Here's the write-up on TROJ_DLDER.A
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLDER.A&VSect=T

(Nice job Tamir :)

> -----Original Message-----
> From: Markus Kern [mailto:markus-kernat_private]
> Sent: Sunday, December 30, 2001 11:38 AM
> To: yankerat_private
> Cc: vuln-devat_private
> Subject: Re: Grokster and your email
>
>
> > I too got burned by Grokster, and removed it.
> > After removal, the dlder.exe program, and the
> > C:Program Files/Grokster/DB folder remained,
> > with 2 .dbb files. I opened them, and found one of
> > them had many, if not all, of my emails from my
> > Outlook Express Inbox mixed in with what I had
> > downloaded.
>
> I noticed similar behaviour with Kazaa, e.g. source code snippets in
> partially downloaded files. Since it doesn't make much sense to
> interleave personal data with stuff you download I've come up with the
> following explanation (much guesswork):
>
> Kazaa (and probably Grokster too) can download parts of files
> simultaneously from different sources. In order to do this it maps the
> local destination file to memory (using MapViewOfFile() or a similar
> function) and writes the downloaded file snippets at the offset in
> memory they belong. Until the entire file is downloaded there are
> parts that have never been written to by the application.
> Windows seems not to zero those parts and they still contain old data from
> physical RAM, the swapfile or the disk.
>
> The .dbb files you mention are probably databases which are also good
> candidates for file mapping.
>
> > I don't know if my firewall stopped
> > them from getting this information, but it is not
> > something you want to see. Time for Netscape.
>
> I don't think the software attempted to send anything.
> It just failed to zero the file before using it which isn't much of a
> problem and would've just decreased performance.
>
> regards
> Markus
>
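Added example (not part of the original thread, and not Kazaa's or Grokster's code): a Python model of the explanation guessed at in the quoted message, where chunks are written at their offsets through a file mapping and the ranges never written keep whatever the file held before. The stale content, sizes and function names are constructed for illustration; pre-zeroing the destination is shown as the fix, and the audit function counts non-zero bytes in unwritten ranges.

```python
import mmap
import os
import tempfile

# Constructed stand-in for leftover data (contains no NUL bytes).
STALE = b"From: alice@example.test\r\nSubject: private\r\n"

def gaps(size, written):
    """Return [start, end) ranges of the file that no chunk has covered."""
    out, pos = [], 0
    for start, end in sorted(written):
        if start > pos:
            out.append((pos, start))
        pos = max(pos, end)
    if pos < size:
        out.append((pos, size))
    return out

def write_chunks(path, size, chunks, zero_first):
    """Write (offset, data) chunks through a file mapping; return written ranges."""
    with open(path, "r+b") as f:
        if zero_first:
            f.truncate(0)      # discard the old contents first
        f.truncate(size)       # re-extended area reads back as zeros on most systems
        with mmap.mmap(f.fileno(), size) as m:
            for off, data in chunks:
                m[off:off + len(data)] = data
            m.flush()
    return [(off, off + len(data)) for off, data in chunks]

def leaked_bytes(path, size, written):
    """Count non-zero bytes inside ranges the downloader never wrote."""
    with open(path, "rb") as f:
        blob = f.read()
    return sum((e - s) - blob[s:e].count(0) for s, e in gaps(size, written))

def demo(zero_first):
    """Model a reused destination file that still holds old content."""
    size = 4096
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write((STALE * (size // len(STALE) + 1))[:size])
        chunks = [(0, b"A" * 512), (2048, b"B" * 512)]  # two sources, two offsets
        written = write_chunks(path, size, chunks, zero_first)
        return gaps(size, written), leaked_bytes(path, size, written)
    finally:
        os.remove(path)
```

`demo(False)` reports stale bytes in both unwritten ranges, while `demo(True)` reports none; the same `leaked_bytes` check can be pointed at any partial file whose written ranges are known.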
This archive was generated by hypermail 2b30 : Sun Dec 30 2001 - 12:56:21 PST