RE: Grokster and possible trojan (part 2)

["Ken Pfeil" <Ken () infosec101 org>]

I've attached some of the dumpbin output from the .exe "Explorer.exe". I
haven't had a chance to run through all of it yet, maybe someone with more
time on their hands can do that ;-) First glance is pretty interesting
however, especially in RAW DATA#3..

Regards,
Ken

HBTM :-)

> -----Original Message-----
> From: scott [gts] [mailto:scott () graphictype com]
> Sent: Thursday, December 27, 2001 4:02 PM
> To: vuln-dev
> Subject: Grokster and possible trojan (part 2)
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> This is the email from jason () gonsalves ws detailing
> what he got when he tried to call the company and
> talk to them about the "click till u win" program.
>
> - -----------------------------------------------
> From: jason () gonsalves ws
> To: scott () graphictype com
> Date: Thu 12/27/2001 3:36 PM
>
> Grokster.com is registered to:
> Certified Corporate Services
> 7891 West Flagler Street 258
> Miami, Florida 33144, US
> 1-310-388-5666
>
> The number is not in service.  I called information (411) and they have no
> listings in the area for this company, grokster, ltd or anything similar.
> Grokster.com is hosted by tera-byte.com, a company out of
> Edmonton, Alberta,
> Canada.  It looks as though the Florida address is just to have a
> US mailing
> address.  Good idea considering I wouldn't have touched this crap software
> if I know they were based out of the West Indies.
>
> There are three confirmed incidents where upon installed the grokster
> client, third party spyware software was installed.  Regardless if you
> choose to install the software or not, they are still installing it.  I
> don't know how the software chooses what to install because on both of my
> tests, I selected NOT to have anything aside from the client
> installed.  On
> each occasion, a separate piece of software was installed.  Upon restarted
> my computer, my antivirus software alerted me to a modified explorer.exe
> file located on my c drive.  After further inspection, this is
> what I found.
> PAY ATTENTION!!!
>
> Grokster creates a hidden folder in your c:\windows, c:\winnt directory
> called "explorer" and places a 31K file called explorer.exe in
> there.  They
> think they are fucking slick... oh oh maybe they won't notice.  How about
> the registry key they add under "Dlder"  This gets added under "run" and
> points to the false explorer.exe file.
>
> When I downloaded their client, I wanted to download music.  I did not ask
> that all these shady little changes be made to my computer.  I am
> recommending that anyone using this software, remove it along
> with the files
> I mentioned in this e-mail.
>
> Do not delete explorer.exe from your windows directory, just the
> one in the
> hidden "explorer" folder.  There is also a file called Dlder.exe that is
> located in the windows directory that can be removed. The program
> this file
> is associated with is "ClickTillUWin" and I specifically
> requested this crap
> not be installed.
>
> I don't know about you but I'm not going to be using anything from this
> company anymore.  Bastards.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBPCuMQsaXTGgZdrSUEQKLfwCeJnmQUj25JFueF4Eko0MxzttXswIAn1TE
> bYaZUpoPpHLYXLR7Qsn0Bem4
> =jv2Z
> -----END PGP SIGNATURE-----

Attachment: db2.txt
Description: