
Interesting reading regarding Limewire and similar programs...


Steve Sprague

Jan 2, 2002, 8:50:01 PM

Sugien

Jan 2, 2002, 9:38:57 PM

"Steve Sprague" <eae...@yahoo.com> wrote in message
news:a10d6s$ne0ls$1...@ID-92636.news.dfncis.de...
> http://forums.anandtech.com/messageview.cfm?catid=33&threadid=668900&STARTPAGE=1
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.dlder.trojan.html
>
> Anyone have any additional information?
>
> --
> Steve Sprague, MCP
> eAegis - Security Through Information http://www.stormpages.com/eaegis
> alt.comp.anti-virus Charter - http://www.stormpages.com/eaegis/antivirus.htm

Hmmmm, loaded question; because should I choose to give the information out
more than likely I will after giving the asked for info, then be called on
to the carpet and flamed for posting information about virus/malware, I
think I will just sit on my info, well that is if I have any, not saying I
do.


Ron & Ree

Jan 2, 2002, 9:57:09 PM

Gnotella is still clean of ad/spy ware. For those looking for a replacement
Gnutella client.
http://www.gnotella.com/


Auk

Jan 3, 2002, 4:19:32 PM

Sugien

Jan 3, 2002, 4:21:41 PM

"Auk" <au...@mail.com> wrote in message
news:3c34cab7...@newszilla.xs4all.nl...

If you want to use the software but without it reporting home:


Run Optout or another spyware catcher as you would normally use. When it has
found one or more of the dll’s responsible for reporting back to the master,
just hang on before you command it to delete the files!

Many times your favorite programs will refuse to run after they have the
spyware DLL files removed. In fact, I don’t really know of any that will
run. If you have become accustomed to using Cuteftp or GoZilla, and you want
to make a statement, just disable the files they planted in your system! I
will outline the procedure for you below:

Let's attack the Spyware companies first!

We will be using a little helper program included in each version of the
Windows operating systems. It allows you to see all your active connections
to other computers or servers. It’s called Netstat and is primarily a
network tool for system administrators but we will use it to see who is
trying to make a connection with our machine. We want to pay attention to
the machine names, domain names, and port numbers. You can use other port
monitor software to do the same thing as I am about to do, but you don’t
have to bother buying or downloading something that will do what Netstat
does easily and for free.

Step 1

Bring up a DOS window by clicking on your “Start” button and selecting the
“MS-DOS Prompt”. When you have the little blinking command line “c:\windows”,
type: netstat

When it first launches after connecting to the internet and opening a
program or two, you can enter the command again or press the “F3” key to get
an up-to-date reading of current connections on your machine along with
their identity and port numbers.

Press the F3 key and Enter to refresh your screen every so often while you
are going through your normal activities. Keep checking your connections
until you get familiar with it.

Step 2

You can have Netstat create a statistics log in your windows directory to
record activity. Netstat will do this automatically after you give it the
correct commands. Here is what to do.

At the command prompt, type in: netstat >> stat.log

A file named “stat.log” will be created and whatever is on the screen for
connections at that moment will be recorded in the stat file. You can keep a
running tab on what is going on so that later you can have a look for
addresses and connections you will want to block out.

You will be surprised at the connections that are taking place between your
machine and others. You can directly read out the ports and absolute top
level names for each connection including the calls to spyware master
servers and all ads that are requested from remote servers outside of the
domain you requested. These remote connections are the ad banners calling up
your IP and directing your server to go through them when loading up banners
or sending out information about your latest viewing habits.

You’ll see what happens after a little time spent playing around with
Netstat. Do what you want on the net while keeping the Netstat program
running in the background. Press F3 and then command it to update another
entry in the stat log every so often.

Here is where it will get interesting

Step 3

Get your spyware carrier like Cuteftp or Gozilla ready.

Run Netstat and look at your active connections. Then open your Spyware
software. You don’t need to run the program or anything, just as long as it
is opened and you are on the Internet! Now run Netstat again. Look for a new
active connection or two or three. There are a few possibilities so you
might want to open and close your spyware carrying software several times,
while running Netstat after each process.

The connections that you will be looking for will be indicated by the port
number 1975, an unusual port number. Most sites will return a number of “80”
(ftp and telnet connections will say ftp and telnet on the line).

Here is an example of what you may see:

aim3.adsoftware.com aim4.adsoftware.com aim5.adsoftware.com

Now you are ready to put an end to the communication between your machine
and theirs. This part is surprisingly simple. Search your machine for
winsock. It is most likely in your Win directory.

Step 4

Create a text file called Hosts with no extension on it. This file will act
as a mini default Name Server for winsock. Winsock is set up in such a way
that it will only go to your real name server if it can't find what it is
looking for listed in the host file. If you were to create a host file and
add:

127.0.0.1 aim1.adsoftware.com

127.0.0.1 aim2.adsoftware.com

127.0.0.1 aim3.adsoftware.com

127.0.0.1 aim4.adsoftware.com

127.0.0.1 aim5.adsoftware.com

Save the file called “Hosts”, with the data just entered, into the same
directory as your winsock. In this example, Aureate Media doesn’t have its
little spyware beacon turned on so you'll get no ads from them. They don't
even know you’re online!

The information or hosts list you entered will tell your machine to loop the
call for their machine back onto your machine. HaHa. We have cut advertising
for all applications using the Aureate Media plug in (advert.dll). We have
also stopped the application from communicating at all because it is not
turned on! We can do the same thing for advertising banners owned by the big
linking and data mining companies.

All we have to do is to enter their IP address or domain names for the
various servers they use and we have effectively blocked out any advertising
or tracking coming from them. And, as a super bonus, we have increased our
Internet cruising speed because we didn’t have to slow down the page asking
for banners or sending our personal data to them.

This is a great thing about using reversing techniques to our advantage.

Notes:

You will have to check with your local or country laws to decide whether it
is illegal to disable these spyware dll’s. I have heard that certain parts
of the US were not allowed to stop them from gathering this information and
no doubt when this technique becomes popular and everybody knows how to do
it, the lazy buggers running these data collection companies will try to
outlaw this procedure. Just hang in because there are lots of ways to skin a
cat! We are reversers!

For now, you can run the software without having to crack it. The spyware
removers can get rid of the offending dll files they use to track us, but
presently, most programs will not run without them. Remove the file and lose
the program.

Now you know how to Reverse the file and you can still run the software!


--
/}
@###{ ]::::::Dino-Soft Software::::::>
\}
https://www.paypal.com/refer/pal=dinosoft%40adelphia.net
Click on the above for the fastest & safest way to send money
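
An added example, not part of the post above or of any tool it names: it reads a stat.log built with `netstat >> stat.log`, picks out remote hosts contacted on the unusual port the post mentions (1975), and produces the matching `127.0.0.1` hosts lines. The sample log, the `example.org`/`example.net` names, the `192.0.2.15` address and the function names are constructed for illustration; numeric peers, as `netstat -an` prints them, are returned separately because a hosts file only maps names.

```python
import re

# Constructed netstat output, as appended to stat.log over several runs (not a real capture).
SAMPLE_STAT_LOG = """\
Active Connections

  Proto  Local Address     Foreign Address             State
  TCP    mypc:1042         www.example.org:80          ESTABLISHED
  TCP    mypc:1043         aim3.adsoftware.com:1975    ESTABLISHED
  TCP    mypc:1044         AIM4.adsoftware.com:1975    TIME_WAIT
  TCP    mypc:1045         ftp.example.net:ftp         ESTABLISHED
  TCP    mypc:1043         aim3.adsoftware.com:1975    ESTABLISHED
  TCP    mypc:1050         192.0.2.15:1975             SYN_SENT
"""

ROW = re.compile(r"^\s*(?:TCP|UDP)\s+\S+\s+(\S+)")
NUMERIC = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def remote_endpoints(log_text):
    """Yield (host, port) for each connection row; headers and blanks are skipped."""
    for line in log_text.splitlines():
        match = ROW.match(line)
        if match:
            host, sep, port = match.group(1).rpartition(":")
            if sep:
                yield host.lower(), port.lower()


def plan_hosts_block(log_text, suspect_port="1975", already_blocked=()):
    """Return (new hosts lines, numeric addresses a hosts file cannot cover)."""
    blocked = {name.lower() for name in already_blocked}
    names, numeric = [], []
    for host, port in remote_endpoints(log_text):
        if port != suspect_port:
            continue
        bucket = numeric if NUMERIC.match(host) else names
        if host not in blocked and host not in bucket:
            bucket.append(host)
    return [f"127.0.0.1 {name}" for name in names], numeric


if __name__ == "__main__":
    lines, unresolved = plan_hosts_block(SAMPLE_STAT_LOG, already_blocked=["aim4.adsoftware.com"])
    print("\n".join(lines))
    print("numeric peers (need a firewall rule, not a hosts entry):", unresolved)
```
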


Auk

Jan 3, 2002, 6:00:51 PM

On Thu, 03 Jan 2002 21:21:41 GMT, "Sugien" <dino...@adelphia.net>
wrote:

>"Auk" <au...@mail.com> wrote in message
>news:3c34cab7...@newszilla.xs4all.nl...

>> http://www.wired.com/news/privacy/0,1848,49430,00.html

>If you want to use the software but without it reporting home:
>Run Optout or another spyware catcher as you would normally use.

If you mean Optout from Gibson Research :
"All copies of our OptOut program have now expired and OptOut is not
being renewed"

You can try Ad-aware (www.lavasoft.de) but it does not yet detect all
spyware-components that are included in Limewire.

>Many times your favorite programs will refuse to run after they have the
>spyware DLL files removed. In fact, I don’t really know of any that will
>run.

Limewire will run without the spyware. On their website they say they
have removed the DLDER trojan - the latest version 2.04 should be
trojan-free. It does however contain other spyware (including some
stuff that does pretty much the same as the trojan, but at least
you're warned for that when you install Limewire - read the
agreement!). You can choose not to install these components
(Offercompanion, Gator and Toptext). It will then still install Cydoor
spyware, but afaik you can uninstall that.

Auk

A Fake Name

Jan 3, 2002, 6:42:17 PM

The biggest problem with ClickTillUWin was that the trojan was getting
installed even if you clicked on "No" to the installation question.

Jim Box

Jan 4, 2002, 4:25:34 AM

"Sugien" <dino...@adelphia.net> wrote in message
news:FX3Z7.4196$sK3.4...@news2.news.adelphia.net...

Hi there, I use Gozilla 3.9 all the time and after removing the offending
spyware using Ad-aware 5.62 from lavasoft.com Gozilla works just fine! The
Zipzilla module won't though without the spyware as you suggested above, so
I just disabled it and use Winzip instead.

Thanks for the Netstat info, any idea how to stop the ads coming through in
Morpheus? www.musiccity.com, it's almost identical to Kazaa but has no
spyware, just the infuriating ads. Some are being blocked by ZoneAlarm plus
using a Pop-up stopper, but others come through (Matchmaking Ad) and
sometimes on closing the window, I get an Iexplore has caused a GPF in
module (unknown) and I have to reboot! Pain in the a**e!

Help if possible please

Jim
remove NOSPAM to reply


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.313 / Virus Database: 174 - Release Date: 02/01/02


Auk

Jan 4, 2002, 10:16:34 AM
On Thu, 3 Jan 2002 17:42:17 -0600, "A Fake Name"
<afak...@afakename.net> wrote:

>The biggest problem with ClickTillUWin was that the trojan was getting
>installed even if you clicked on "No" to the installation question.

I was talking about the other spyware. You get a screen that asks if
you want to install Gator software, and if you accept the agreement to
install Toptext....

Concerning win32.dlder - it gets installed, no questions asked (when
you install Limewire).

Auk

taharka

Jan 5, 2002, 1:02:41 AM

"Sugien" <dino...@adelphia.net> wrote in message
news:FX3Z7.4196$sK3.4...@news2.news.adelphia.net...
>

The command "netstat -an" without the quotes, yields more detailed results.

Chaos

Jan 6, 2002, 11:31:16 PM

Greetings.. Sugien,


"Sugien" <dino...@adelphia.net> wrote in message
news:FX3Z7.4196$sK3.4...@news2.news.adelphia.net...
>

> If you want to use the software but without it reporting home:
>
> Run Optout or another spyware catcher as you would normally use. When it has
> found one or more of the dll’s responsible for reporting back to the master,
> just hang on before you command it to delete the files!
>
> Many times your favorite programs will refuse to run after they have the
> spyware DLL files removed. In fact, I don’t really know of any that will
> run. If you have become accustomed to using Cuteftp or GoZilla, and you want
> to make a statement, just disable the files they planted in your system! I
> will outline the procedure for you below:
>
> Lets attack the Spyware companies first!

> Now you know how to Reverse the file and you can still run the software!

Thank you very much for that very useful bit of info. I'll be putting that
into effect here tonight. ;-

From a newly converted fellow.. reverser!

---
Outgoing mail is certified Virus Free. Please remove 'VIRUS' to reply.


Checked by AVG anti-virus system (http://www.grisoft.com).

Version: 6.0.313 / Virus Database: 174 - Release Date: 1/2/02


Sugien

Jan 7, 2002, 11:45:22 AM

"Chaos" <serg...@VIRUS-pacbell.net> wrote in message
news:ow9_7.26135$y14.2185256194@newssvr14.news.prodigy.com...

Thank you, I see some liked it even if some others considered it too long to
post here
