Gnutella Forums  

Go Back   Gnutella Forums > Gnutella News and Gnutelliums Forums > General Gnutella / Gnutella Network Discussion
Register FAQ The Twelve Commandments Members List Calendar Arcade Find the Best VPN Search Today's Posts Mark Forums Read

General Gnutella / Gnutella Network Discussion For general discussion about Gnutella and the Gnutella network.
For discussion about a specific Gnutella client program, please post in one of the client forums above.


Welcome To Gnutella Forums

You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content, fun aspects such as the image caption contest and play in the arcade, and access many other special features after your registration and email confirmation. Registration is fast, simple and absolutely free so please, join our community today! (click here) (Note: we use Yandex mail server so make sure yandex is not on your email filter or blocklist.)

If you have any problems with the Gnutella Forum registration process or your Gnutella Forum account login, please contact us (this is not for program use questions.) Your email address must be legitimate and verified before becoming a full member of the forums. Please be sure to disable any spam filters you may have for our website, so that email messages can reach you.
Note: Any other issue with registration, etc., send a Personal Message (PM) to one of the active Administrators: Lord of the Rings or Birdy.

Once registered but before posting, members MUST READ the FORUM RULES (click here) and members should include System details - help us to help you (click on blue link) in their posts if their problem relates to using the program. Whilst forum helpers are happy to help where they can, without these system details your post might be ignored. And wise to read How to create a New Thread

Thank you

If you are a Spammer click here.
This is not a business advertising forum, all member profiles with business advertising will be banned, all their posts removed. Spamming is illegal in many countries of the world. Guests and search engines cannot view member profiles.



           Deutsch?              Español?                  Français?                   Nederlands?
   Hilfe in Deutsch,   Ayuda en español,   Aide en français et LimeWire en françaisHulp in het Nederlands

Forum Rules

Support Forums

Before you post to one of the specific Client Help and Support Conferences in Gnutella Client Forums please look through other threads and Stickies that may answer your questions. Most problems are not new. The Search function is most useful. Also the red Stickies have answers to the most commonly asked questions. (over 90 percent).
If your problem is not resolved by a search of the forums, please take the next step and post in the appropriate forum. There are many members who will be glad to help.
If you are new to the world of file sharing please do not be shy! Everyone was ‘new’ when they first started.

When posting, please include details for:
Your Operating System ....... Your version of your Gnutella Client (* this is important for helping solve problems) ....... Your Internet connection (56K, Cable, DSL) ....... The exact error message, if one pops up
Any other relevant information that you think may help ....... Try to make your post descriptive, specific, and clear so members can quickly and efficiently help you. To aid helpers in solving download/upload problems, LimeWire and Frostwire users must specify whether they are downloading a torrent file or a file from the Gnutella network.
Members need to supply these details >>> System details - help us to help you (click on blue link)


Moderators

There are senior members on the forums who serve as Moderators. These volunteers keep the board organized and moving.
Moderators are authorized to: (in order of increasing severity)
Move posts to the correct forums. Many times, members post in the wrong forum. These off-topic posts may impede the normal operation of the forum.
Edit posts. Moderators will edit posts that are offensive or break any of the House Rules.
Delete posts. Posts that cannot be edited to comply with the House Rules will be deleted.
Restrict members. This is one of the last punishments before a member is banned. Restrictions may include placing all new posts in a moderation queue or temporarily banning the offender.
Ban members. The most severe punishment. Three or more moderators or administrators must agree to the ban for this action to occur. Banning is reserved for very severe offenses and members who, after many warnings, fail to comply with the House Rules. Banning is permanent. Bans cannot be removed by the moderators and probably won't be removed by the administration.


The Rules

1. Warez, copyright violation, or any other illegal activity may NOT be linked or expressed in any form. Topics discussing techniques for violating these laws and messages containing locations of web sites or other servers hosting illegal content will be silently removed. Multiple offenses will result in consequences. File names are not required to discuss your issues. If filenames are copyright then do not belong on these forums & will be edited out or post removed. Picture sample attachments in posts must not include copyright infringement.

2. Spamming and excessive advertising will not be tolerated. Commercial advertising is not allowed in any form, including using in signatures.

3. There will be no excessive use of profanity in any forum.

4. There will be no racial, ethnic, or gender based insults, or any other personal attacks.

5. Pictures may be attached to posts and signatures if they are not sexually explicit or offensive. Picture sample attachments in posts must not include copyright infringement.

6. Remember to post in the correct forum. Take your time to look at other threads and see where your post will go. If your post is placed in the wrong forum it will be moved by a moderator. There are specific Gnutella Client sections for LimeWire, Phex, FrostWire, BearShare, Gnucleus, Morpheus, and many more. Please choose the correct section for your problem.

7. If you see a post in the wrong forum or in violation of the House Rules, please contact a moderator via Private Message or the "Report this post to a moderator" link at the bottom of every post. Please do not respond directly to the member - a moderator will do what is required.

8. Any impersonation of a forum member in any mode of communication is strictly prohibited and will result in banning.

9. Multiple copies of the same post will not be tolerated. Post your question, comment, or complaint only once. There is no need to express yourself more than once. Duplicate posts will be deleted with little or no warning. Keep in mind a forum censor may temporarily automatically hold up your post, if you do not see your post, do not post again, it will be dealt with by a moderator within a reasonable time. Authors of multiple copies of same post may be dealt with by moderators within their discrete judgment at the time which may result in warning or infraction points, depending on severity as adjudged by the moderators online.

10. Posts should have descriptive topics. Vague titles such as "Help!", "Why?", and the like may not get enough attention to the contents.

11. Do not divulge anyone's personal information in the forum, not even your own. This includes e-mail addresses, IP addresses, age, house address, and any other distinguishing information. Don´t use eMail addresses in your nick. Reiterating, do not post your email address in posts. This is for your own protection.

12. Signatures may be used as long as they are not offensive or sexually explicit or used for commercial advertising. Commercial weblinks cannot be used under any circumstances and will result in an immediate ban.

13. Dual accounts are not allowed. Cannot explain this more simply. Attempts to set up dual accounts will most likely result in a banning of all forum accounts.

14. Video links may only be posted after you have a tally of two forum posts. Video link posting with less than a 2 post tally are considered as spam. Video link posting with less than a 2 post tally are considered as spam.

15. Failure to show that you have read the forum rules may result in forum rules breach infraction points or warnings awarded against you which may later total up to an automatic temporary or permanent ban. Supplying system details is a prerequisite in most cases, particularly with connection or installation issues.

Violation of any of these rules will bring consequences, determined on a case-by-case basis.


Thank You! Thanks for taking the time to read these forum guidelines. We hope your visit is helpful and mutually beneficial to the entire community.


Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old December 30th, 2001
Unregistered
Guest
 
Posts: n/a
Post Trojan hidden in many p2p apps

A trojan called dlder.exe is hidden in a mutlitude of p2p apps.

The most prominent are Kazza and Limewire, Grokster, and the new Bearshare Beta.

It is a hidden part of the ClickTiluWin adware. The people of Limewire and kazza did not even know it was a trojan.

This is a newly discovered trojan, but it has been in distribution for quite some time. Tens of thousands must have been infected.


For more information see the Bearshare forums
http://bearshare.net/forum/showthrea...&threadid=8252

Description which is somewhat incomplete:
The following was obtained from TrendMicro
W32.DlDer.Trojan

TROJ_DLDER.A
(continued from profile page)

In the wild: No
Detection available: December 27, 2001
Detected by pattern file#: 191 or 991
(note about pattern numbering)
Detected by scan engine#: 5.200
Language:
English
Platform: Windows
Encrypted: No
Size of virus: ~31,232 bytes / ~40,960 bytes

Details:
This trojan is a Visual C++ compiled program. Upon execution it drops a file named DLDER.EXE under the %windows% directory. It adds the registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
Dlder=“%windows%\dlder.exe”
HKEY_LOCAL_MACHINE\Software\games\clicktilluwin

After modifying the registry, the trojan connects to the site www.2001-007.comand and provides the user's IP address and default browser. It then sends an incrementing integer that possibly indicates the number of infected computers.

This trojan program is also installed along with two file-sharing programs, Grokster 1.3.3 and LimeWire 2.0.2. Both programs are downloadable from the website http://www.grokster.com. Grokster is downloaded from the *US-site* as SETUP.EXE and LimeWire as LIMEWIREWIN.EXE.

Upon installation of these file-sharing programs, TROJ_DLDER.A is also installed on the computer without the user’s knowledge. Aside from the file DLDER.EXE in the %windows% folder, a hidden folder named "explorer" is also created in the %windows% folder. The hidden folder contains a file named EXPLORER.EXE. The following files are also created:

C:\Program Files\Clicktilluwin\clicktilluwin.htm
C:\Program Files\Clicktilluwin\game.ico
C:\Windows\Start Menu\Programs\Clicktilluwin\clicktilluwin.lnk
C:\Windows\Desktop\Clicktilluwin.lnk


It may also add the registry entry:

HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run:
Dlder = "%windows%\explorer\explorer.exe"
Reply With Quote
  #2 (permalink)  
Old December 30th, 2001
Moak's Avatar
Guest
 
Join Date: September 7th, 2001
Location: Europe
Posts: 816
Moak is flying high
Default

Thanks!

The funny/ironical thing is, if we can rate this funny, those well known Spyware bundler did now loosing total controll over Spyware! More infected users... and hopefully more users which stop to trust in Spyware bundled software.

My conclusion/advice: Use a new virus scanner and fresh updated AdAware in regular distance. Don't trust vendor promises about Spyware or so called 'Adware', get informed. Choose 100% spyware free software.
Reply With Quote
  #3 (permalink)  
Old December 30th, 2001
Unregistered
Guest
 
Posts: n/a
Default

Quote:
Originally posted by Moak
My conclusion/advice: Use a new virus scanner and fresh updated AdAware in regular distance.
Here is another way to deactivate the trojan, along with a description from F-Secure.com:

This two-component trojan was discovered in the end of December 2001. The trojan being installed on a user's system constantly upgrades its main component that connects to 2001-007.com website and reports user's ID, web browser a user is using and all URLs that a web browser and all its child windows open. The trojan violates user's privacy and opens a security hole in a system by downloading and activating executable files.

The main component of the trojan is Explorer.exe file that is located in Windows folder in \Explorer\ subfolder (do not mix with the original Windows' Explorer.exe). This component is constantly upgraded by the second trojan component that has the name 'DlDer.exe' and is located in Windows folder.

The DlDer.exe file is most likely dropped to user's system by ActiveX applet or Javascript code that a user doesn't notice when he is browsing Internet. The exact way how this file is dropped is not yet known. The case is under investigation.

The DlDer.exe file when it is started downloads Explorer.exe file from a website and puts it to \Windows\Explorer\ folder. Then the trojan creates a startup key for Explorer.exe file. On next System restart the Explorer.exe file is activated and it creates a startup key for DlDer.exe file and starts to connect to 2001-007.com website and report user's ID, web browser and all URLs that a user visits to there.

We recommend to delete both trojan components from an infected system. If these components can't be deleted (locked files) they should be deleted from pure DOS (in case of Windows 9x system) or renamed with different extensions (EXA for example) with immediate system restart (in case of Windows NT/2000/XP system).
Reply With Quote
  #4 (permalink)  
Old December 31st, 2001
Connoisseur
 
Join Date: August 9th, 2001
Location: Philadelphia, PA, USA
Posts: 358
cultiv8r is flying high
Default

Just to let people know this isn't some hoax or a falsie:

http://www.antivirus.com/vinfo/virus...e=TROJ_DLDER.A

A free online scanner able to find this trojan is also available from TrendMicro at this URL:

http://housecall.antivirus.com/

Please note that the above's virus scanner's e-mail registraion is OPTIONAL (read the instructions!)

-- Mike
Reply With Quote
  #5 (permalink)  
Old December 31st, 2001
Moak's Avatar
Guest
 
Join Date: September 7th, 2001
Location: Europe
Posts: 816
Moak is flying high
Default

yep, this message is definitely no hoax!
Here is the link to F-Secure: http://www.europe.f-secure.com/v-descs/dlder.shtml
Reply With Quote
  #6 (permalink)  
Old December 31st, 2001
Connoisseur
 
Join Date: August 9th, 2001
Location: Philadelphia, PA, USA
Posts: 358
cultiv8r is flying high
Exclamation How it could be done...

I think I know how this trojan is spread. I don't think the trojan comes installed with P2P clients such as Grokster and LimeWire, since I have had LW 2.0.2 on one of my systems for a little while, and it was clean from this trojan.

I think that the problem starts with a flaw in the Cydoor software (providing the advertisements). Since P2P applications publish their IP address on host caches, one has easy access to all users using software with Cydoor. All you would have to figure out is exactly which client uses Cydoor.

The recent versions of LimeWire uses an "User-Agent:" field in the handshake. The "Pro" version of LimeWire even adds "Pro" to the User-Agent field. So it will be very easy to check if a client is LimeWire with or without Cydoor.

Once the mallicious user or system discovers the user uses Cydoor, the flaw in Cydoor is used to download DLDER and install it. The "Run" is probably part of Cydoor as well, to allow updating of locked files (when Cydoor is downloading an ad or update, it is most likely locking one of its own files as it is active).

The mallicious user(s) probably use DLDER instead of directly injecting a bad EXPLORER.EXE, because Cydoor itself cannot modify do this for security reasons. So the DLDER acts on behalf of Cydoor once it has accessed your system, circumventing Cydoor's security for altering system files. That probably explains why DLDER is used only once as well.

This is just a theory of how it systems might get infected, and I'll forward it to TrendMicro for them to look into.

-- Mike
Reply With Quote
  #7 (permalink)  
Old December 31st, 2001
Novicius
 
Join Date: December 31st, 2001
Posts: 2
ragger is flying high
Default

It is actually in the Limewire installer.
If you start the installer a bunch of files get extracted to your temp directory. One of those files is ctywinstaller.exe, a self extracting rar file that contains the clicktilluwin files including dlder.exe and explorer.exe.
Reply With Quote
  #8 (permalink)  
Old December 31st, 2001
Connoisseur
 
Join Date: August 9th, 2001
Location: Philadelphia, PA, USA
Posts: 358
cultiv8r is flying high
Default

Serious? That's some nasty stuff then.

I must have had a slightly older version of LW then, because I really don't have it on my system after installing it. So it definetely is in LW 2.0.2 though. *sighs* Lovely.
Reply With Quote
  #9 (permalink)  
Old December 31st, 2001
Pallando's Avatar
Illuminator
 
Join Date: October 14th, 2001
Location: Germany
Posts: 47
Pallando is flying high
Default ctyw

So obviosly it´s from the "Clicktiluwin" thing!
Every P2P software this boy is included, the Trojan apperars!
Reply With Quote
  #10 (permalink)  
Old December 31st, 2001
Moak's Avatar
Guest
 
Join Date: September 7th, 2001
Location: Europe
Posts: 816
Moak is flying high
Default

yep, same for Bearshare AFAIK. What is the purpose of "Clicktiluwin"?
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


Similar Threads
Thread Thread Starter Forum Replies Last Post
hidden files joh General Windows Support 1 July 1st, 2005 05:58 PM
hidden downloading? astral_man Windows 4 May 24th, 2005 03:32 PM
Hidden IP Addresses Drumwzrd Open Discussion topics 0 December 27th, 2004 07:28 PM
hidden downloads? Unregistered General Mac Support 2 December 18th, 2001 09:19 AM
Hidden Goodies... Booga Support: General 1 September 20th, 2001 08:16 PM


All times are GMT -7. The time now is 06:30 AM.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
SEO by vBSEO 3.6.0 ©2011, Crawlability, Inc.

Copyright © 2020 Gnutella Forums.
All Rights Reserved.