Re: Clicktilluwin DLDER Trojan

[ByteRage <byterage () yahoo com>]

hmm it seems more thorough analysis has already been
performed by AV researchers :

http://www.symantec.com/avcenter/venc/data/w32.dlder.trojan.html
http://www.europe.f-secure.com/v-descs/dlder.shtml
http://vil.mcafee.com/dispVirus.asp?virus_k=99289&;
http://www.xtra.co.nz/help/0,,4128-544089,00.html#dlder

It appears to be installed by LimeWare Gnutella /
Grokster

--- ByteRage <byterage () yahoo com> wrote:
> below is the result of a small (read : fast)
> examination of this file... I can not guarantee
> everything is 100% correct (but at least 99,9% is ;)
>
> file name : dlder.exe
> file size : 40960 bytes
> md5sum("dlder.exe") :
> d41d8cd98f00b204e9800998ecf8427e
>
> It's at least a very suspicious file since it's
> purpose seems to be to download a file into
> %windir%\explorer\explorer.exe
> (using calls to GetWindowsDirectoryA,
> CreateDirectoryA, SetFileAttributesA,
> URLMON!URLDownloadToFile)
>
> at startup the program also determines the operating
> system (GetVersionExA) and uses an import of
> RegisterServiceProcess to hide itself from the
> tasklist under win9x systems (the process list when
> you type CTRL+ALT+DEL)
>
> the program also makes the following keys :
>
> HKEY_LOCAL_MACHINE\Software\games\clicktilluwin
> (with all keys under it belonging to the program)
HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run\dlder
> the dlder key contains the filename of the
> downloaded
> file, so it contains
> "%windir%\explorer\Explorer.exe"
>
> the url the file explorer.exe is downloaded from I
> don't know, since the download seemed to fail on my
> machine because it was a null string
>
> the program should be detected by AV/AM since it is
> likely to be more then just adware / spyware or at
> least it's nasty enough to be classified as such
> (hiding as explorer.exe, an important part of the
> operating system is fraud)
>
> --- jon () kirkbrideonline com wrote:
> > In-Reply-To:
> > <20011230032402.5229.qmail () mail securityfocus com>
> >
> > I found this vulnerability in the latest Limewire
> > 2.0.2 
> > gnutella client download. This crap gets installed
>
> > whether you like it or not. On my WinXP machine,
> it 
> > was running a new service called bargains.exe that
>
> > was located in c:\program files\bargain buddy. The
>
> > dlder.exe file resides in C:\windows. I deleted
> the
> > files 
> > before I looked at their content but there appeard
> > to 
> > be some DB type files in the folder. Norton's
> > latests 
> > pattern files (12/29) will detect the dlder.exe
> file
> > but 
> > there's no info on their website about it yet.
> > Anyone 
> > have a handle on what this thing is doing?
>
>
> __________________________________________________
> Do You Yahoo!?
> Send your FREE holiday greetings online!
> http://greetings.yahoo.com


__________________________________________________
Do You Yahoo!?
Send your FREE holiday greetings online!
http://greetings.yahoo.com