hmm it seems more thorough analysis has already been performed by AV researchers :

http://www.symantec.com/avcenter/venc/data/w32.dlder.trojan.html
http://www.europe.f-secure.com/v-descs/dlder.shtml
http://vil.mcafee.com/dispVirus.asp?virus_k=99289&
http://www.xtra.co.nz/help/0,,4128-544089,00.html#dlder

It appears to be installed by LimeWare Gnutella / Grokster

--- ByteRage <byterageat_private> wrote:
>
> below is the result of a small (read : fast)
> examination of this file... I cannot guarantee
> everything is 100% correct (but at least 99,9% is ;)
>
> file name : dlder.exe
> file size : 40960 bytes
> md5sum("dlder.exe") :
> d41d8cd98f00b204e9800998ecf8427e
>
> It's at least a very suspicious file since its
> purpose seems to be to download a file into
> %windir%\explorer\explorer.exe
> (using calls to GetWindowsDirectoryA,
> CreateDirectoryA, SetFileAttributesA,
> URLMON!URLDownloadToFile)
>
> at startup the program also determines the operating
> system (GetVersionExA) and uses an import of
> RegisterServiceProcess to hide itself from the
> tasklist under win9x systems (the process list when
> you type CTRL+ALT+DEL)
>
> the program also makes the following keys :
>
> HKEY_LOCAL_MACHINE\Software\games\clicktilluwin
> (with all keys under it belonging to the program)
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run\dlder
>
> the dlder key contains the filename of the downloaded
> file, so it contains
> "%windir%\explorer\Explorer.exe"
>
> the url the file explorer.exe is downloaded from I
> don't know, since the download seemed to fail on my
> machine because it was a null string
>
> the program should be detected by AV/AM since it is
> likely to be more than just adware / spyware or at
> least it's nasty enough to be classified as such
> (hiding as explorer.exe, an important part of the
> operating system, is fraud)
>
> --- jonat_private wrote:
> >
> > In-Reply-To:
> > <20011230032402.5229.qmailat_private>
> >
> > I found this vulnerability in the latest Limewire
> > 2.0.2 gnutella client download. This crap gets installed
> > whether you like it or not. On my WinXP machine, it
> > was running a new service called bargains.exe that
> > was located in c:\program files\bargain buddy. The
> > dlder.exe file resides in C:\windows. I deleted the
> > files before I looked at their content but there appeared
> > to be some DB type files in the folder. Norton's
> > latest pattern files (12/29) will detect the dlder.exe
> > file but there's no info on their website about it yet.
> > Anyone have a handle on what this thing is doing?
>
> __________________________________________________
> Do You Yahoo!?
> Send your FREE holiday greetings online!
> http://greetings.yahoo.com

__________________________________________________
Do You Yahoo!?
Send your FREE holiday greetings online!
http://greetings.yahoo.com
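The thread above names three host artifacts worth checking during triage: the `Software\games\clicktilluwin` key, a `dlder` value under the `CurrentVersion\Run` key, and a copy of `explorer.exe` placed in a subfolder called `explorer` rather than directly in the Windows directory. The script below is an added example written for this page, not code from any of the posters; it parses a constructed `regedit`-style `.reg` export (the sample text is made up for illustration, not captured from an infected machine) and applies those indicators. It also sanity-checks a reported MD5 against the digest of zero-length input, so a hash produced from an empty or unreadable file is not mistaken for a real sample fingerprint.

```python
"""Triage a Windows registry export (.reg text) for the dlder.exe artifacts
described in the thread. Added example; SAMPLE_REG is constructed."""
import hashlib
import re

# Constructed export in the format written by "regedit /e": the two keys
# reported in the thread plus a benign Run entry for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\games\clicktilluwin]
"id"="EXAMPLE-ID"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"dlder"="C:\\WINDOWS\\explorer\\Explorer.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# MD5 of zero-length input. A reported hash equal to this means the hashing
# tool never read the file (wrong path, permission error, truncated copy).
EMPTY_MD5 = hashlib.md5(b"").hexdigest()

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def parse_reg(text):
    """Return {key_path: {value_name: data}} from a .reg export.
    Only REG_SZ values are needed for this triage; other types are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and double quotes in string data
            data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group("name")] = data
    return keys


def explorer_in_explorer_dir(path):
    """True when a file named explorer.exe lives in a directory itself named
    'explorer' (the drop location from the thread), which the real shell
    binary never does."""
    parts = path.lower().replace("/", "\\").split("\\")
    return len(parts) >= 2 and parts[-1] == "explorer.exe" and parts[-2] == "explorer"


def find_dlder_indicators(keys):
    """Apply the thread's indicators to a parsed export. Matching on key
    suffixes keeps the check independent of the exact hive prefix."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(r"\software\games\clicktilluwin"):
            findings.append(("suspicious_key", key, None))
        if k.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if name.lower() == "dlder" or explorer_in_explorer_dir(data):
                    findings.append(("run_entry", key, f"{name}={data}"))
    return findings


def hash_is_usable(hexdigest):
    """False when the reported MD5 is just the digest of empty input."""
    return hexdigest.lower() != EMPTY_MD5


if __name__ == "__main__":
    for finding in find_dlder_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
    print("reported hash usable:", hash_is_usable("d41d8cd98f00b204e9800998ecf8427e"))
```

On a real machine, `regedit /e` writes the export as UTF-16LE with CRLF line endings, so decode the file with `utf-16` before passing it to `parse_reg`; the parser above only handles the plain-text form shown in the sample.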
This archive was generated by hypermail 2b30 : Thu Jan 03 2002 - 10:29:49 PST