Grokster and possible trojan

From: scott [gts] (scottat_private)
Date: Thu Dec 27 2001 - 12:49:37 PST


     
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    I apologize if any of this is already known or not applicable
    to this list, but I found something that disturbs me today
    about Grokster.
    
    While going through my registry today, I noticed the reg entry:
      SOFTWARE\Microsoft\windows\currentversion\run
      "dlder"="C:\winnt\explorer\explorer.exe"
    
    C:\winnt\explorer\ turned out to be a hidden folder, with one
    file "explorer.exe" (31Kb).  So I deleted the entry in the
    registry, PGP-Wiped the directory and EXE file, and rebooted.
    
    Upon rebooting, I noticed a "dlder.exe" hidden executable
    in my C:\winnt\ folder (I don't know if it was there before,
    but I think it was, I just didn't notice it).
    
    After opening up explorer.exe and dlder.exe in an editor
    that displayed them as Hex, I noticed "clicktilluwin",
    which is a (supposedly) optional add-on piece of software
    that comes with Grokster.  I had installed Grokster last
    month and used it once, disliked it, then uninstalled it.
    
    So it worries me that this "click till u win" thing that I
    told Grokster *not* to install, is still hanging around.
    
    Then I called a friend of mine, who verified that he had
    the same reg key and hidden folder/files.  He deleted the
    affected registry keys and bogus "explorer.exe" and "dlder.exe"
    files and rebooted.  Then, he did a fresh install of Grokster,
    specifically telling it *not* to install "clicktilluwin",
    then rebooted, and there the registry keys and hidden files
    appeared again -- seems that "click till u win" is installed
    no matter what you tell Grokster.
    
    I have no clue what these two binaries are doing to my
    system, and it worries me that they might be keyloggers
    (or something malicious).  I attached an email my friend
    sent to me after he did some research into Grokster, and
    now I am even more nervous.  It seems that the information
    he found about the company is completely bogus....
    (Please see attached email)
    
    For more information and copies of the two binaries
    that I found on my system, please go to:
    http://furt.com/grokster/
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBPCuJYcaXTGgZdrSUEQJ0mQCgzDuXQ4JLbEshiHs1UySN3Wt/hOkAoKiv
    SZ6OlPu4ACdHv1V6V3iruLoY
    =XTZ3
    -----END PGP SIGNATURE-----
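
The Run-key entry described in the message can be checked for on other hosts. The following is an added example, not part of the original post: it parses `reg query` output for the Run key and flags the names and paths the post reports, plus any `explorer.exe` that is not directly in the Windows directory. The HKLM hive, the `ExampleTray` value, and all function names are assumptions made for illustration.

```python
import ntpath
import re

# Constructed `reg query` output for the Run key. The HKLM hive and the
# "ExampleTray" value are assumptions; "dlder" is the value quoted in the post.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    "C:\Program Files\Example\tray.exe" /min
    dlder    REG_SZ    C:\winnt\explorer\explorer.exe
"""

# Indicators taken from the post, lower-cased for comparison.
REPORTED_VALUE_NAMES = {"dlder"}
REPORTED_FILES = {r"c:\winnt\explorer\explorer.exe", r"c:\winnt\dlder.exe"}
# Binary names expected directly in the Windows directory, not a subfolder.
SYSTEM_NAMES = {"explorer.exe"}

VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
EXE_PATH = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.exe)\b', re.IGNORECASE)

def parse_run_values(text):
    """Yield (value_name, command_line) for each string value in the output."""
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m and m.group("type") in ("REG_SZ", "REG_EXPAND_SZ"):
            yield m.group("name"), m.group("data").strip()

def executable_of(command):
    """Return the program path of a Run command line, normalised to lower case."""
    m = EXE_PATH.match(command)
    path = (m.group("q") or m.group("u")) if m else command
    return ntpath.normcase(ntpath.normpath(path))

def audit(text, windir=r"C:\winnt"):
    """Return (value_name, path, reasons) for each entry worth a closer look."""
    windir, findings = ntpath.normcase(windir), []
    for name, command in parse_run_values(text):
        exe, reasons = executable_of(command), []
        folder, base = ntpath.split(exe)
        if name.lower() in REPORTED_VALUE_NAMES:
            reasons.append("value name reported in the post")
        if exe in REPORTED_FILES:
            reasons.append("file path reported in the post")
        if base in SYSTEM_NAMES and folder and folder != windir:
            reasons.append("system binary name outside " + windir)
        if reasons:
            findings.append((name, exe, reasons))
    return findings
```

Pass the text of a real `reg query` run to `audit()` and set `windir` to the host's Windows directory; hidden files such as `C:\winnt\dlder.exe` still need a separate directory listing that includes hidden entries.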
    



    This archive was generated by hypermail 2b30 : Thu Dec 27 2001 - 13:44:08 PST