Vulnerability Development mailing list archives
Re: Clicktilluwin DLDER Trojan
From: ByteRage <byterage () yahoo com>
Date: Thu, 3 Jan 2002 01:02:29 -0800 (PST)
hmm it seems more thorough analysis has already been performed by AV researchers :

http://www.symantec.com/avcenter/venc/data/w32.dlder.trojan.html
http://www.europe.f-secure.com/v-descs/dlder.shtml
http://vil.mcafee.com/dispVirus.asp?virus_k=99289&
http://www.xtra.co.nz/help/0,,4128-544089,00.html#dlder

It appears to be installed by LimeWire Gnutella / Grokster

--- ByteRage <byterage () yahoo com> wrote:
below is the result of a small (read : fast) examination of this file... I cannot guarantee everything is 100% correct (but at least 99,9% is ;)

file name : dlder.exe
file size : 40960 bytes
md5sum("dlder.exe") : d41d8cd98f00b204e9800998ecf8427e

It's at least a very suspicious file since its purpose seems to be to download a file into %windir%\explorer\explorer.exe (using calls to GetWindowsDirectoryA, CreateDirectoryA, SetFileAttributesA, URLMON!URLDownloadToFile)

at startup the program also determines the operating system (GetVersionExA) and uses an import of RegisterServiceProcess to hide itself from the tasklist under win9x systems (the process list when you type CTRL+ALT+DEL)

the program also makes the following keys :
HKEY_LOCAL_MACHINE\Software\games\clicktilluwin (with all keys under it belonging to the program)
HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run\dlder

the dlder key contains the filename of the downloaded file, so it contains "%windir%\explorer\Explorer.exe"

the url the file explorer.exe is downloaded from I don't know, since the download seemed to fail on my machine because it was a null string

the program should be detected by AV/AM since it is likely to be more than just adware / spyware, or at least it's nasty enough to be classified as such (hiding as explorer.exe, an important part of the operating system, is fraud)

--- jon () kirkbrideonline com wrote:

In-Reply-To: <20011230032402.5229.qmail () mail securityfocus com>

I found this vulnerability in the latest Limewire 2.0.2 gnutella client download. This crap gets installed whether you like it or not. On my WinXP machine, it was running a new service called bargains.exe that was located in c:\program files\bargain buddy. The dlder.exe file resides in C:\windows. I deleted the files before I looked at their content but there appeared to be some DB type files in the folder. Norton's latest pattern files (12/29) will detect the dlder.exe file but there's no info on their website about it yet. Anyone have a handle on what this thing is doing?

__________________________________________________
Do You Yahoo!?
Send your FREE holiday greetings online!
http://greetings.yahoo.com
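The two registry artefacts named in the quoted analysis (a Run value called "dlder" whose data is "%windir%\explorer\Explorer.exe", and the HKEY_LOCAL_MACHINE\Software\games\clicktilluwin key) are easy to triage from a `reg export` of a suspect machine. The script below is an added example written for this archive page, not code from the thread or from any of the AV write-ups linked above. It assumes the Run key at its standard location HKLM\Software\Microsoft\Windows\CurrentVersion\Run (the quoted message writes the path without the "Windows\" component); the .reg text it parses is constructed for the example, not captured from an infected host. The point it demonstrates is the one the analysis makes: the real explorer.exe lives at %windir%\explorer.exe, so any explorer.exe whose directory is not %windir% itself is a look-alike worth flagging, whatever value name it is registered under.

```python
"""Triage a Regedit 5.00 export (.reg) for the dlder / clicktilluwin artefacts.

Runs offline on any platform: paths are handled with ntpath, and %windir%
is supplied by the caller rather than read from the environment.
"""
import ntpath
import re

# Assumption: standard Run key location (the thread's message omits "Windows\").
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\games\clicktilluwin"

# Constructed sample export; "Backup" is a made-up benign entry for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\games\clicktilluwin]
"id"="constructed-sample"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"dlder"="%windir%\\explorer\\Explorer.exe"
"Backup"="\"C:\\Program Files\\Example\\backup.exe\" /quiet"
'''

# "name"=data or @=data ; the name may contain escaped quotes/backslashes.
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key (lowercased): {value_name: string_data}}.

    Only REG_SZ ("...") data is kept; dword:/hex: values are skipped because
    the check below needs paths, not binary data.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "@"
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
    return keys


def _command_path(cmd):
    """Executable path from a Run command line: '"C:\\p q\\a.exe" /x' or 'C:\\a.exe /x'.

    Unquoted paths containing spaces are ambiguous on Windows and are cut at
    the first space, which is how CreateProcess would also start resolving them.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def expand_windir(path, windir):
    return re.sub(r"%windir%", lambda _m: windir, path, flags=re.IGNORECASE)


def is_explorer_lookalike(path, windir):
    """True for an explorer.exe anywhere other than %windir%\\explorer.exe."""
    full = ntpath.normpath(expand_windir(path, windir))
    if ntpath.basename(full).lower() != "explorer.exe":
        return False
    return ntpath.dirname(full).lower() != ntpath.normpath(windir).lower()


def triage(reg_text, windir=r"C:\WINDOWS"):
    """Return findings as tuples: ('marker_key', key) or ('run_value', name, exe)."""
    keys = parse_reg(reg_text)
    findings = []
    if MARKER_KEY.lower() in keys:
        findings.append(("marker_key", MARKER_KEY))
    for name, cmd in keys.get(RUN_KEY.lower(), {}).items():
        exe = _command_path(cmd)
        # Flag the value name from the write-ups AND any explorer.exe impostor,
        # so a renamed value with the same payload path is still caught.
        if name.lower() == "dlder" or is_explorer_lookalike(exe, windir):
            findings.append(("run_value", name, exe))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(finding)
```

On a live system the same logic applies to the output of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and `reg export HKLM\Software\games games.reg`; the script deliberately does not touch the registry itself so it can be run against exports collected from a machine you do not want to keep booting.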
Current thread:
- Re: Clicktilluwin DLDER Trojan NETKOJI (Jan 01)
- <Possible follow-ups>
- Re: Clicktilluwin DLDER Trojan ByteRage (Jan 02)
- Re: Clicktilluwin DLDER Trojan ByteRage (Jan 03)
- Re: Clicktilluwin DLDER Trojan CyBot (Jan 03)
- Re: Clicktilluwin DLDER Trojan ByteRage (Jan 03)
- Re: Clicktilluwin DLDER Trojan Jon Williams (Jan 03)
- Re: Clicktilluwin DLDER Trojan Alex Salkever (Jan 03)