below is the result of a small (read : fast) examination of this file... I can not guarantee everything is 100% correct (but at least 99,9% is ;) file name : dlder.exe file size : 40960 bytes md5sum("dlder.exe") : d41d8cd98f00b204e9800998ecf8427e It's at least a very suspicious file since it's purpose seems to be to download a file into %windir%\explorer\explorer.exe (using calls to GetWindowsDirectoryA, CreateDirectoryA, SetFileAttributesA, URLMON!URLDownloadToFile) at startup the program also determines the operating system (GetVersionExA) and uses an import of RegisterServiceProcess to hide itself from the tasklist under win9x systems (the process list when you type CTRL+ALT+DEL) the program also makes the following keys : HKEY_LOCAL_MACHINE\Software\games\clicktilluwin (with all keys under it belonging to the program) HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run\dlder the dlder key contains the filename of the downloaded file, so it contains "%windir%\explorer\Explorer.exe" the url the file explorer.exe is downloaded from I don't know, since the download seemed to fail on my machine because it was a null string the program should be detected by AV/AM since it is likely to be more then just adware / spyware or at least it's nasty enough to be classified as such (hiding as explorer.exe, an important part of the operating system is fraud) --- jonat_private wrote: > > In-Reply-To: > <20011230032402.5229.qmailat_private> > > I found this vulnerability in the latest Limewire > 2.0.2 > gnutella client download. This crap gets installed > whether you like it or not. On my WinXP machine, it > was running a new service called bargains.exe that > was located in c:\program files\bargain buddy. The > dlder.exe file resides in C:\windows. I deleted the > files > before I looked at their content but there appeard > to > be some DB type files in the folder. Norton's > latests > pattern files (12/29) will detect the dlder.exe file > but > there's no info on their website about it yet. > Anyone > have a handle on what this thing is doing? __________________________________________________ Do You Yahoo!? Send your FREE holiday greetings online! http://greetings.yahoo.com
This archive was generated by hypermail 2b30 : Wed Jan 02 2002 - 21:30:19 PST