p2p Trojan info
 

A trojan called dlder.exe is hidden in a mutlitude of p2p apps.

The most prominent are Kazza and Limewire, Grokster, and the new Bearshare Beta.

It is a hidden part of the ClickTiluWin adware. The people of Limewire and kazza and Bearshare did not even know it was a trojan.

This is a newly discovered trojan, but it has been in distribution for quite some time. Tens of thousands must have been infected.


For more information see the Bearshare forums


Description which is somewhat incomplete:
The following was obtained from TrendMicro
W32.DlDer.Trojan

TROJ_DLDER.A
(continued from profile page)

In the wild: No
Detection available: December 27, 2001
Detected by pattern file#: 191 or 991
(note about pattern numbering)
Detected by scan engine#: 5.200
Language:
English
Platform: Windows
Encrypted: No
Size of virus: ~31,232 bytes / ~40,960 bytes

Details:
This trojan is a Visual C++ compiled program. Upon execution it drops a file named DLDER.EXE under the %windows% directory. It adds the registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
Dlder=“%windows%\dlder.exe”
HKEY_LOCAL_MACHINE\Software\games\clicktilluwin

After modifying the registry, the trojan connects to the site and provides the user's IP address and default browser. It then sends an incrementing integer that possibly indicates the number of infected computers.

This trojan program is also installed along with two file-sharing programs, Grokster 1.3.3 and LimeWire 2.0.2. Both programs are downloadable from the website Grokster is downloaded from the *US-site* as SETUP.EXE and LimeWire as LIMEWIREWIN.EXE.

Upon installation of these file-sharing programs, TROJ_DLDER.A is also installed on the computer without the user’s knowledge. Aside from the file DLDER.EXE in the %windows% folder, a hidden folder named "explorer" is also created in the %windows% folder. The hidden folder contains a file named EXPLORER.EXE. The following files are also created:

C:\Program Files\Clicktilluwin\clicktilluwin.htm
C:\Program Files\Clicktilluwin\game.ico
C:\Windows\Start Menu\Programs\Clicktilluwin\clicktilluwin.lnk
C:\Windows\Desktop\Clicktilluwin.lnk


It may also add the registry entry:

HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run:
Dlder = "%windows%\explorer\explorer.exe"

If the downloads from LimeWire.com do not contain this trojan then you need to stop spreading this false information. You should always download from the companies own location for any product you may want. Third-party downloads may result in each things being added than otherwise would not be. But since I run FreeBSD http://www.freebsd.org , I dont have to worry about spayware or any kind of stupid Windows non-sense like this. :]

the trojan is bundled with the installer

no seperate download required

Then download the "Other" package from http://www.limewire.com/index.jsp/download_other , its a zip.

Symantec just identified this trojan on my computer and I downloaded LW 2 from Limewire.com. Yet another reason to stop using Limewire.

Virus is in the limewire download
 

I just downloaded from limewire directly as well, and Norton popped right up..

w32.DlDer.Trojan,

altho it was in the Ctywinstaller.exe file

temp/RarSFX/dlder.exe

yet another reason? it wasnt just limewire... :( i thought it was just bearshare, but after reading this, it is the ad-ware people.. burn them at the key board!!
Becker

I recomend getting ad-aware.
Ad-Aware @ Lavasoft - The Original Anti-Spyware Company - Lavasoft (both in english and totally free)

Ad-aware is a program that detects spyware on your computer. I keep it on my desktop and scan my PC whenever I download anything from the Internet. I feel bad for those unsuspecting people that are not aware of the spyware secretly being installed. Kind of like Cowards hiding and blending in amoungst us... remind you of anyone?

Adaware not aware of this new ad Trojan.
 

The trojan in:

- Bearshare 2.4.0 Beta 7
- LimeWire 2.02
- Kazaa (unspecified versions)
- Grokster 1.33
- Net2Phone (unspecified versions)

will eventually start popping up adverts in IE (even when not online).

Ad aware - when I last checked - does not remove this. Nor will Norton.

If you've not installed LimeWire 2 - then do not install it. This needs to be sorted first.

I'm ditching LimeWire now.... I can't put up with all the new junk they (LW or advertising partners) are sneaking into the software.

They know I assure you
 

I have written the people from Limewire several times about spyware they have embedded in the software. They use Gator for one, but the latest is this clicktiluwin crap which happened on or about 12/27. They know full well what's going on. Their attitude is that they need to sell advertising to keep the whole thing going. My attitude is, I'd rather pay than put up with this crap. They have more up their sleves I promise you.

Greg

Clean LW?
 

Who would be up for supporting a clean version of LW?
Contact me if you would like to be part of a project whose goal would be to produce an ad-free, spyware-free LimeWire.

:-)
Greetings,

How not to endear your supporters.
 

Norton found the trojan on my system and I downloaded v.2 directly from this site. I uninstalled it about 30 minutes later when I realized what a piece of crap it was but uninstalling Limewire didn't get rid of the trojan. BTW Ad-aware does not find this and Norton only found it during a full system scan not during the install.

Here is the link to SARC's page on this issue.

http://securityresponse.symantec.com...er.trojan.html

Note to Limewire developers, pull your heads out of your collective asses and get this crap out of your software. Nobody wants it and it only fosters acrimony toward your products.

WHY WHY WHY
You had a good product, now it's a pile of S##t.
REAL SMART
Good luck in the unemployment line.

Anyone ready for an alternative?

Here's a beta site:


This link will be removed shortly, so download it while you can.

:-)

Also

We have to fight back against this crap,
they don't care if 20 % of people are
annoyed about this trojan, as long as
the majority 80 % aren't aware of it.
Forget about talking to Limewire,
get the message out to the people
who use it - that's the only way to
stop them.

Another thing, what they're doing is
probably illegal and if somebody sues
them that person could probably make
a lot of money...

The laws in each state are different, follow this link to see if they have violated any laws in your aera.



you normaly can sue only for the dammages you incured, but if there are enough people with the same case it might put an end to the spy and adware crap.

Re: What about 1.9b
 

This is a repackaged version of 2.0.3. It will install and function alongside 1.9b just fine. It should act just like the real installation of LimeWire, except that there are no spywares or ads installed. There are also NO registry entries, so bye-bye clicktilluwin. LimeWire functions just fine without spyware. It just took a little configuring.

You can get rid of everything that earlier versions of LW put there and you can still use Clean LimeWire with no problems.
:-)

TruStarwarrior,just a quick word of thanks for putting up a 'clean' version of Limewire.
Now that I've seen the new generation Limewire in action (without all the crap that's installed with the basic),I had no hesitation in buying the 'legit' Pro.
Once again,cheers.

I'm glad to hear that it's working for you.
:-)

Just use Xolox
 

The last official version won't work, so you just download the hack 113 or hack 115 patches & she's as good as new

Renegade version of LimeWire 2.0.2
 

We created Renegade version 2.0.2 which is a compact LimeWire installer minus all the spyware and banner ads. It shares itself automatically so you can search and download the Renegade202.exe installer from the network once users start running it. The installer allows itself to be downloaded though a browser so you can use a Gnutella search website to find the installer.


Try it out!

rene