A trojan called dlder.exe is hidden in a mutlitude of p2p apps.

The most prominent are Kazza and Limewire, Grokster, and the new Bearshare Beta.

It is a hidden part of the ClickTiluWin adware. The people of Limewire and kazza did not even know it was a trojan.

This is a newly discovered trojan, but it has been in distribution for quite some time. Tens of thousands must have been infected.


For more information see the Bearshare forums
http://bearshare.net/forum/showthrea...&threadid=8252

Description which is somewhat incomplete:
The following was obtained from TrendMicro
W32.DlDer.Trojan

TROJ_DLDER.A
(continued from profile page)

In the wild: No
Detection available: December 27, 2001
Detected by pattern file#: 191 or 991
(note about pattern numbering)
Detected by scan engine#: 5.200
Language:
English
Platform: Windows
Encrypted: No
Size of virus: ~31,232 bytes / ~40,960 bytes

Details:
This trojan is a Visual C++ compiled program. Upon execution it drops a file named DLDER.EXE under the %windows% directory. It adds the registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
Dlder=“%windows%\dlder.exe”
HKEY_LOCAL_MACHINE\Software\games\clicktilluwin

After modifying the registry, the trojan connects to the site www.2001-007.comand and provides the user's IP address and default browser. It then sends an incrementing integer that possibly indicates the number of infected computers.

This trojan program is also installed along with two file-sharing programs, Grokster 1.3.3 and LimeWire 2.0.2. Both programs are downloadable from the website http://www.grokster.com. Grokster is downloaded from the *US-site* as SETUP.EXE and LimeWire as LIMEWIREWIN.EXE.

Upon installation of these file-sharing programs, TROJ_DLDER.A is also installed on the computer without the user’s knowledge. Aside from the file DLDER.EXE in the %windows% folder, a hidden folder named "explorer" is also created in the %windows% folder. The hidden folder contains a file named EXPLORER.EXE. The following files are also created:

C:\Program Files\Clicktilluwin\clicktilluwin.htm
C:\Program Files\Clicktilluwin\game.ico
C:\Windows\Start Menu\Programs\Clicktilluwin\clicktilluwin.lnk
C:\Windows\Desktop\Clicktilluwin.lnk


It may also add the registry entry:

HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run:
Dlder = "%windows%\explorer\explorer.exe"

Thanks!

The funny/ironical thing is, if we can rate this funny, those well known Spyware bundler did now loosing total controll over Spyware! More infected users... and hopefully more users which stop to trust in Spyware bundled software.

My conclusion/advice: Use a new virus scanner and fresh updated AdAware in regular distance. Don't trust vendor promises about Spyware or so called 'Adware', get informed. Choose 100% spyware free software.

Here is another way to deactivate the trojan, along with a description from F-Secure.com:

This two-component trojan was discovered in the end of December 2001. The trojan being installed on a user's system constantly upgrades its main component that connects to 2001-007.com website and reports user's ID, web browser a user is using and all URLs that a web browser and all its child windows open. The trojan violates user's privacy and opens a security hole in a system by downloading and activating executable files.

The main component of the trojan is Explorer.exe file that is located in Windows folder in \Explorer\ subfolder (do not mix with the original Windows' Explorer.exe). This component is constantly upgraded by the second trojan component that has the name 'DlDer.exe' and is located in Windows folder.

The DlDer.exe file is most likely dropped to user's system by ActiveX applet or Javascript code that a user doesn't notice when he is browsing Internet. The exact way how this file is dropped is not yet known. The case is under investigation.

The DlDer.exe file when it is started downloads Explorer.exe file from a website and puts it to \Windows\Explorer\ folder. Then the trojan creates a startup key for Explorer.exe file. On next System restart the Explorer.exe file is activated and it creates a startup key for DlDer.exe file and starts to connect to 2001-007.com website and report user's ID, web browser and all URLs that a user visits to there.

We recommend to delete both trojan components from an infected system. If these components can't be deleted (locked files) they should be deleted from pure DOS (in case of Windows 9x system) or renamed with different extensions (EXA for example) with immediate system restart (in case of Windows NT/2000/XP system).

Just to let people know this isn't some hoax or a falsie:

http://www.antivirus.com/vinfo/virus...e=TROJ_DLDER.A

A free online scanner able to find this trojan is also available from TrendMicro at this URL:

http://housecall.antivirus.com/

Please note that the above's virus scanner's e-mail registraion is OPTIONAL (read the instructions!)

-- Mike

yep, this message is definitely no hoax!
Here is the link to F-Secure: http://www.europe.f-secure.com/v-descs/dlder.shtml

I think I know how this trojan is spread. I don't think the trojan comes installed with P2P clients such as Grokster and LimeWire, since I have had LW 2.0.2 on one of my systems for a little while, and it was clean from this trojan.

I think that the problem starts with a flaw in the Cydoor software (providing the advertisements). Since P2P applications publish their IP address on host caches, one has easy access to all users using software with Cydoor. All you would have to figure out is exactly which client uses Cydoor.

The recent versions of LimeWire uses an "User-Agent:" field in the handshake. The "Pro" version of LimeWire even adds "Pro" to the User-Agent field. So it will be very easy to check if a client is LimeWire with or without Cydoor.

Once the mallicious user or system discovers the user uses Cydoor, the flaw in Cydoor is used to download DLDER and install it. The "Run" is probably part of Cydoor as well, to allow updating of locked files (when Cydoor is downloading an ad or update, it is most likely locking one of its own files as it is active).

The mallicious user(s) probably use DLDER instead of directly injecting a bad EXPLORER.EXE, because Cydoor itself cannot modify do this for security reasons. So the DLDER acts on behalf of Cydoor once it has accessed your system, circumventing Cydoor's security for altering system files. That probably explains why DLDER is used only once as well.

This is just a theory of how it systems might get infected, and I'll forward it to TrendMicro for them to look into.

-- Mike

It is actually in the Limewire installer.
If you start the installer a bunch of files get extracted to your temp directory. One of those files is ctywinstaller.exe, a self extracting rar file that contains the clicktilluwin files including dlder.exe and explorer.exe.

Serious? That's some nasty stuff then.

I must have had a slightly older version of LW then, because I really don't have it on my system after installing it. So it definetely is in LW 2.0.2 though. *sighs* Lovely.

So obviosly it´s from the "Clicktiluwin" thing!
Every P2P software this boy is included, the Trojan apperars!

yep, same for Bearshare AFAIK. What is the purpose of "Clicktiluwin"?