RE: Grokster and your email

["Amer Karim" <amerk () telus net>]

It's also installed with the gnutella client LimeWare.  I dl'd the latest
version last night and tested it - NAV immediately picked up the dlder.exe
and backdoor.Trojan.  I wonder if all these clients are infected - haven't
had a chance to test any of the others.

Regards,
Amer Karim
Nautilis Information Systems
Pager: 604-645-7729
e-mail: amerk () nautilis-sys com

-----Original Message-----
From: Ken Pfeil [mailto:Ken () infosec101 org]
Sent: December 30, 2001 08:57
To: Markus Kern; yanker () sympatico ca
Cc: vuln-dev () securityfocus com
Subject: RE: Grokster and your email

Here's the write-up on TROJ_DLDER.A

http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLDER.A&;
VSect=T

(Nice job Tamir :)

> -----Original Message-----
> From: Markus Kern [mailto:markus-kern () gmx net]
> Sent: Sunday, December 30, 2001 11:38 AM
> To: yanker () sympatico ca
> Cc: vuln-dev () securityfocus com
> Subject: Re: Grokster and your email
>
>
>
>
> > I too got burned by Grokster, and removed it.
> > After removal, the dlder.exe program, and the
> > C:Program Files/Grokster/DB folder remained,
> > with 2 .dbb files. I opened them, and found one of
> > them had many, if not all, of my emails from my
> > Outlook Express Inbox mixed in with what I had
> > downloaded.
>
> I noticed similar behaviour with Kazaa, e.g. source code snippets in
> partially downloaded files. Since it doesn't make much sense to
> interleave personal data with stuff you download I've come up with the
> following explanation (much guesswork):
>
> Kazaa (and probably Grokster too) can download parts of files
> simultaneously from different sources. In order to do this it maps the
> local destination file to memory (using MapViewOfFile() or a similar
> function) and writes the downloaded file snippets at the offset in
> memory they belong. Until the entire file is downloaded there are
> parts that have never been written to by the application.
> Windows seems not zero those parts and they still contain old data from
> physical RAM, the swapfile or the disk.
>
> The .dbb files you mention are probably databases which are also good
> candidates for file mapping.
>
> > I don't know if my firewall stopped
> > them from getting this information, but it is not
> > something you want to see. Time for Netscape.
>
> I don't think the software attempted to send anything.
> It just failed to zero the file before using it which isn't much of a
> problem and would've just decreased performance.
>
> regards
> Markus