what these two binaries are doing to my
> system, and it worries me that they might be keyloggers
> (or something malicious).  I attached an email my friend
> sent to me after he did some research into Grokster, and
> now i am even more nervous.  It seems that the information
> he found about the company is completely bogus....
> (Please see attached email)
>
> For more information and copies of the two binaries
> that i found on my system, please go to:
> http://furt.com/grokster/
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBPCuJYcaXTGgZdrSUEQJ0mQCgzDuXQ4JLbEshiHs1UySN3Wt/hOkAoKiv
> SZ6OlPu4ACdHv1V6V3iruLoY
> =XTZ3
> -----END PGP SIGNATURE-----