Results 1 to 4 of 4
Jan 3, 2002, 23:55 #1
- Join Date
- Feb 2001
- 0 Post(s)
- 0 Thread(s)
Music Sharing Programs Share Advertiser's 'Trojan'
Music Sharing Programs Share Advertiser's 'Trojan' Spyware
By Steven Bonisteel, Newsbytes
NEW YORK, NEW YORK, U.S.A.,
03 Jan 2002, 9:33 AM CST
"Spyware" - software that can secretly collect data about an individual's use of their PC - has been a controversial issue for companies as large as Microsoft Corp. But a mysterious outfit that may be located in Las Vegas could be the first to have its software branded as a malicious Trojan by anti-virus companies.
Many users of peer-to-peer file sharing software, including the Gnutella gateways LimeWire and BearShare and the FastTrack-based Grokster and Kazaa, are learning this week that promotional software bundled with their applications appeared to be reporting their online activities to a Web site registered to a man with a Las Vegas address.
Anti-virus firms such as Symantec and F-Secure say that software that was billed as installing desktop shortcuts for a promotion called ClickTillUWin also secretly installed a Trojan program that later downloaded and installed additional software - the actual spyware - from a remote Web server.
Some anti-virus software, such as Symantec's Norton AntiVirus were reporting labeling the ClickTillUWin software as "Backdoor.Trojan" before Dec. 29, when the security companies began updating their virus definitions to give the strange code its own moniker: DlDer.
F-Secure said that DlDer is a two-fisted Trojan that begins with the installation of the file "dlder.exe" - an installation that can occur even if the unwitting user says "No" to a prompt requesting permission to add the ClickTillUWin shortcuts.
The company said dlder.exe then downloads the file "explorer.exe" from a Web site and places it in a hidden folder under what would usually be the \Windows directory. A copy of dlder.exe is also placed in the \Windows directory.
Symantec said the rogue software then adds an entry to the Windows registry to ensure that it is started again the next time the PC is restarted.
When run, Symantec said, the software connected to a Web site at the address www.2001-007.com, which has since been shut down by the ISP.
One Grokster user who analyzed the contents of explorer.exe reported that the software appeared to be reporting the Internet protocol (IP) address of the user's computer, a user ID, and data signifying the kind of Web browser they use.
F-Secure said the software also appeared to forward to 2001-007.com all the URLs that a user visits.
LimeWire says the Trojan was found in the installer for release 2.0.2 of the free version of its software. A new beta version of the software without the promotional software was made available and a new 2.0.3 release is expected soon,
The company said the problem did not affect its LimeWire 2.0.2 Pro, which is available without advertising for a fee.
Grokster apologized to its users and offered a Trojan removal tool on its own Web site.
The Grokster team also said in a letter to users that it had no idea what was in the ClickTillUWin bundle.
"We are normally given an installer from the advertiser which we run during the installation of Grokster," the company said. "We have no access to the source code of these third-party installers and so we rely on what our advertisers say these programs do. To the best of our knowledge, this particular advertiser simply placed a link to a free online lottery on the desktop."
The company that provided the installation bundle, Israel-based Cydoor, has yet to explain the source of the Trojan.
The Internet domain 2001-007.com is registered under the name of John Casey of Las Vegas.