RE: Grokster and possible trojan

["Dom De Vitto" <Dom () DeVitto com>]

Ooops, I just upgraded to LimeWire 2.0.2. and even if you choose
not to install all the ad cruft, you still get dldr.exe.

Comviently, NAV spotted it and killed it before it hit my disk ;-)

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Dom De Vitto                               Secure Technologies Ltd
  mailto:dom () devitto com                       Mob. +44 7855 805 271
  http://www.devitto.com                       Fax. +44 8700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

> -----Original Message-----
> From: Dom De Vitto [mailto:Dom () DeVitto com]
> Sent: 28 December 2001 12:07
> To: scott () falcon graphictype com; Ken @Work
> Cc: Michael; vuln-dev () securityfocus com
> Subject: RE: Grokster and possible trojan
>
>
> I'm pretty sure LimeWire is clean, at least the version I'm using
> (version 1.6b).  Obviously, I didn't install any of the freebee
> sponsor/spyware stuff.
>
> I'm pretty paranoid and though, I'm firewalled and still run ZoneAlarm,
> SurfinShield etc.... and also "clicktilluwin" doesn't exist as a raw
> (ascii) string anywhere on my system...
>
> Of course, later versions of LimeWire (and BearShare) may/will have
> different sponsors, and different "Ts & Cs".
>
> Dom
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>   Dom De Vitto                               Secure Technologies Ltd
>   mailto:dom () devitto com                       Mob. +44 7855 805 271
>   http://www.devitto.com                       Fax. +44 8700 548 750
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> > -----Original Message-----
> > From: scott () falcon graphictype com [mailto:scott () falcon graphictype com]
> > Sent: 28 December 2001 01:30
> > To: Ken @Work
> > Cc: Michael; vuln-dev () securityfocus com
> > Subject: RE: Grokster and possible trojan
> >
> >
> > I'm not even positive that it's only one trojan that i
> > found on my system, perhaps it's two separate viruses,
> > and i am thinking it's a single one.
> >
> > In reference to "dldr.exe", i'm not positive where
> > this came from, but i'm 90% certain that "explorer.exe"
> > was installed by Grokster (as the Click Till U Win game).
> > The reason i think that they're both part of the same
> > trojan is becuase i find "clicktilluwin" in a hexdump
> > of *both* files - which is too much of a coicidence
> > for me.
> >
> > Even if you un-install it, i'm pretty sure it'll hang
> > around... after i deleted "dldr.exe" and rebooted my
> > machine, i found it right back in "C:\winnt\"...
> > as for "explorer.exe" in "C:\winnt\explorer\"
> > it still hasn't resurfaced after one reboot,
> > but perhaps it'll come back tomorrow, when i log
> > into the machine at work again...
> >
> > On Thu, 27 Dec 2001, Ken @Work wrote:
> >
> > > Is this in relation to LIMEWIRE?  I have the Dlder.exe file but
> > no reg entry
> > > under that location or a hidden folder in Winnt called
> 'explorer' with a
> > > file 'explorer.exe' in it??   If so, I'm uninstalling this shit asap!
> > >
> > > Let me know.
> > >
> > > thanks,
> > >
> > > A concerned net citizen!