Trojan Horses Definitions (d) - Dlder

Dlder

Category: Trojan

Risk: Severe Risk

* Severe threats are typically remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any user interaction, and exploits are in the wild. There is a high likelihood of system damage or a security flaw. The attacker can gain complete control over your computer or install new software on your machine.

Description: DlDer is a spyware application that sends personal information to a server. This two-component spyware-trojan was discovered at the end of December 2001. The DlDer spyware-trojan was presented as an on-line lottery game with an adware component that was supposed to display advertisements and offers. However, the way it was implemented and dropped onto users' systems led anti-virus vendors to classify it as a spyware-trojan. Note that DlDer is NOT a virus, as it does not spread on its own.

Once installed on a user's system, the trojan downloads or upgrades its main component, which connects to a website and reports the user's ID (unique for each computer), IP address, the web browser in use, and the URLs that the web browser opens.

The DlDer spyware-trojan was bundled with LimeWire, Kazaa, Grokster and some other software packages mainly used for peer-to-peer file exchange (most of these packages are now distributed without the DlDer trojan components). The trojan was installed even if the user chose not to install any additional (spyware) components from those packages during setup, or was simply dropped onto the user's system silently.

When the DlDer.exe trojan component is started after installation of the software packages listed above, it downloads an Explorer.exe file from a website and places it in the \Explorer\ subfolder of the main Windows folder. The trojan then creates a startup key for the downloaded Explorer.exe file. On the next system restart, the Explorer.exe file is activated and creates a startup key for the DlDer.exe file (the trojan components activate each other). Explorer.exe then starts to connect regularly to a website and report the user's ID (a unique number), IP address, web browser, and the URLs the user visits.

The trojan drops a file called explorer.exe in "%WinDir%\explorer\". The legitimate explorer.exe file is located in %WinDir% and should not be deleted.
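A defender-side check for the artefacts described above, added here as an example (it is not code from the original page or from any vendor): it flags any explorer.exe process whose image is not the legitimate %WinDir%\explorer.exe, and any autorun (Run key) value that launches DlDer.exe or the dropped %WinDir%\explorer\explorer.exe. The process list and Run-key values are constructed sample data; the DlDer.exe install path is a placeholder because the page does not state where it lives, and the assumption that the startup keys are plain Run-key values is mine.

```python
"""Hunt for the DlDer dropper pattern: an explorer.exe that is not
%WinDir%\\explorer.exe, plus autorun entries that point at the dropped copy
or at DlDer.exe.  Example code added to this page; all inputs are constructed."""
import ntpath
import os

# ntpath is used on purpose so the checks behave the same on any platform
# (case-insensitive comparison, backslash normalisation).
def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))

def _exe_from_command(command):
    """Extract the executable from a Run-key command line.
    Quoted paths ("C:\\x y\\a.exe" /arg) and unquoted paths without spaces
    are handled; an unquoted path containing spaces is ambiguous on Windows
    and is returned as its first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""

def find_rogue_explorer(processes, windir=None):
    """processes: iterable of (process name, image path).
    Returns image paths of explorer.exe processes that are not the
    legitimate %WinDir%\\explorer.exe."""
    windir = windir or os.environ.get("windir", r"C:\Windows")
    legit = _norm(ntpath.join(windir, "explorer.exe"))
    return [image for name, image in processes
            if name.lower() == "explorer.exe" and _norm(image) != legit]

def find_suspicious_autoruns(run_values, windir=None):
    """run_values: dict of value name -> command, as read from a Run key.
    Flags values that start DlDer.exe or %WinDir%\\explorer\\explorer.exe,
    or any explorer.exe outside %WinDir%.  Returns sorted value names."""
    windir = windir or os.environ.get("windir", r"C:\Windows")
    legit = _norm(ntpath.join(windir, "explorer.exe"))
    dropped = _norm(ntpath.join(windir, "explorer", "explorer.exe"))
    hits = []
    for value_name, command in run_values.items():
        exe = _exe_from_command(command)
        base = ntpath.basename(exe).lower()
        if base == "dlder.exe":
            hits.append(value_name)
        elif _norm(exe) == dropped:
            hits.append(value_name)
        elif base == "explorer.exe" and _norm(exe) != legit:
            hits.append(value_name)
    return sorted(hits)

# Constructed sample data (not real telemetry).
SAMPLE_PROCESSES = [
    ("explorer.exe", r"C:\Windows\explorer.exe"),            # legitimate shell
    ("explorer.exe", r"C:\Windows\Explorer\explorer.exe"),   # dropped copy
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
]
SAMPLE_RUN_VALUES = {
    "explorer": r'"C:\Windows\Explorer\explorer.exe"',      # key set by DlDer.exe
    "dlder": r"C:\ExamplePkg\DlDer.exe /arg",               # placeholder path
    "ctfmon": r"C:\Windows\System32\ctfmon.exe",            # benign
}

if __name__ == "__main__":
    for image in find_rogue_explorer(SAMPLE_PROCESSES, r"C:\Windows"):
        print("rogue explorer.exe:", image)
    for value in find_suspicious_autoruns(SAMPLE_RUN_VALUES, r"C:\Windows"):
        print("suspicious Run value:", value)
```

On a real host, feed `find_rogue_explorer` the output of a process listing and `find_suspicious_autoruns` the values of the HKLM and HKCU Run keys; the point of matching on the full normalised path rather than the file name is that the page's own caveat applies: the legitimate %WinDir%\explorer.exe must never be treated as a hit.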

Alias: Dlder

Signatures:
process: explorer.exe: MD5 Hash: b043b9a324ba308758a
process: explorer.exe: MD5 Hash: ..

Updated: 02/16/2006
Copyright @2006 THR Computer Solutions: Dlder