Gnutella Forums > General Gnutella / Gnutella Network Discussion

Posted December 31st, 2001 by cultiv8r (Connoisseur; Join Date: August 9th, 2001; Location: Philadelphia, PA, USA; Posts: 358)

How it could be done...

I think I know how this trojan is spread. I don't think the trojan comes installed with P2P clients such as Grokster and LimeWire, since I have had LW 2.0.2 on one of my systems for a little while, and it was clean from this trojan.

I think that the problem starts with a flaw in the Cydoor software (providing the advertisements). Since P2P applications publish their IP address on host caches, one has easy access to all users using software with Cydoor. All you would have to figure out is exactly which client uses Cydoor.

The recent versions of LimeWire use a "User-Agent:" field in the handshake. The "Pro" version of LimeWire even adds "Pro" to the User-Agent field. So it will be very easy to check if a client is LimeWire with or without Cydoor.

Once the malicious user or system discovers that the user uses Cydoor, the flaw in Cydoor is used to download DLDER and install it. The "Run" is probably part of Cydoor as well, to allow updating of locked files (when Cydoor is downloading an ad or update, it is most likely locking one of its own files as it is active).

The malicious user(s) probably use DLDER instead of directly injecting a bad EXPLORER.EXE, because Cydoor itself cannot do this for security reasons. So the DLDER acts on behalf of Cydoor once it has accessed your system, circumventing Cydoor's security for altering system files. That probably explains why DLDER is used only once as well.

This is just a theory of how systems might get infected, and I'll forward it to TrendMicro for them to look into.

-- Mike
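The User-Agent check Mike describes is possible because the Gnutella 0.6 handshake carries HTTP-style header lines before the blank line that ends it. As an added example that is not part of the original post or of any Gnutella client's code, here is a small Python parser that a network administrator could run over captured handshakes to inventory which clients (and whether the "Pro" build) are connecting from their own network, which is the defender's use of the same exposure the post points out. The sample handshake strings are constructed for the example; the client name "OtherClient" is a placeholder, not a real product.

```python
import re

# Constructed sample handshakes modelled on the Gnutella 0.6 connect format
# (status line, HTTP-style headers, blank line). Not captured from real peers.
SAMPLE_HANDSHAKES = [
    "GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire/2.0.2\r\nX-Ultrapeer: False\r\n\r\n",
    "GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire Pro/2.0.2\r\n\r\n",
    "GNUTELLA CONNECT/0.6\r\nX-Ultrapeer: True\r\n\r\n",          # no User-Agent at all
    "GNUTELLA/0.6 200 OK\r\nUser-Agent: OtherClient 1.0\r\n\r\n",  # placeholder client name
]


def parse_handshake(raw):
    """Split a Gnutella 0.6 handshake into its status line and a header dict.

    Header names are case-insensitive, so they are lower-cased on the way in.
    Anything after the first blank line (payload) is ignored.
    """
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines rather than crashing on them
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_client(raw):
    """Return (client_name, is_pro) from the User-Agent header.

    Returns (None, False) when the peer sent no User-Agent, which older
    clients do not; the absence itself is worth recording in an inventory.
    """
    _, headers = parse_handshake(raw)
    ua = headers.get("user-agent")
    if ua is None:
        return None, False
    # Product token is the text before the version, separated by "/" or a space.
    m = re.match(r"([A-Za-z][A-Za-z ]*?)\s*(?:/|\s)\s*\d", ua)
    name = m.group(1).strip() if m else ua
    is_pro = name.lower().endswith(" pro")
    if is_pro:
        name = name[:-4].strip()  # drop the trailing " Pro" token
    return name, is_pro


def inventory(handshakes):
    """Count peers by (client_name, is_pro), as a monitor would for a report."""
    counts = {}
    for hs in handshakes:
        key = classify_client(hs)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(inventory(SAMPLE_HANDSHAKES).items(), key=str):
        print(key, n)
```

The parser deliberately tolerates missing or malformed header lines, because a monitor fed live traffic will see peers that send nothing useful, and a crash there would blind the inventory exactly when it matters.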