p2p Trojan info
 A trojan called dlder.exe is hidden in a multitude of p2p apps.
 The most prominent are Kazaa and Limewire, Grokster, and the new Bearshare Beta.
 
 It is a hidden part of the ClickTillUWin adware. The people of Limewire and Kazaa and Bearshare did not even know it was a trojan.
 
 This is a newly discovered trojan, but it has been in distribution for quite some time. Tens of thousands must have been infected.
 
 
 For more information see the Bearshare forums
 
 
 Description which is somewhat incomplete:
 The following was obtained from TrendMicro
 W32.DlDer.Trojan
 
 TROJ_DLDER.A
 
 In the wild: No
 Detection available: December 27, 2001
 Detected by pattern file#: 191 or 991
 Detected by scan engine#: 5.200
 Language: English
 Platform: Windows
 Encrypted: No
 Size of virus: ~31,232 bytes / ~40,960 bytes
 
 Details:
 This trojan is a Visual C++ compiled program. Upon execution it drops a file named DLDER.EXE under the %windows% directory. It adds the registry entries:
 
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
 Dlder="%windows%\dlder.exe"
 HKEY_LOCAL_MACHINE\Software\games\clicktilluwin
 
 After modifying the registry, the trojan connects to the site  and provides the user's IP address and default browser. It then sends an incrementing integer that possibly indicates the number of infected computers.
 
 This trojan program is also installed along with two file-sharing programs, Grokster 1.3.3 and LimeWire 2.0.2. Both programs are downloadable from the website  Grokster is downloaded from the *US-site* as SETUP.EXE and LimeWire as LIMEWIREWIN.EXE.
 
 Upon installation of these file-sharing programs, TROJ_DLDER.A is also installed on the computer without the user’s knowledge. Aside from the file DLDER.EXE in the %windows% folder, a hidden folder named "explorer" is also created in the %windows% folder. The hidden folder contains a file named EXPLORER.EXE. The following files are also created:
 
 C:\Program Files\Clicktilluwin\clicktilluwin.htm
 C:\Program Files\Clicktilluwin\game.ico
 C:\Windows\Start Menu\Programs\Clicktilluwin\clicktilluwin.lnk
 C:\Windows\Desktop\Clicktilluwin.lnk
 
 
 It may also add the registry entry:
 
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
 Dlder="%windows%\explorer\explorer.exe"
   Last edited by 6_pac; January 31st, 2008 at 11:37 PM.
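
A triage check for the indicators listed in the TrendMicro description above, added here as an example; it is not part of the original post or of any TrendMicro tool. It assumes registry data saved as `reg query` text output and a plain file listing; the function names, the default Windows directory and the sample input are constructed for illustration.

```python
import re
# Indicators from the TrendMicro text quoted above; %windows% = Windows directory.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
ADWARE_KEY = r"HKEY_LOCAL_MACHINE\Software\games\clicktilluwin"
RUN_TARGETS = [r"%windows%\dlder.exe", r"%windows%\explorer\explorer.exe"]
FILES = RUN_TARGETS + [
    r"C:\Program Files\Clicktilluwin\clicktilluwin.htm",
    r"C:\Program Files\Clicktilluwin\game.ico",
    r"C:\Windows\Start Menu\Programs\Clicktilluwin\clicktilluwin.lnk",
    r"C:\Windows\Desktop\Clicktilluwin.lnk",
]
VALUE_LINE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def norm(path, windir):
    """Lower-case, drop quotes, expand %windows% to the real directory."""
    p = path.strip().strip('"').lower()
    return p.replace("%windows%", windir.lower().rstrip("\\"))

def parse_reg_query(text):
    """Turn `reg query` text output into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif m and current is not None:
            current[m.group(1).lower()] = m.group(3)
    return keys

def scan(reg_text, file_listing, windir=r"C:\WINDOWS"):
    """Return sorted findings; paths are compared in full, not by file name."""
    keys, found = parse_reg_query(reg_text), set()
    targets = {norm(t, windir) for t in RUN_TARGETS}
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name == "dlder" or norm(data, windir) in targets:
            found.add(f"run-value:{name}={norm(data, windir)}")
    if ADWARE_KEY.lower() in keys:
        found.add("key:" + ADWARE_KEY.lower())
    bad_files = {norm(f, windir) for f in FILES}
    found |= {"file:" + norm(p, windir) for p in file_listing
              if norm(p, windir) in bad_files}
    return sorted(found)

# Constructed sample input (not captured from a real machine).
SAMPLE_REG = r'''
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    Dlder    REG_SZ    "C:\WINDOWS\explorer\explorer.exe"
HKEY_LOCAL_MACHINE\Software\games\clicktilluwin
'''
SAMPLE_FILES = [r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\Explorer\EXPLORER.EXE"]
```

Matching on the full path matters here: the legitimate shell lives at `%windows%\explorer.exe`, while the description places the dropped copy one level down in the hidden `explorer` folder.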