Vulnerability Development mailing list archives
RE: Grokster and possible trojan
From: "Dom De Vitto" <Dom () DeVitto com>
Date: Sun, 30 Dec 2001 23:21:07 -0000
Ooops, I just upgraded to LimeWire 2.0.2, and even if you choose not to install all the ad cruft, you still get dldr.exe.

Conveniently, NAV spotted it and killed it before it hit my disk ;-)

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto Secure Technologies Ltd
mailto:dom () devitto com Mob. +44 7855 805 271
http://www.devitto.com Fax. +44 8700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----Original Message-----
From: Dom De Vitto [mailto:Dom () DeVitto com]
Sent: 28 December 2001 12:07
To: scott () falcon graphictype com; Ken @Work
Cc: Michael; vuln-dev () securityfocus com
Subject: RE: Grokster and possible trojan

I'm pretty sure LimeWire is clean, at least the version I'm using (version 1.6b). Obviously, I didn't install any of the freebie sponsor/spyware stuff.

I'm pretty paranoid and though, I'm firewalled and still run ZoneAlarm, SurfinShield etc.... and also "clicktilluwin" doesn't exist as a raw (ascii) string anywhere on my system...

Of course, later versions of LimeWire (and BearShare) may/will have different sponsors, and different "Ts & Cs".

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto Secure Technologies Ltd
mailto:dom () devitto com Mob. +44 7855 805 271
http://www.devitto.com Fax. +44 8700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----Original Message-----
From: scott () falcon graphictype com [mailto:scott () falcon graphictype com]
Sent: 28 December 2001 01:30
To: Ken @Work
Cc: Michael; vuln-dev () securityfocus com
Subject: RE: Grokster and possible trojan

I'm not even positive that it's only one trojan that i found on my system, perhaps it's two separate viruses, and i am thinking it's a single one.

In reference to "dldr.exe", i'm not positive where this came from, but i'm 90% certain that "explorer.exe" was installed by Grokster (as the Click Till U Win game).

The reason i think that they're both part of the same trojan is because i find "clicktilluwin" in a hexdump of *both* files - which is too much of a coincidence for me.

Even if you un-install it, i'm pretty sure it'll hang around... after i deleted "dldr.exe" and rebooted my machine, i found it right back in "C:\winnt\"... as for "explorer.exe" in "C:\winnt\explorer\" it still hasn't resurfaced after one reboot, but perhaps it'll come back tomorrow, when i log into the machine at work again...

On Thu, 27 Dec 2001, Ken @Work wrote:

Is this in relation to LIMEWIRE? I have the Dlder.exe file but no reg entry under that location or a hidden folder in Winnt called 'explorer' with a file 'explorer.exe' in it?? If so, I'm uninstalling this shit asap! Let me know.

thanks,
A concerned net citizen!