----- Original Message -----
From: "Nick Danger" <[log in to unmask]>
To: "Access L" <[log in to unmask]>
Sent: Thursday, January 03, 2002 4:36 PM
Subject: news special from ZDNet and Symantec
Special to ZDNet News
January 2, 2002 3:18 PM PT
A pair of popular file-sharing programs have become privacy time bombs, according to computer experts.
Antivirus company Symantec last week reported the presence of "spyware" bundled with Grokster and Limewire, two popular file-swapping downloads. The code evidently does not damage computers, but it surreptitiously sends personal information such as user ID names and the Internet address of computers to another Web address.
Advertising software called "Clicktilluwin" that comes bundled with the file-swapping programs carries a program called "W32.DIDer," which Symantec has classified as a Trojan horse--a piece of code that takes over parts of a person's computer unseen in order to carry out its own instructions.
Although unrelated advertising programs are routinely bundled with free file-swapping programs--and have prompted some user criticism in the past--this appears to be the first time one of them has included a program classified as a Trojan horse by security experts.
The Trojan horse software installs itself even if a computer user selects an option that appears to block Clicktilluwin's installation. For this reason, antivirus companies are warning people to scan their computers after installing these products to ensure the code is removed.
On the heels of the Symantec warning, some consumers complained of similar problems with FastTrack's Kazaa Media Desktop. CNET News.com could not duplicate the problem in a test of that product Wednesday.
A spokesman for Limewire said the version with Clicktilluwin included had been replaced with a clean version by Tuesday.
"It was not what we thought this was," said Greg Bildson, Limewire's chief technical officer. "It was supposed to be a promotional tool...not blatant spyware."
Grokster has gone one step further, apologizing and providing its users with a program that will remove the offending bits of code from personal computers.
"We have no access to the source code of these third-party installers and so we rely on what our advertisers say these programs do," the company wrote on its Web site Wednesday. "Now that we have learned of the Trojan, we are doing everything we can to minimize its impact on our users."
Because software programs are among the most popular downloads on the Net, the Trojan horse could potentially find its way onto a large number of computers.
Kazaa, for example, is one of the most popular pieces of software available through CNET Download.com, a site operated by News.com's parent company, with more than 1.3 million downloads in the last week of December alone.
Bitter warnings about the code spread through consumer bulletin boards on several different Web sites last week.
"Make sure you have a good virus utility if you must install this," one person wrote on Download.com's Grokster reviews.
W32.DlDer.Trojan
Discovered on: December 27, 2001
Last Updated on: January 2, 2002 at 12:46:44 PM PST
W32.DlDer.Trojan is a Trojan which has two components that work together: Dlder.exe (40,960 bytes) and Explorer.exe (31,232 bytes), which is downloaded by Dlder.exe.
NOTE: Definitions dated before December 29, 2001, detect this as Backdoor.Trojan.
Also Known As: Trojan.Win32.DlDer
Type: Trojan Horse
Virus Definitions: December 29, 2001
Threat Assessment:
Wild: Low
Damage: Low
Distribution: Low
Technical description:
This Trojan is known to be installed (as part of the normal installation) by two "freeware" file-sharing programs:
Grokster, which is a file sharing system.
LimeWire, which is the LimeWire Gnutella Client.
During the installation process of these programs, you are asked if you want to install the (spyware) program "Clicktilluwin." Regardless of whether you click Yes or No, the Trojan code is installed.
This Trojan has two components:
Explorer.exe, which is the main Trojan.
Dlder.exe, which is the downloader for Explorer.exe.
The Trojan creates the hidden folder \Explorer in the \Windows folder, and then downloads Explorer.exe to that folder. The Trojan also copies Dlder.exe to the \Windows folder.
NOTE: Do not confuse the Trojan, which is copied as \Windows\Explorer\Explorer.exe, with the real Windows Explorer file, which is also named Explorer.exe. The genuine file is, by default, stored in the \Windows folder, not the \Windows\Explorer\ folder. The Trojan creates the \Explorer folder under the Windows folder, and places the Trojan there.
The Trojan also adds one of the following values:
dlder C:\windows\explorer\Explorer.exe
dlder C:\windows\dlder.exe
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that it runs each time that you start Windows.
The Trojan appears to be sending some information (such as User-ID and IP address) to the following URL:
http:/ /www.2001-007.com
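As an added example (not code from the article, Symantec or either vendor), the following Python script checks HKLM Run-key values for the persistence indicators listed above, and more generally for any Run entry whose image is named explorer.exe but lives outside \Windows; the sample entries are constructed, and on Windows it can read the live key through the standard-library winreg module.

```python
# Added example, not Symantec's or ZDNet's code: check HKLM ...\CurrentVersion\Run values for the W32.DlDer indicators above.
import ntpath
import sys
# Indicators from the Symantec description, compared case-insensitively.
DLDER_VALUE_NAME = "dlder"
DLDER_IMAGE_PATHS = {r"c:\windows\explorer\explorer.exe", r"c:\windows\dlder.exe"}
GENUINE_EXPLORER_DIR = r"c:\windows"  # where the real Explorer.exe lives


def image_path(command):
    """Lower-cased executable path of a Run value, with quotes and arguments removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    return command.split(" ", 1)[0].lower()


def flag_run_values(run_values):
    """Return (value_name, command, reason) for each suspicious Run entry."""
    findings = []
    for name, command in run_values:
        image = image_path(command)
        if name.lower() == DLDER_VALUE_NAME or image in DLDER_IMAGE_PATHS:
            findings.append((name, command, "W32.DlDer indicator"))
        # Beyond the page's exact paths: an explorer.exe outside \Windows is the masquerade it warns about.
        elif (ntpath.basename(image) == "explorer.exe"
              and ntpath.dirname(image) != GENUINE_EXPLORER_DIR):
            findings.append((name, command, "explorer.exe outside \\Windows"))
    return findings


def read_live_run_key():
    """Windows only: enumerate the real HKLM Run key via the stdlib winreg module."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    return [(name, str(data)) for name, data, _ in
            (winreg.EnumValue(key, i) for i in range(winreg.QueryInfoKey(key)[1]))]


# Constructed sample: one benign entry, the DlDer value, and a masquerading copy.
SAMPLE_RUN_VALUES = [
    ("ScanRegistry", r"C:\WINDOWS\scanregw.exe /autorun"),
    ("dlder", r"C:\windows\explorer\Explorer.exe"),
    ("Explorer", r"C:\windows\system\Explorer.exe"),
]

if __name__ == "__main__":
    values = read_live_run_key() if sys.platform == "win32" else SAMPLE_RUN_VALUES
    for name, command, reason in flag_run_values(values):
        print(f"{name}: {command} -> {reason}")
```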
Removal instructions:
To remove this Trojan, delete files that are detected as W32.DlDer.Trojan, and remove the value that it added to the registry.
To remove the Trojan:
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.DlDer.Trojan.
To edit the registry:
CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete any of the following values that exist:
dlder C:\windows\explorer\Explorer.exe
dlder C:\windows\dlder.exe
5. Navigate to and delete the following subkey:
HKEY_LOCAL_MACHINE\Software\Games\Clicktilluwin
6. Click Registry, and then click Exit.
VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to [log in to unmask]. In the body of the message, simply type "subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
VICUG-L is archived on the World Wide Web at http://maelstrom.stjohns.edu/archives/vicug-l.html