From: ByteRage (byterage@yahoo.com)
Date: Thu Jan 03 2002 - 03:02:29 CST
Hmm, it seems a more thorough analysis has already been performed by AV
researchers:
http://www.symantec.com/avcenter/venc/data/w32.dlder.trojan.html
http://www.europe.f-secure.com/v-descs/dlder.shtml
http://vil.mcafee.com/dispVirus.asp?virus_k=99289&
http://www.xtra.co.nz/help/0,,4128-544089,00.html#dlder
It appears to be installed by LimeWire Gnutella / Grokster.
--- ByteRage <byterage@yahoo.com> wrote:
>
> Below is the result of a small (read: fast) examination of this file... I can
> not guarantee everything is 100% correct (but at least 99,9% is ;)
>
> file name : dlder.exe
> file size : 40960 bytes
> md5sum("dlder.exe") : d41d8cd98f00b204e9800998ecf8427e
>
> It's at least a very suspicious file since its purpose seems to be to download
> a file into %windir%\explorer\explorer.exe (using calls to GetWindowsDirectoryA,
> CreateDirectoryA, SetFileAttributesA, URLMON!URLDownloadToFile).
>
> At startup the program also determines the operating system (GetVersionExA) and
> uses an import of RegisterServiceProcess to hide itself from the task list under
> Win9x systems (the process list when you type CTRL+ALT+DEL).
>
> The program also makes the following keys:
>
> HKEY_LOCAL_MACHINE\Software\games\clicktilluwin
> (with all keys under it belonging to the program)
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run\dlder
>
> The dlder key contains the filename of the downloaded file, so it contains
> "%windir%\explorer\Explorer.exe".
>
> The URL the file explorer.exe is downloaded from I don't know, since the
> download seemed to fail on my machine because it was a null string.
>
> The program should be detected by AV/AM since it is likely to be more than just
> adware / spyware, or at least it's nasty enough to be classified as such
> (hiding as explorer.exe, an important part of the operating system, is fraud).
>
> --- jon@kirkbrideonline.com wrote:
> >
> > In-Reply-To: <20011230032402.5229.qmail@mail.securityfocus.com>
> >
> > I found this vulnerability in the latest Limewire 2.0.2 gnutella client
> > download. This crap gets installed whether you like it or not. On my WinXP
> > machine, it was running a new service called bargains.exe that was located in
> > c:\program files\bargain buddy. The dlder.exe file resides in C:\windows. I
> > deleted the files before I looked at their content but there appeared to be
> > some DB type files in the folder. Norton's latest pattern files (12/29) will
> > detect the dlder.exe file but there's no info on their website about it yet.
> > Anyone have a handle on what this thing is doing?
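The indicators the quoted analysis lists (the Run value named dlder, the HKLM\Software\games\clicktilluwin key and the dropped %windir%\explorer\explorer.exe) can be checked on a Windows host with the PowerShell triage script below; this is an added example, not part of the thread, and assumes PowerShell 5 or later. The Run key path as written in the message lacks the usual "Windows\" component, so the script checks both spellings.

```powershell
# Added example (not from the thread): triage checks for the dlder.exe
# indicators described above. Key and file paths are taken from the message;
# the second Run key spelling is the standard one and is an added assumption.
$findings = @()

# 1. Dropped file: %windir%\explorer\explorer.exe. The real shell lives at
#    %windir%\explorer.exe, so a file inside an "explorer" subdirectory is
#    itself suspicious.
$dropPath = Join-Path $env:windir 'explorer\explorer.exe'
if (Test-Path -LiteralPath $dropPath) {
    $f = Get-Item -LiteralPath $dropPath
    $findings += "Suspicious file: $dropPath ($($f.Length) bytes, modified $($f.LastWriteTime))"
}

# 2. Persistence: a Run value named "dlder" (both the path as written in the
#    message and the standard Windows\CurrentVersion\Run location)
$runKeys = @(
    'HKLM:\Software\Microsoft\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path -LiteralPath $key) {
        $v = Get-ItemProperty -LiteralPath $key -Name 'dlder' -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            $findings += "Run value 'dlder' in $key -> $($v.dlder)"
        }
    }
}

# 3. Configuration key the program creates
$cfgKey = 'HKLM:\Software\games\clicktilluwin'
if (Test-Path -LiteralPath $cfgKey) {
    $findings += "Registry key present: $cfgKey"
}

if ($findings.Count -eq 0) {
    Write-Output 'No dlder.exe indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

The Win9x task-list hiding via RegisterServiceProcess has no counterpart on NT-based systems, so the script relies on the file and registry artifacts only.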