[ISN] Popular file-share utilities contain Trojans

From: InfoSec News (isnat_private)
Date: Fri Jan 04 2002 - 03:05:32 PST

  • Next message: InfoSec News: "RE: [ISN] Satellite Command Security?"

    Forwarded from: Jei <jeiat_private>
    Popular file-share utilities contain Trojans
    By Thomas C Greene in Washington
    Posted: 03/01/2002 at 08:26 GMT
    Popular file-sharing software from Grokster and the Limewire Gnutella
    Client contain the W32.DlDer Trojan, Symantec revealed last week.
    According to several Reg readers, the KaZaA utility also contains the
    same infection.
    The Trojan here is a spyware application masquerading as a lottery
    game called ClickTilUWin. When installing the Grokster or Limewire
    software, and some versions of KaZaA, the user is given an option to
    enable the ClickTilUWin feature. Regardless of whether one accepts or
    declines, the Trojan is installed.
    Grokster has offered an explanation of this embarrassing oversight on
    its Web site:
    "Some of you may be wondering why this Trojan was in our installer at
    all," the company speculates wisely.
    "We sometimes bundle advertiser applications with our installer in
    order to help pay for our costs here at Grokster. We are normally
    given an installer from the advertiser which we run during the
    installation of Grokster. We have no access to the source code of
    these third-party installers and so we rely on what our advertisers
    say these programs do. To the best of our knowledge, this particular
    advertiser simply placed a link to a free online lottery on the
    desktop. We were never informed that it installed or was a Trojan."
    The company has released a utility which it says will remove the
    Trojan, and promises to have a clean version of its software available
    in a matter of days.
    Those who prefer to see to their own Trojan removal need only search
    for a hidden directory under their \Windows directory called
    \Explorer. Simply delete the \Windows\Explorer directory, along with
    the companion file Dlder.exe in the \Windows directory.
    The Trojan is not destructive, but does phone home to the ClickTilUWin
    Web site with user data which, presumably, is used for marketing
    purposes, or is perhaps forwarded to RIAA headquarters to assemble a
    database of copyright scofflaws.
    We don't know which; but we do know better than to install software we
    know nothing about. 
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Jan 04 2002 - 13:26:39 PST