Grokster and possible trojan (part 2)

From: scott [gts] (scottat_private)
Date: Thu Dec 27 2001 - 13:01:54 PST


     
    
    This is the email from jasonat_private detailing
    what he got when he tried to call the company and
    talk to them about the "click till u win" program.
    
    -----------------------------------------------
    From: jasonat_private
    To: scottat_private
    Date: Thu 12/27/2001 3:36 PM
    
    Grokster.com is registered to:
    Certified Corporate Services
    7891 West Flagler Street 258
    Miami, Florida 33144, US
    1-310-388-5666
    
    The number is not in service.  I called information (411) and they have no
    listings in the area for this company, grokster, ltd or anything similar.
    Grokster.com is hosted by tera-byte.com, a company out of Edmonton, Alberta,
    Canada.  It looks as though the Florida address is just to have a US mailing
    address.  Good idea considering I wouldn't have touched this crap software
    if I knew they were based out of the West Indies.
    
    There are three confirmed incidents where, upon installing the Grokster
    client, third party spyware software was installed.  Regardless if you
    choose to install the software or not, they are still installing it.  I
    don't know how the software chooses what to install because on both of my
    tests, I selected NOT to have anything aside from the client installed.  On
    each occasion, a separate piece of software was installed.  Upon restarting
    my computer, my antivirus software alerted me to a modified explorer.exe
    file located on my c drive.  After further inspection, this is what I found.
    PAY ATTENTION!!!
    
    Grokster creates a hidden folder in your c:\windows, c:\winnt directory
    called "explorer" and places a 31K file called explorer.exe in there.  They
    think they are fucking slick... oh oh maybe they won't notice.  How about
    the registry key they add under "Dlder"?  This gets added under "run" and
    points to the false explorer.exe file.
    
    When I downloaded their client, I wanted to download music.  I did not ask
    that all these shady little changes be made to my computer.  I am
    recommending that anyone using this software, remove it along with the files
    I mentioned in this e-mail.
    
    Do not delete explorer.exe from your windows directory, just the one in the
    hidden "explorer" folder.  There is also a file called Dlder.exe that is
    located in the windows directory that can be removed. The program this file
    is associated with is "ClickTillUWin" and I specifically requested this crap
    not be installed.
    
    I don't know about you but I'm not going to be using anything from this
    company anymore.  Bastards.
    
    

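The Run entry and file location described in the message above can be checked for generically. The following is an added example, not part of the original post: it flags any Run value whose image uses a system binary's file name from the wrong directory, which generalizes the fake explorer.exe case. The Run key path, the list of system binaries and the sample values are assumptions constructed for illustration.

```python
import ntpath

# Well-known Windows binaries mapped to the one directory, relative to the
# Windows directory, they legitimately run from. Short list; extend as needed.
EXPECTED_DIR = {"explorer.exe": "", "svchost.exe": "system32",
                "winlogon.exe": "system32"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"  # assumed location

def image_path(command):
    """Pull the executable path out of a Run-value command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    end = cmd.lower().find(".exe")
    return cmd[:end + 4] if end != -1 else cmd.split(" ", 1)[0]

def masquerading_run_entries(run_values, windir):
    """Return (value name, image path) for Run values whose image borrows a
    system binary's file name but sits outside that binary's real directory."""
    findings = []
    for name, command in run_values.items():
        path = ntpath.normcase(ntpath.normpath(image_path(command)))
        base = ntpath.basename(path)
        # Bare names are resolved through the search path; skip those here.
        if base not in EXPECTED_DIR or not ntpath.dirname(path):
            continue
        legit = ntpath.join(windir, EXPECTED_DIR[base], base)
        if path != ntpath.normcase(ntpath.normpath(legit)):
            findings.append((name, path))
    return findings

def read_run_values(hive="HKEY_LOCAL_MACHINE"):
    """Read the live Run key; Windows only, so winreg is imported lazily."""
    import winreg
    values, index = {}, 0
    with winreg.OpenKey(getattr(winreg, hive), RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the index passes the last value
                return values
            values[name], index = str(data), index + 1

# Constructed sample modelled on the e-mail: a "Dlder" value pointing at the
# explorer.exe inside the hidden "explorer" folder, next to benign entries.
SAMPLE_RUN = {
    "Dlder": r"C:\WINDOWS\explorer\explorer.exe",
    "Shell": r'"C:\WINDOWS\explorer.exe" /n',
    "SystemTray": "SysTray.Exe",
}
```

On a live Windows host, pass `read_run_values()` and the value of `%windir%` to `masquerading_run_entries`; the message does not say which hive holds the value, so check both `HKEY_LOCAL_MACHINE` and `HKEY_CURRENT_USER`.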

