RE: Grokster and possible trojan

["Ken Pfeil" <Ken () infosec101 org>]

Save yourself some time Scott,

Both files come up as TROJ_DLDER.A using Trend Micro's online scanner. It
evidently hasn't made it into their online encyclopedia yet. Looks like
their signature (991) was updated for this one two days ago.

Regards,
Ken



> -----Original Message-----
> From: scott () falcon graphictype com [mailto:scott () falcon graphictype com]
> Sent: Thursday, December 27, 2001 8:30 PM
> To: Ken @Work
> Cc: Michael; vuln-dev () securityfocus com
> Subject: RE: Grokster and possible trojan
>
>
> I'm not even positive that it's only one trojan that i
> found on my system, perhaps it's two separate viruses,
> and i am thinking it's a single one.
>
> In reference to "dldr.exe", i'm not positive where
> this came from, but i'm 90% certain that "explorer.exe"
> was installed by Grokster (as the Click Till U Win game).
> The reason i think that they're both part of the same
> trojan is becuase i find "clicktilluwin" in a hexdump
> of *both* files - which is too much of a coicidence
> for me.
>
> Even if you un-install it, i'm pretty sure it'll hang
> around... after i deleted "dldr.exe" and rebooted my
> machine, i found it right back in "C:\winnt\"...
> as for "explorer.exe" in "C:\winnt\explorer\"
> it still hasn't resurfaced after one reboot,
> but perhaps it'll come back tomorrow, when i log
> into the machine at work again...
>
> On Thu, 27 Dec 2001, Ken @Work wrote:
>
> > Is this in relation to LIMEWIRE?  I have the Dlder.exe file but
> no reg entry
> > under that location or a hidden folder in Winnt called 'explorer' with a
> > file 'explorer.exe' in it??   If so, I'm uninstalling this shit asap!
> >
> > Let me know.
> >
> > thanks,
> >
> > A concerned net citizen!