Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Clicktilluwin DLDER Trojan

From: ByteRage <byterage () yahoo com>
Date: Wed, 2 Jan 2002 14:36:53 -0800 (PST)

below is the result of a small (read : fast)
examination of this file... I can not guarantee
everything is 100% correct (but at least 99,9% is ;)

file name : dlder.exe
file size : 40960 bytes
md5sum("dlder.exe") : d41d8cd98f00b204e9800998ecf8427e

It's at least a very suspicious file since it's
purpose seems to be to download a file into
%windir%\explorer\explorer.exe
(using calls to GetWindowsDirectoryA,
CreateDirectoryA, SetFileAttributesA,
URLMON!URLDownloadToFile)

at startup the program also determines the operating
system (GetVersionExA) and uses an import of
RegisterServiceProcess to hide itself from the
tasklist under win9x systems (the process list when
you type CTRL+ALT+DEL)

the program also makes the following keys :

HKEY_LOCAL_MACHINE\Software\games\clicktilluwin
(with all keys under it belonging to the program)

HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run\dlder

the dlder key contains the filename of the downloaded
file, so it contains "%windir%\explorer\Explorer.exe"

the url the file explorer.exe is downloaded from I
don't know, since the download seemed to fail on my
machine because it was a null string

the program should be detected by AV/AM since it is
likely to be more then just adware / spyware or at
least it's nasty enough to be classified as such
(hiding as explorer.exe, an important part of the
operating system is fraud)

--- jon () kirkbrideonline com wrote:


In-Reply-To:
<20011230032402.5229.qmail () mail securityfocus com>

I found this vulnerability in the latest Limewire
2.0.2 
gnutella client download. This crap gets installed 
whether you like it or not. On my WinXP machine, it 
was running a new service called bargains.exe that 
was located in c:\program files\bargain buddy. The 
dlder.exe file resides in C:\windows. I deleted the
files 
before I looked at their content but there appeard
to 
be some DB type files in the folder. Norton's
latests 
pattern files (12/29) will detect the dlder.exe file
but 
there's no info on their website about it yet.
Anyone 
have a handle on what this thing is doing?



__________________________________________________
Do You Yahoo!?
Send your FREE holiday greetings online!
http://greetings.yahoo.com
Previous By Date Next
Previous By Thread Next

Current thread: