Vulnerability Development mailing list archives
RE: Grokster and your email
From: "Amer Karim" <amerk () telus net>
Date: Sun, 30 Dec 2001 13:21:59 -0800
It's also installed with the gnutella client LimeWire. I dl'd the latest version last night and tested it - NAV immediately picked up the dlder.exe and Backdoor.Trojan. I wonder if all these clients are infected - haven't had a chance to test any of the others.

Regards,
Amer Karim
Nautilis Information Systems
Pager: 604-645-7729
e-mail: amerk () nautilis-sys com

-----Original Message-----
From: Ken Pfeil [mailto:Ken () infosec101 org]
Sent: December 30, 2001 08:57
To: Markus Kern; yanker () sympatico ca
Cc: vuln-dev () securityfocus com
Subject: RE: Grokster and your email

Here's the write-up on TROJ_DLDER.A
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLDER.A&VSect=T
(Nice job Tamir :)
-----Original Message-----
From: Markus Kern [mailto:markus-kern () gmx net]
Sent: Sunday, December 30, 2001 11:38 AM
To: yanker () sympatico ca
Cc: vuln-dev () securityfocus com
Subject: Re: Grokster and your email

> I too got burned by Grokster, and removed it. After removal, the dlder.exe program, and the C:\Program Files/Grokster/DB folder remained, with 2 .dbb files. I opened them, and found one of them had many, if not all, of my emails from my Outlook Express Inbox mixed in with what I had downloaded.

I noticed similar behaviour with Kazaa, e.g. source code snippets in partially downloaded files. Since it doesn't make much sense to interleave personal data with stuff you download, I've come up with the following explanation (much guesswork): Kazaa (and probably Grokster too) can download parts of files simultaneously from different sources. In order to do this it maps the local destination file to memory (using MapViewOfFile() or a similar function) and writes the downloaded file snippets at the offset in memory they belong. Until the entire file is downloaded there are parts that have never been written to by the application. Windows seems not to zero those parts and they still contain old data from physical RAM, the swapfile or the disk. The .dbb files you mention are probably databases which are also good candidates for file mapping.

> I don't know if my firewall stopped them from getting this information, but it is not something you want to see. Time for Netscape.

I don't think the software attempted to send anything. It just failed to zero the file before using it, which isn't much of a problem and would've just decreased performance.

regards
Markus
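The mitigation Markus names above (zero the destination file before pieces are written into it at arbitrary offsets) and a check for whether a partially downloaded file carries stale data, as an added example; this is editor-written code, not code from the thread or from any of the clients discussed. It uses portable stdio rather than the Win32 MapViewOfFile() path he guesses at, so the mechanics are the same on any platform: a downloader that seeks past the end of a new file and relies on the OS to zero-fill the gap is trusting a guarantee not every filesystem gives, whereas writing the zeros itself removes that dependency. The function names and the /tmp path are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Create the destination file and explicitly write `size` zero bytes.
 * Seeking past the end and letting the OS "fill in" the gap is exactly
 * the assumption that leaks old disk or swap contents on some systems;
 * writing the zeros ourselves removes it. Returns 0 on success, -1 on error. */
int preallocate_zeroed(const char *path, long size) {
    unsigned char zeros[4096];
    FILE *f = fopen(path, "wb");
    long remaining = size;
    if (!f) return -1;
    memset(zeros, 0, sizeof zeros);
    while (remaining > 0) {
        size_t n = remaining < (long)sizeof zeros ? (size_t)remaining : sizeof zeros;
        if (fwrite(zeros, 1, n, f) != n) { fclose(f); return -1; }
        remaining -= (long)n;
    }
    return fclose(f) == 0 ? 0 : -1;
}

/* Write one downloaded piece at its offset, the way a multi-source
 * downloader fills in pieces as they arrive. Returns 0 on success. */
int write_chunk(const char *path, long offset, const unsigned char *data, size_t len) {
    FILE *f = fopen(path, "r+b");
    if (!f) return -1;
    if (fseek(f, offset, SEEK_SET) != 0) { fclose(f); return -1; }
    if (fwrite(data, 1, len, f) != len) { fclose(f); return -1; }
    return fclose(f) == 0 ? 0 : -1;
}

/* Scan the file and count non-zero bytes that lie OUTSIDE the range
 * [written_off, written_off + written_len). For a correctly pre-zeroed
 * file this is 0; anything else means the not-yet-downloaded region
 * holds data the application never wrote. Returns -1 on I/O error. */
long stale_bytes_outside(const char *path, long written_off, size_t written_len) {
    FILE *f = fopen(path, "rb");
    long pos = 0, stale = 0;
    int c;
    if (!f) return -1;
    while ((c = fgetc(f)) != EOF) {
        int inside = pos >= written_off && pos < written_off + (long)written_len;
        if (!inside && c != 0) stale++;
        pos++;
    }
    fclose(f);
    return stale;
}

/* Read `len` bytes at `offset` into buf; returns the number of bytes read. */
size_t read_at(const char *path, long offset, unsigned char *buf, size_t len) {
    FILE *f = fopen(path, "rb");
    size_t n;
    if (!f) return 0;
    if (fseek(f, offset, SEEK_SET) != 0) { fclose(f); return 0; }
    n = fread(buf, 1, len, f);
    fclose(f);
    return n;
}

/* Constructed end-to-end run: a 16 KiB download of which only one 64-byte
 * piece has arrived so far. Returns 1 if the untouched region is clean and
 * the piece reads back intact, 0 otherwise. */
int demo(const char *path) {
    const long total = 16 * 1024;
    const long piece_off = 5000;
    unsigned char piece[64], back[64];
    size_t i;
    for (i = 0; i < sizeof piece; i++) piece[i] = (unsigned char)(0x41 + (i % 26));
    if (preallocate_zeroed(path, total) != 0) return 0;
    if (write_chunk(path, piece_off, piece, sizeof piece) != 0) return 0;
    if (stale_bytes_outside(path, piece_off, sizeof piece) != 0) return 0;
    if (read_at(path, piece_off, back, sizeof back) != sizeof back) return 0;
    return memcmp(piece, back, sizeof piece) == 0;
}

int main(void) {
    const char *path = "/tmp/partial_download.bin";  /* constructed path */
    int ok = demo(path);
    printf("untouched region clean and piece intact: %s\n", ok ? "yes" : "no");
    remove(path);
    return ok ? 0 : 1;
}
```

stale_bytes_outside() is the check worth keeping: pointed at a real partial download with the set of ranges the client has actually received, a non-zero count is the symptom yanker describes (foreign data inside a file the application has not finished writing), and it tells you whether the client pre-zeroes its destination files without reading its source.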
Current thread:
- Grokster and your email yanker (Dec 29)
- Re: Grokster and your email Mark L'Italien (Dec 29)
- Re: Grokster and your email Michael (Dec 30)
- Re: Grokster and your email Markus Kern (Dec 30)
- RE: Grokster and your email Ken Pfeil (Dec 30)
- RE: Grokster and your email Amer Karim (Dec 30)
- Re: Grokster and your email Kerosene (Dec 30)
- RE: Grokster and your email Ken Pfeil (Dec 30)
- <Possible follow-ups>
- RE: Grokster and your email Holmes, Ben (Dec 30)
- Re: Grokster and your email Mark L'Italien (Dec 29)