Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: KaZaA = Trojans

  1. #1
    Join Date
    Oct 2001

    KaZaA = Trojans

    Holy crap, KaZaA not only serves up spyware but trojans too.... This isnt such good news for all you KaZaA users out there.... Makes me feel happy to be using an edited version of KaZaA lit [http://www.kazaalite.com] Hah, 'F-Secure reported that the Trojan also opens a security hole on infected systems by downloading and activating executable files.' Heh, Trojans are getting smarter and smarter... If you do use KaZaA search on McAfee for the instructions on removing this nasty trojan

    Taken from here

    Users of popular file-sharing applications may unknowingly be sharing more than just their collections of audio files.

    A Trojan horse program masquerading as an advertising application was included with recent versions of programs BearShare, LimeWire, Kazaa and Grokster. The Trojan, dubbed "W32.Dlder.Trojan" by antiviral companies, is contained within an application called "ClickTillUWin" which promises users a chance to win prizes.

    According to antiviral firm F-Secure, Dlder tracks URLs that users visit and posts them to a website. F-Secure reported that the Trojan also opens a security hole on infected systems by downloading and activating executable files.

    "We were told that this installer just created the icons and shortcuts for the ClickTillUWin promotion," Greg Bildson, chief technical officer at Limewire, said in an e-mail.

    "We rely on Cydoor to deal with our ad deals and bundled software. We assumed that they did their homework on this package but that does not seem to be the case," said Bildson.

    Bob Regular, vice-president of marketing at Cydoor, an advertising company, said he would investigate the ClickTillUWin bundle.

    Regular said that Cydoor's policy is to fully inform users of the functions of any bundled software in the licensing agreements included with installation programs.

    The Trojan file Dlder is installed when users set up the file-sharing applications. After installation, the Trojan downloads a file named "Explorer.exe" from a website, 2001-007.com, and installs the program into a user's system folder.

    The two-part Trojan then creates a startup key for the Explorer.exe file. During next system restart, the Explorer.exe file is activated. From that point on, the Trojan connects to the 2001-007.com website on a regular basis and reports the user's ID and all URLs visited.

    According to the Whois domain registry records, 2001-007.com is registered to a John Casey, of Las Vegas. "Clicktilluwin.com" is registered to Preference Marketing Services, also of Las Vegas. Calls and e-mails to Preference Marketing and Casey have not been returned.

    Many users with ClickTillUWin on their PCs were alerted to Trojan activity by their antiviral application. None of the disgruntled users who posted in various file sharing application user forums recall giving their permission for the ClickTillUWin program to track them.

    Some LimeWire users said ClickTillUWin was installed even after they specified that they didn't want to install the program.

    "If something has fallen through the cracks here it will be corrected immediately," Regular said.

    Some affected users also reported that the Trojan changed their firewall settings to allow itself to access the Internet without permission.

    Other users said the Trojan gained permission to access the Internet through a firewall by requesting permission during the setup procedure for the file-sharing application.

    "When I set up LimeWire, I got several requests from my Zone Alarm firewall for permission for various bits and pieces to access the Internet," said Kevin Carmine, an investment adviser. "I assumed all these requests were legitimate installation issues, but I suspect now that the Trojan may have been in that lineup."

    LimeWire's Bildson said that he originally examined the behavior of the LimeWire installer after receiving what he considered false reports that a different spyware application had been included.

    LimeWire users who were running Ad-aware, an application that purges computers of spyware and advertising applications, claimed they had received notification that the installer contained a spyware program known as Aureate.

    Bildson said that the previous false reports caused him to hesitate when he began receiving reports of a Trojan in the same installer.

    "It is hard to monitor the behavior of bundled software over the life of that software," Bildson said. "Changes can be made on the server after the fact that allow the software to become dangerous. We are looking for safer ways to support our free software installations without the dangers that are always presented by third-party bundled software."

    LimeWire 2.0.2 for the PC is the only version of the program that includes the Trojan, and the company removed it from its site on Tuesday. The LimeWire PRO 2.0.2 version, a paid version of the application that is offered without advertising, is not affected.

    Vincent Falco, chief executive officer of Free Peers, the company that developed BearShare, said that the Trojan only appeared in non-public beta version 7 of BearShare.

    "The purpose of our beta program is not only to find defects with the application, but to find problems exactly like this ClickTillUWin Trojan," Falco said. "The users who try our beta versions are highly technical and understand that these types of problems may be encountered."

    Grokster quickly took the affected installer down as well, and has posted a small program, Trojan-remove, that deletes Dlder from users' machines.

    "We were unaware of what this program did when we added it to our installs, believing it to merely be a free lottery program which looked like it might be attractive to our users," said Henry Wilson, public relations manager for Grokster. "We did not and would not knowingly and deliberately insert a virus into our program install. As soon as we understood the nature of the problem, we removed it...."

    Version 1.3.3. of the Kazaa Media Desktop, downloaded Wednesday from Download.com using a link from the Kazaa website, still contained a copy of ClickTillUWin. Kazaa has not replied to several requests for comment.

    Trojans and spyware perform similar functions, gathering and forwarding personal information from the user's computer, but Trojans activate without a user's permission.

    Given the questions about ClickTillUWin's rather vague install routine, some antiviral companies have dubbed it a Trojan.

    Keith Little, who runs a computer repair service and technical support website, became aware of Dlder after reading forum postings at DSL Reports.com.

    "This thing is written using the methods of a Trojan," Little said. "And whoever wrote it knew exactly what he was doing."

    Little contacted Fastnet, the ISP of the 2001-007.com site on Tuesday and requested that the it be taken offline. Fastnet complied the same day.

    Despite the removal of the site, security experts advise anyone who has installed the affected file sharing applications to scan their computer for Dlder and remove it.

    Little believes that Cydoor and the file-sharing companies share responsibility for what happened.

    "There are major ethical responsibilities that go along with placing software in thousands of people's computers," Little said. "If there's a potential for intrusive or damaging inclusions, as obviously there is, then the software makers and distributors absolutely must implement checks and reviews to prevent them."

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Thanks for the headup, I killed that long ago without questonning myself further since it was eradicated and I also crippled cydoor with an altered dll but feels good to know what was going on...
    [shadow]Scorp666, the Infamous Orgasmatron[/shadow]

  3. #3
    Senior Member
    Join Date
    Aug 2001
    I think those people are sick i think it's some kind of bill gates syndroom
    hip hop rules

  4. #4
    Join Date
    Mar 2002
    It's really messed up when kazza claims to be against the whole spyware thing and that they have "denounced" illegial spyware and trojan use on their servers. Lyas......

  5. #5
    Join Date
    Mar 2002
    I had to learn the hard way, I got some stupid VB script attached to a .MP3 file I downloaded and it turned out to be a virus that changed all my media files into copies of itself. I had to format my computer and I lost a ton of informaiton that I needed.

  6. #6

    Thumbs down

    Thats just evil...... Im happy I have Kazaa Lite as well.


  7. #7
    Join Date
    Sep 2001
    Well spyware is one thing cus atleast you know its there and you have the choice of un-installing it.... but come on replacing explorer.exe is NOT spyware.... i think thst illegal on its own because they dont own explorer.exe....

    Anyway that guy should definately sit in jail for a little while to think about what hes done

    Sometimes im glad i use linux and not have to worry about things like that.... although i dooooo miss my *****peer programs

  8. #8
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001

    Thumbs up

    Installing filesharing software on your computer
    is like going to an orgy without a condom.
    I came in to the world with nothing. I still have most of it.

  9. #9
    Senior Member
    Join Date
    Apr 2002
    I doubt it replaced explorer.exe

    It only put a file named explorer.exe somewhere on the hd...
    [shadow]Scorp666, the Infamous Orgasmatron[/shadow]

  10. #10
    Join Date
    Mar 2002
    Wait a minute.... Kazaa is the reason I got that explorer.exe virus?? GOD DAMN! I hate that thing. it has been annoying me for some time. Btw where can I get this kazaa lite and what does it do?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts