Gnutella Forums  

Trojan hidden in many p2p apps
December 30th, 2001
Unregistered (Guest)

A trojan called dlder.exe is hidden in a multitude of p2p apps.

The most prominent are Kazaa and LimeWire, Grokster, and the new BearShare Beta.

It is a hidden part of the ClickTillUWin adware. The people of LimeWire and Kazaa did not even know it was a trojan.

This is a newly discovered trojan, but it has been in distribution for quite some time. Tens of thousands must have been infected.


For more information see the BearShare forums:
http://bearshare.net/forum/showthrea...&threadid=8252

Description which is somewhat incomplete:
The following was obtained from TrendMicro
W32.DlDer.Trojan

TROJ_DLDER.A

In the wild: No
Detection available: December 27, 2001
Detected by pattern file#: 191 or 991
Detected by scan engine#: 5.200
Language: English
Platform: Windows
Encrypted: No
Size of virus: ~31,232 bytes / ~40,960 bytes

Details:
This trojan is a Visual C++ compiled program. Upon execution it drops a file named DLDER.EXE under the %windows% directory. It adds the registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Dlder="%windows%\dlder.exe"
HKEY_LOCAL_MACHINE\Software\games\clicktilluwin

After modifying the registry, the trojan connects to the site www.2001-007.com and provides the user's IP address and default browser. It then sends an incrementing integer that possibly indicates the number of infected computers.

This trojan program is also installed along with two file-sharing programs, Grokster 1.3.3 and LimeWire 2.0.2. Both programs are downloadable from the website http://www.grokster.com. Grokster is downloaded from the *US-site* as SETUP.EXE and LimeWire as LIMEWIREWIN.EXE.

Upon installation of these file-sharing programs, TROJ_DLDER.A is also installed on the computer without the user’s knowledge. Aside from the file DLDER.EXE in the %windows% folder, a hidden folder named "explorer" is also created in the %windows% folder. The hidden folder contains a file named EXPLORER.EXE. The following files are also created:

C:\Program Files\Clicktilluwin\clicktilluwin.htm
C:\Program Files\Clicktilluwin\game.ico
C:\Windows\Start Menu\Programs\Clicktilluwin\clicktilluwin.lnk
C:\Windows\Desktop\Clicktilluwin.lnk


It may also add the registry entry:

HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run:
Dlder = "%windows%\explorer\explorer.exe"
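
Added example (not part of the original post or the TrendMicro description): a Python check that matches the registry and file indicators listed above against the text of a `reg export` dump and a file listing. The default Windows directory, the function names and the sample data are assumptions constructed for illustration.

```python
import re

WINDIR = r"C:\Windows"  # assumption: where %windows% points on the host
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"hkey_local_machine\software\games\clicktilluwin"
BAD_PATHS = {  # dropped files named in the description, lower-cased
    r"%windows%\dlder.exe",
    r"%windows%\explorer\explorer.exe",
    r"c:\program files\clicktilluwin\clicktilluwin.htm",
    r"c:\program files\clicktilluwin\game.ico",
    r"%windows%\start menu\programs\clicktilluwin\clicktilluwin.lnk",
    r"%windows%\desktop\clicktilluwin.lnk",
}

def norm(path, windir=WINDIR):
    """Lower-case, unquote, undo .reg escaping, fold the Windows dir to %windows%."""
    p = path.strip().strip('"').replace("\\\\", "\\").lower()
    w = windir.lower()
    if p.startswith(w + "\\"):
        p = "%windows%" + p[len(w):]
    return p

def parse_reg(text):
    """Parse `reg export` text into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"([^"]+)"="(.*)"$', line)):
            current[m.group(1).lower()] = m.group(2)
    return keys

def find_indicators(reg_text, paths, windir=WINDIR):
    """Return sorted findings for the registry and file indicators in the post."""
    keys = parse_reg(reg_text)
    hits = [f"run:{n}={norm(d, windir)}" for n, d in keys.get(RUN_KEY, {}).items()
            if norm(d, windir) in BAD_PATHS]
    if MARKER_KEY in keys:
        hits.append("key:" + MARKER_KEY)
    hits += ["file:" + norm(p, windir) for p in paths if norm(p, windir) in BAD_PATHS]
    return sorted(hits)

# Constructed sample input (not taken from a real machine).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dlder"="C:\\WINDOWS\\dlder.exe"
"SystemTray"="SysTray.Exe"
'''
SAMPLE_PATHS = [r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\explorer\explorer.exe"]
if __name__ == "__main__":
    print("\n".join(find_indicators(SAMPLE_REG, SAMPLE_PATHS)))
```

The legitimate explorer.exe in the Windows directory is not reported; only the copy inside the hidden "explorer" subfolder matches.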