Content last changed: May 11, 2002<br>
Last updated: $Date: 2006/07/08 21:46:55 $<br>
<p>

<em>Information about the possible Grokster trojan/backdoor.
<br>
I do not make any claims to the veracity of this information.
This information is only here for archival purposes.
</em>
<hr>

<h3>Relevant Links:</h3>
<ul>
<LI>(05/11/2002)  <a href="#done">The case seems closed</A><BR>
<LI>(12/27/2001 9:00 PM)  <a href="#webinfo">Information about the domain name that appears in "explorer.exe"</A><BR>
<LI>(12/27/2001 5:00 PM) <A HREF="#norton">Norton anti-virus didnt catch it at first</A><BR>
<LI>(12/27/2001 3:50 PM)  <A HREF="#vulndev">Scott's email to vuln-dev</A><BR>
<LI>(12/27/2001 3:36 PM)  <a href="#jason">Jason showing his research on 'grokster.com'</A><BR>
<LI><a href="./files.zip">Zip file of infected "explorer.exe" and "dlder.exe"</A><BR>
</ul
<p>
<hr>

<a name="done"></a>
<h3>May 11, 2002</h3>
	<B>The case seems closed</B>
	<P>

	<span class=alert>
	After a few threatening "anonymous" emails (originating
	from ISP's in canada -- *hint* *hint*, canada is where grokster.com was registered -- 
	<a href="#jason">see below email from Jason</a>), and after seeing how 
	things have gone since December 2001,
	i think that grokster (and a few other companies) have wised up and not made
	their spying so blatanly obvious (if they are even still doing 
	it at all).  So for all intents and purposes, i think it's relatively
	safe to assume that this particular backdoor/trojan has been
	removed from Grokster.
	</span>
	<P>

	But i just want to say that from the first moment i noticed the spyware/backdoor
	being installed to my computer, i have maintained that i *NEVER* agreed to have it installed
	(and actually installed grokster multiple times to verify that the
	spyware/backdoor was in fact being installed against my wishes, so
	please don't email me to say that the spyware was optional, becuase
	i checked that hypothesis)
	<P>

	But, if you're still paranoid like me, you might have extra piece of mind
	using "cleaned" file-sharing clients at:
	<a target="new" href="http://cleanclients.edot.ch/">http://cleanclients.edot.ch</a>

<P><HR>

<a name="norton"></a>
<h3>December 27, 2001</h3>
<p>

<B>Norton AntiVirus didnt seem to catch it at first</B>
<PRE>
Beware of this trojan.  I did a scan of my computer today
with Norton Anti-Virus (which was last LiveUpdated about a week ago)
and it didnt catch anything.  Then i LiveUpdated at 4pm 12/27/01 and 
did another scan - still didnt find anything.  Then, only when
i tried to add the infected "explorer.exe" to a zip file, it popped 
up a "Virus Alert" box that told me it quarantined the infected 
"Trojan Backdoor explorer.exe" file.  (It did nothing when i tried 
to add "dlder.exe" to the zip file, which worries me).

By default, the trojan "explorer.exe" is hidden, and it seems that Norton
skipped over hidden files when doing a full-system scan, so even
if you have an anti-virus program, please verify the configuration
to make sure it scans hidden files, and please also check for 
infected files and registry entries manually.

Update: (Thurs 12/27/2001 8:30 PM)

When i got home, i copied the infected "explorer.exe" file to my
harddrive and then scanned with a freshly-liveupdated Norton Internet
Security 2002, and it caught it... so i amend that previous paragraph,
norton has this virus listed as a "Trojan.Backdoor", and caught it
on my home system.
</PRE>





<p><HR>
<a name="vulndev"></a>
<h3>December 27, 2001</h3>
<p>

<B>Here's the email sent to vuln-dev@securityfocus.com</B><BR>
<pre>
To: vuln-dev@securityfocus.com
From: <br />
<b>Fatal error</b>:  Call to a member function email() on a non-object in <b>/home/shurring/hurring/archive/grokster/index.php</b> on line <b>100</b><br />