I've attached some of the dumpbin output from the .exe "Explorer.exe". I haven't had a chance to run through all of it yet, maybe someone with more time on their hands can do that ;-) First glance is pretty interesting however, especially in RAW DATA #3.

Regards,
Ken
HBTM :-)

> -----Original Message-----
> From: scott [gts] [mailto:scottat_private]
> Sent: Thursday, December 27, 2001 4:02 PM
> To: vuln-dev
> Subject: Grokster and possible trojan (part 2)
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> This is the email from jasonat_private detailing what he got when he tried to call the company and talk to them about the "click till u win" program.
>
> -----------------------------------------------
> From: jasonat_private
> To: scottat_private
> Date: Thu 12/27/2001 3:36 PM
>
> Grokster.com is registered to:
> Certified Corporate Services
> 7891 West Flagler Street 258
> Miami, Florida 33144, US
> 1-310-388-5666
>
> The number is not in service. I called information (411) and they have no listings in the area for this company, grokster, ltd or anything similar. Grokster.com is hosted by tera-byte.com, a company out of Edmonton, Alberta, Canada. It looks as though the Florida address is just to have a US mailing address. Good idea considering I wouldn't have touched this crap software if I knew they were based out of the West Indies.
>
> There are three confirmed incidents where, upon installing the grokster client, third party spyware software was installed. Regardless of whether you choose to install the software or not, they are still installing it. I don't know how the software chooses what to install because on both of my tests, I selected NOT to have anything aside from the client installed. On each occasion, a separate piece of software was installed. Upon restarting my computer, my antivirus software alerted me to a modified explorer.exe file located on my c drive. After further inspection, this is what I found.
> PAY ATTENTION!!!
>
> Grokster creates a hidden folder in your c:\windows, c:\winnt directory called "explorer" and places a 31K file called explorer.exe in there. They think they are fucking slick... oh oh maybe they won't notice. How about the registry key they add under "Dlder"? This gets added under "run" and points to the false explorer.exe file.
>
> When I downloaded their client, I wanted to download music. I did not ask that all these shady little changes be made to my computer. I am recommending that anyone using this software remove it along with the files I mentioned in this e-mail.
>
> Do not delete explorer.exe from your windows directory, just the one in the hidden "explorer" folder. There is also a file called Dlder.exe that is located in the windows directory that can be removed. The program this file is associated with is "ClickTillUWin" and I specifically requested this crap not be installed.
>
> I don't know about you but I'm not going to be using anything from this company anymore. Bastards.
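The indicators jason lists (a "Dlder" value under the Run key, a hidden `explorer` folder inside the Windows directory holding a second `explorer.exe`, and a `Dlder.exe` dropped in the Windows directory) are easy to check for in a read-only way; the script below is an added example written for this archive page, not code from the thread or from anyone quoted in it. It assumes a modern Windows host with PowerShell (the 2001 machines in the thread would have needed regedit and Explorer instead), the standard HKLM/HKCU Run key paths, and `$env:windir` as the Windows directory; it reports findings and removes nothing.

```powershell
function Test-DlderIndicators {
    param([string]$WinDir = $env:windir)  # assumption: Windows directory
    $findings = @()

    # 1. Autostart value named "Dlder" under the standard Run keys; the
    #    thread says it points at the fake explorer.exe.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        if ($props.PSObject.Properties.Name -contains 'Dlder') {
            $findings += [pscustomobject]@{
                Indicator = 'Run value "Dlder"'
                Location  = $key
                Detail    = $props.Dlder
            }
        }
    }

    # 2. explorer.exe inside a (hidden) "explorer" subfolder of %windir%;
    #    the legitimate explorer.exe lives directly in %windir%.
    $fakeDir = Join-Path $WinDir 'explorer'
    $fakeExe = Join-Path $fakeDir 'explorer.exe'
    if (Test-Path -LiteralPath $fakeExe) {
        $dirAttr = (Get-Item -LiteralPath $fakeDir -Force).Attributes
        $hidden  = ($dirAttr -band [IO.FileAttributes]::Hidden) -ne 0
        $size    = (Get-Item -LiteralPath $fakeExe -Force).Length
        $findings += [pscustomobject]@{
            Indicator = 'explorer.exe in %windir%\explorer'
            Location  = $fakeExe
            Detail    = "size=$size bytes, folder hidden=$hidden"
        }
    }

    # 3. Dlder.exe dropped directly into the Windows directory.
    $dlder = Join-Path $WinDir 'Dlder.exe'
    if (Test-Path -LiteralPath $dlder) {
        $findings += [pscustomobject]@{
            Indicator = 'Dlder.exe in %windir%'
            Location  = $dlder
            Detail    = 'file the thread associates with "ClickTillUWin"'
        }
    }
    return $findings
}

Test-DlderIndicators | Format-Table -AutoSize
```

An empty table means none of the three indicators is present; a hit on the Run value alone is still worth following up, since the thread notes the persistence entry is what launches the second explorer.exe.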
This archive was generated by hypermail 2b30 : Thu Dec 27 2001 - 17:03:02 PST