Re: Clicktilluwin DLDER Trojan

From: ByteRage (byterageat_private)
Date: Wed Jan 02 2002 - 14:36:53 PST


    below is the result of a small (read : fast)
    examination of this file... I can not guarantee
    everything is 100% correct (but at least 99,9% is ;)
    
    file name : dlder.exe
    file size : 40960 bytes
    md5sum("dlder.exe") : d41d8cd98f00b204e9800998ecf8427e
    
    It's at least a very suspicious file since its
    purpose seems to be to download a file into
    %windir%\explorer\explorer.exe
    (using calls to GetWindowsDirectoryA,
    CreateDirectoryA, SetFileAttributesA,
    URLMON!URLDownloadToFile)
    
    at startup the program also determines the operating
    system (GetVersionExA) and uses an import of
    RegisterServiceProcess to hide itself from the
    tasklist under win9x systems (the process list when
    you type CTRL+ALT+DEL)
    
    the program also makes the following keys :
    
    HKEY_LOCAL_MACHINE\Software\games\clicktilluwin
    (with all keys under it belonging to the program)
    
    HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run\dlder
    
    the dlder key contains the filename of the downloaded
    file, so it contains "%windir%\explorer\Explorer.exe"
    
    the url the file explorer.exe is downloaded from I
    don't know, since the download seemed to fail on my
    machine because it was a null string
    
    the program should be detected by AV/AM since it is
    likely to be more than just adware / spyware or at
    least it's nasty enough to be classified as such
    (hiding as explorer.exe, an important part of the
    operating system is fraud)
    
    --- jonat_private wrote:
    > 
    > In-Reply-To:
    > <20011230032402.5229.qmailat_private>
    > 
    > I found this vulnerability in the latest Limewire 2.0.2
    > gnutella client download. This crap gets installed
    > whether you like it or not. On my WinXP machine, it
    > was running a new service called bargains.exe that
    > was located in c:\program files\bargain buddy. The
    > dlder.exe file resides in C:\windows. I deleted the
    > files before I looked at their content but there appeared
    > to be some DB type files in the folder. Norton's
    > latest pattern files (12/29) will detect the dlder.exe file
    > but there's no info on their website about it yet.
    > Anyone have a handle on what this thing is doing?
    
    
    
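As an added example (not part of ByteRage's or jonat's posts), the following PowerShell script checks a Windows host for the indicators the two messages describe: the "dlder" Run value, the clicktilluwin registry key, an explorer.exe planted in a %windir%\explorer\ subdirectory, and the bargains.exe / "bargain buddy" artifacts. It assumes PowerShell 5.1 or later and uses the standard Run key location (HKLM\Software\Microsoft\Windows\CurrentVersion\Run), which is where the key named in the post normally lives.

```powershell
# Added example, not code from the original posts: host check for the
# dlder indicators described above. Assumes PowerShell 5.1+ run with
# sufficient rights to read HKLM and %windir%.
$findings = @()

# 1. A Run value named "dlder" (the post says it holds the path of the
#    downloaded explorer.exe). Both native and WOW6432Node views are checked.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        if ($props.PSObject.Properties.Name -contains 'dlder') {
            $findings += "Run value 'dlder' in $key -> $($props.dlder)"
        }
    }
}

# 2. The vendor key the program creates for its own settings.
$appKey = 'HKLM:\SOFTWARE\games\clicktilluwin'
if (Test-Path $appKey) {
    $findings += "Registry key present: $appKey"
}

# 3. The genuine shell is %windir%\explorer.exe. A directory named
#    "explorer" under %windir% containing an explorer.exe is not a normal
#    Windows layout, so its presence alone is worth reporting.
$planted = Join-Path $env:windir 'explorer\explorer.exe'
if (Test-Path $planted) {
    $size = (Get-Item $planted).Length
    $md5  = (Get-FileHash -Path $planted -Algorithm MD5).Hash
    $findings += "Planted file: $planted (size $size, MD5 $md5)"
}

# 4. Artifacts from jonat's report: the bargains.exe process and its folder.
#    RegisterServiceProcess only hides a process on Win9x, so on NT-based
#    systems (XP and later) a running copy is visible to Get-Process.
if (Get-Process -Name 'bargains' -ErrorAction SilentlyContinue) {
    $findings += 'Process running: bargains.exe'
}
$bbDir = Join-Path $env:ProgramFiles 'bargain buddy'
if (Test-Path $bbDir) {
    $findings += "Directory present: $bbDir"
}

if ($findings.Count -eq 0) { Write-Output 'No dlder indicators found.' }
else { $findings | ForEach-Object { Write-Output "FOUND: $_" } }
```

On a hit, preserve the planted file and registry values before removing them so the Run value's URL/path and the file hash can be compared with what others report.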



    This archive was generated by hypermail 2b30 : Wed Jan 02 2002 - 21:30:19 PST