Vulnerability Development mailing list archives
Re: Clicktilluwin DLDER Trojan
From: ByteRage <byterage () yahoo com>
Date: Wed, 2 Jan 2002 14:36:53 -0800 (PST)
below is the result of a small (read : fast) examination of this file... I can not guarantee everything is 100% correct (but at least 99,9% is ;) file name : dlder.exe file size : 40960 bytes md5sum("dlder.exe") : d41d8cd98f00b204e9800998ecf8427e It's at least a very suspicious file since it's purpose seems to be to download a file into %windir%\explorer\explorer.exe (using calls to GetWindowsDirectoryA, CreateDirectoryA, SetFileAttributesA, URLMON!URLDownloadToFile) at startup the program also determines the operating system (GetVersionExA) and uses an import of RegisterServiceProcess to hide itself from the tasklist under win9x systems (the process list when you type CTRL+ALT+DEL) the program also makes the following keys : HKEY_LOCAL_MACHINE\Software\games\clicktilluwin (with all keys under it belonging to the program) HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run\dlder the dlder key contains the filename of the downloaded file, so it contains "%windir%\explorer\Explorer.exe" the url the file explorer.exe is downloaded from I don't know, since the download seemed to fail on my machine because it was a null string the program should be detected by AV/AM since it is likely to be more then just adware / spyware or at least it's nasty enough to be classified as such (hiding as explorer.exe, an important part of the operating system is fraud) --- jon () kirkbrideonline com wrote:
In-Reply-To: <20011230032402.5229.qmail () mail securityfocus com> I found this vulnerability in the latest Limewire 2.0.2 gnutella client download. This crap gets installed whether you like it or not. On my WinXP machine, it was running a new service called bargains.exe that was located in c:\program files\bargain buddy. The dlder.exe file resides in C:\windows. I deleted the files before I looked at their content but there appeard to be some DB type files in the folder. Norton's latests pattern files (12/29) will detect the dlder.exe file but there's no info on their website about it yet. Anyone have a handle on what this thing is doing?
__________________________________________________ Do You Yahoo!? Send your FREE holiday greetings online! http://greetings.yahoo.com
Current thread:
- Re: Clicktilluwin DLDER Trojan NETKOJI (Jan 01)
- <Possible follow-ups>
- Re: Clicktilluwin DLDER Trojan ByteRage (Jan 02)
- Re: Clicktilluwin DLDER Trojan ByteRage (Jan 03)
- Re: Clicktilluwin DLDER Trojan CyBot (Jan 03)
- Re: Clicktilluwin DLDER Trojan ByteRage (Jan 03)
- Re: Clicktilluwin DLDER Trojan Jon Williams (Jan 03)
- Re: Clicktilluwin DLDER Trojan Alex Salkever (Jan 03)