
Content last changed: May 11, 2002
Last updated: $Date: 2006/07/08 21:46:55 $

Information about the possible Grokster trojan/backdoor.
I do not make any claims to the veracity of this information. This information is only here for archival purposes.


May 11, 2002

The case seems closed

After a few threatening "anonymous" emails (originating from ISPs in Canada -- *hint* *hint*, Canada is where grokster.com was registered -- see below email from Jason), and after seeing how things have gone since December 2001, I think that Grokster (and a few other companies) have wised up and not made their spying so blatantly obvious (if they are even still doing it at all). So for all intents and purposes, I think it's relatively safe to assume that this particular backdoor/trojan has been removed from Grokster.

But I just want to say that from the first moment I noticed the spyware/backdoor being installed on my computer, I have maintained that I *NEVER* agreed to have it installed (and I actually installed Grokster multiple times to verify that the spyware/backdoor was in fact being installed against my wishes, so please don't email me to say that the spyware was optional, because I checked that hypothesis).

But, if you're still paranoid like me, you might have extra peace of mind using "cleaned" file-sharing clients at: http://cleanclients.edot.ch


December 27, 2001

Norton AntiVirus didn't seem to catch it at first

Beware of this trojan.  I did a scan of my computer today
with Norton AntiVirus (which was last LiveUpdated about a week ago)
and it didn't catch anything.  Then I LiveUpdated at 4pm 12/27/01 and
did another scan - still didn't find anything.  Then, only when
I tried to add the infected "explorer.exe" to a zip file, it popped
up a "Virus Alert" box that told me it quarantined the infected
"Trojan Backdoor explorer.exe" file.  (It did nothing when I tried
to add "dlder.exe" to the zip file, which worries me.)

By default, the trojan "explorer.exe" is hidden, and it seems that Norton
skipped over hidden files when doing a full-system scan, so even
if you have an anti-virus program, please verify the configuration
to make sure it scans hidden files, and please also check for 
infected files and registry entries manually.

Update: (Thurs 12/27/2001 8:30 PM)

When I got home, I copied the infected "explorer.exe" file to my
hard drive and then scanned with a freshly LiveUpdated Norton Internet
Security 2002, and it caught it... so I amend that previous paragraph:
Norton has this virus listed as a "Trojan.Backdoor", and caught it
on my home system.


December 27, 2001

Here's the email sent to vuln-dev@securityfocus.com

To: vuln-dev@securityfocus.com
From: 
Date: Thu 12/27/2001 3:50 PM

I apologize if any of this is already known or not applicable
to this list, but I found something that disturbs me today
about Grokster.

While going through my registry today, I noticed the reg entry:
  SOFTWARE\Microsoft\windows\currentversion\run
  "dlder"="C:\winnt\explorer\explorer.exe"

C:\winnt\explorer\ turned out to be a hidden folder, with one
file "explorer.exe" (31 KB).  So I deleted the entry in the
registry, PGP-wiped the directory and EXE file, and rebooted.

Upon rebooting, I noticed a "dlder.exe" hidden executable
in my C:\winnt\ folder (I don't know if it was there before,
but I think it was; I just didn't notice it).

After opening up explorer.exe and dlder.exe in an editor
that displayed them as hex, I noticed "clicktilluwin",
which is a (supposedly) optional add-on piece of software
that comes with Grokster.  I had installed Grokster last
month and used it once, disliked it, then uninstalled it.

So it worries me that this "click till u win" thing that I
told Grokster *not* to install is still hanging around.

Then I called a friend of mine, who verified that he had
the same reg key and hidden folder/files.  He deleted the
affected registry keys and bogus "explorer.exe" and "dlder.exe"
files and rebooted.  Then he did a fresh install of Grokster,
specifically telling it *not* to install "clicktilluwin",
then rebooted, and there the registry keys and hidden files
appeared again -- it seems that "click till u win" is installed
no matter what you tell Grokster.

I have no clue what these two binaries are doing to my
system, and it worries me that they might be keyloggers
(or something malicious).  I attached an email my friend
sent to me after he did some research into Grokster, and
now I am even more nervous.  It seems that the information
he found about the company is completely bogus....
(Please see attached email)

For more information and copies of the two binaries
that I found on my system, please go to:
http://furt.com/grokster/



December 27, 2001

Here's the email I received from detailing what he found out about 'grokster.com':

Thu 12/27/2001 3:36 PM

Read through and you will see why this shady company can't be trusted...

Grokster.com is registered to:

Certified Corporate Services
7891 West Flagler Street 258
Miami, Florida 33144, US
1-310-388-5666

The number is not in service.  I called information (411) and they have no
listings in the area for this company, Grokster, Ltd, or anything similar.
Grokster.com is hosted by tera-byte.com, a company out of Edmonton, Alberta,
Canada.  It looks as though the Florida address is just to have a US mailing
address.  Good idea, considering I wouldn't have touched this crap software
if I had known they were based out of the West Indies.

There are three confirmed incidents where, upon installing the Grokster
client, third-party spyware software was installed.  Regardless of whether you
choose to install the software or not, they are still installing it.  I
don't know how the software chooses what to install, because on both of my
tests I selected NOT to have anything aside from the client installed.  On
each occasion, a separate piece of software was installed.  Upon restarting
my computer, my antivirus software alerted me to a modified explorer.exe
file located on my C drive.  After further inspection, this is what I found.
PAY ATTENTION!!!

Grokster creates a hidden folder in your c:\windows or c:\winnt directory
called "explorer" and places a 31K file called explorer.exe in there.  They
think they are fucking slick... oh oh, maybe they won't notice.  How about
the registry key they add under "Dlder"?  This gets added under "run" and
points to the false explorer.exe file.

When I downloaded their client, I wanted to download music.  I did not ask
that all these shady little changes be made to my computer.  I am
recommending that anyone using this software remove it, along with the files
I mentioned in this e-mail.

Do not delete explorer.exe from your Windows directory, just the one in the
hidden "explorer" folder.  There is also a file called Dlder.exe located in
the Windows directory that can be removed.  The program this file is
associated with is "ClickTillUWin", and I specifically requested this crap
not be installed.

I don't know about you but I'm not going to be using anything from this
company anymore.  Bastards.

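Both emails above describe the same persistence mechanism: a value named "dlder" under the Run key that launches an explorer.exe placed in a hidden "explorer" sub-folder of the Windows directory. The following is an added example, not code from this page or from anyone quoted on it: it screens a registry export (the text produced by "reg export") for exactly those indicators, so a machine can be checked without relying on the antivirus scanning hidden files. The .reg text is a constructed sample modelled on the entry quoted in the vuln-dev email.

```python
import re
from typing import Dict, List

# Constructed sample of a .reg export of the Run key, modelled on the entry
# quoted in the vuln-dev email. Not taken from a real machine: the first value
# is harmless filler, the second is the indicator described on the page.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SomeTray"="C:\\Program Files\\Vendor\\tray.exe"
"dlder"="C:\\winnt\\explorer\\explorer.exe"
"""

# Indicators from the page: the Run value name, and an explorer.exe that is
# launched from a sub-folder named "explorer" instead of the Windows directory.
SUSPECT_VALUE_NAMES = {"dlder"}
BOGUS_EXPLORER_RE = re.compile(r"\\(windows|winnt)\\explorer\\explorer\.exe$", re.I)

RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+\\CurrentVersion\\Run)\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def find_dlder_persistence(reg_text: str) -> List[Dict[str, str]]:
    """Return the Run values in a .reg export that match the DLDER indicators."""
    findings: List[Dict[str, str]] = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = RUN_KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        if line.startswith("["):
            current_key = None  # moved on to a key we do not care about
            continue
        value = VALUE_RE.match(line)
        if current_key is None or not value:
            continue
        name = value.group(1)
        data = value.group(2).replace("\\\\", "\\")  # undo .reg backslash escaping
        reasons = []
        if name.lower() in SUSPECT_VALUE_NAMES:
            reasons.append("Run value named 'dlder'")
        if BOGUS_EXPLORER_RE.search(data):
            reasons.append("explorer.exe started from an 'explorer' sub-folder")
        if reasons:
            findings.append({"key": current_key, "name": name,
                             "data": data, "reason": "; ".join(reasons)})
    return findings
```

Each finding carries the key, value name, launch path and the reason it matched, which is enough to confirm the hidden folder by hand before removing anything.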

December 27, 2001

Information about the domain name that appears in "explorer.exe"

Thu 12/27/2001 9:00 PM

Information about www.2001-007.com (the only domain named
in the "explorer.exe" file) is as follows:

The http://www.2001-007.com/index.asp script is getting passed
such things as User_IP=... and userid=..., which leads me to
believe that it's passing infected computers' IP addresses
and some form of ID to let the script's author access the
infected computers (or perhaps just record some information
about the infected computers).

http://2001-007.com/ gives me "Directory Listing Denied".
When I try to submit a URL with parameters to the script:
http://www.2001-007.com/index.asp?UserURL=GET+/&User_IP=127.0.0.1&userid=127&User_Browser=IE

it prints out a number that keeps getting larger with
each page load (perhaps a record of infected machines?).
When I tried, it gave me #765354.

(I don't know exactly what kind of connection that domain name
has in this mess, but if the domain is in the trojan,
I bet that it has *some* connection, and I'd also bet
that index.asp is collecting information about infected
computers and logging it at 2001-007.com.)

I am now contacting eNom, Inc., Fastnet and Vrinter to alert them
of what's probably going on....

Information on registrant of "2001-007.com":

Organization Name:  John Casey
First Name:         John
Last Name:          Casey
Address 1:          504 North 8th Street
Address 2:
City:               Las Vegas
State/Province:     NV
Postal Code:        89123
Country:            US
Phone:              702-664-3804
Fax:                none
Email Address:      bgmny@mail.com

created-date:                  2001-11-01 13:25:03.0
nameserver:                    NS1.VRINTER.NET
                               NS2.VRINTER.NET
status:                        REGISTRAR-LOCK
updated-date:                  2001-11-01 13:25:06.0
updated-by:                    enom
registrar:                     enom
created-by:                    enom
registration-expiration-date:  2002-11-01 13:25:03.0