#44
January 4th, 2002
Unregistered (Guest)
Limewire installs Trojan!!!

Those *******s of Limewire install a Trojan in your computer!!!
Information below taken from Symantec:

W32.DlDer.Trojan
Discovered on: December 27, 2001
Last Updated on: January 2, 2002 at 12:46:44 PM PST


W32.DlDer.Trojan is a Trojan which has two components that work together: Dlder.exe (40,960 bytes) and Explorer.exe (31,232 bytes), which is downloaded by Dlder.exe.

NOTE: Definitions dated before December 29, 2001, detect this as Backdoor.Trojan.


Also Known As: Trojan.Win32.DlDer

Type: Trojan Horse

Virus Definitions: December 29, 2001

Threat Assessment:

Wild: Low
Damage: Low
Distribution: Low



Technical description:

This Trojan is known to be installed (as part of the normal installation) by two "freeware" file-sharing programs:

Grokster, which is a file sharing system.
Limeware, which is the LimeWire Gnutella Client.

During the installation process of these programs, you are asked if you want to install the (spyware) program "Clicktilluwin." Regardless of whether you click Yes or No, the Trojan code is installed.

This Trojan has two components:
Explorer.exe, which is the main Trojan.
Dlder.exe, which is the downloader for Explorer.exe.

The Trojan creates the hidden folder \Explorer in the \Windows folder, and then downloads Explorer.exe to that folder. The Trojan also copies Dlder.exe to the \Windows folder.

NOTE: Do not confuse the Trojan, which is copied as \Windows\Explorer\Explorer.exe, with the real Windows Explorer file, which is also named Explorer.exe. The genuine file is, by default, stored in the \Windows folder, not the \Windows\Explorer\ folder. The Trojan creates the \Explorer folder under the Windows folder, and places the Trojan there.

The Trojan also adds one of the following values:

dlder C:\windows\explorer\Explorer.exe

dlder C:\windows\dlder.exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that it runs each time that you start Windows.

The Trojan appears to be sending some information (such as User-ID and IP address) to the following URL:

http:/ /www.2001-007.com


Removal instructions:

To remove this Trojan, delete files that are detected as W32.DlDer.Trojan, and remove the value that it added to the registry.

To remove the Trojan:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.DlDer.Trojan.

To edit the registry:

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete any of the following values that exist:

dlder C:\windows\explorer\Explorer.exe

dlder C:\windows\dlder.exe

5. Navigate to and delete the following subkey:

HKEY_LOCAL_MACHINE\Software\Games\Clicktilluwin

6. Click Registry, and then click Exit.
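
An added example, not part of the original post or of the quoted Symantec text: a read-only check that scans a regedit text export for the registry indicators listed above without flagging the genuine \Windows\Explorer.exe. It assumes the listed Run entries are a value named `dlder` whose data is the path, and that the export has already been read into a string; `parse_reg`, `find_dlder` and the sample export are hypothetical names and constructed data.

```python
import re

# Indicators from the advisory quoted above; matching is case-insensitive.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run".lower()
GAMES_KEY = r"HKEY_LOCAL_MACHINE\Software\Games\Clicktilluwin".lower()
BAD_PATHS = {r"c:\windows\explorer\explorer.exe", r"c:\windows\dlder.exe"}
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse regedit export text into {key: {value_name: string_data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes with a backslash.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = data
    return keys

def find_dlder(reg_text):
    """Return (key, detail) findings; an empty list means no indicator matched."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        if k == RUN_KEY:
            for name, data in values.items():
                # Flag the "dlder" value name or either path it may point to.
                # C:\Windows\Explorer.exe (the genuine shell) is not in BAD_PATHS.
                if name.lower() == "dlder" or data.strip('"').lower() in BAD_PATHS:
                    findings.append((key, f"{name} = {data}"))
        elif k == GAMES_KEY or k.startswith(GAMES_KEY + "\\"):
            findings.append((key, "subkey present"))
    return findings

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Shell"="C:\\WINDOWS\\Explorer.exe"
"dlder"="C:\\WINDOWS\\Explorer\\Explorer.exe"

[HKEY_LOCAL_MACHINE\Software\Games\Clicktilluwin]
"Installed"="1"
'''

if __name__ == "__main__":
    for key, detail in find_dlder(SAMPLE):
        print(f"{key}: {detail}")
```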