VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG

From: David Poehlman <[log in to unmask]>
Reply To: David Poehlman <[log in to unmask]>
Date: Thu, 3 Jan 2002 17:42:30 -0500
Content-Type: text/plain

----- Original Message -----
From: "Nick Danger" <[log in to unmask]>
To: "Access L" <[log in to unmask]>
Sent: Thursday, January 03, 2002 4:36 PM
Subject: news special from ZDNet and Symantec



Special to ZDNet News

January 2, 2002 3:18 PM PT



A pair of popular file-sharing programs have become privacy time bombs,
according to computer experts.



Antivirus company Symantec last week reported the presence of "spyware"
bundled with Grokster and Limewire, two popular file-swapping downloads.
The code evidently does not damage computers, but it surreptitiously
sends personal information such as user ID names and the Internet
address of computers to another Web address.



Advertising software called "Clicktilluwin" that comes bundled with the
file-swapping programs carries a program called "W32.DlDer," which
Symantec has classified as a Trojan horse--a piece of code that takes
over parts of a person's computer unseen in order to carry out its own
instructions.






Although unrelated advertising programs are routinely bundled with free
file-swapping programs--and have prompted some user criticism in the
past--this appears to be the first time one of them has included a
program classified as a Trojan horse by security experts.



The Trojan horse software installs itself even if a computer user
selects an option that appears to block Clicktilluwin's installation.
For this reason, antivirus companies are warning people to scan their
computers after installing these products to ensure the code is removed.



On the heels of the Symantec warning, some consumers complained of
similar problems with FastTrack's Kazaa Media Desktop. CNET News.com
could not duplicate the problem in a test of that product Wednesday.



A spokesman for Limewire said the version with Clicktilluwin included
had been replaced with a clean version by Tuesday.



"It was not what we thought this was," said Greg Bildson, Limewire's
chief technical officer. "It was supposed to be a promotional tool...not
blatant spyware."



Grokster has gone one step further, apologizing and providing its users
with a program that will remove the offending bits of code from personal
computers.



"We have no access to the source code of these third-party installers
and so we rely on what our advertisers say these programs do," the
company wrote on its Web site Wednesday. "Now that we have learned of
the Trojan, we are doing everything we can to minimize its impact on our
users."



Because software programs are among the most popular downloads on the
Net, the Trojan horse could potentially find its way onto a large number
of computers. Kazaa, for example, is one of the most popular pieces of
software available through CNET Download.com, a site operated by
News.com's parent company, with more than 1.3 million downloads in the
last week of December alone.



Bitter warnings about the code spread through consumer bulletin boards
on several different Web sites last week.



"Make sure you have a good virus utility if you must install this," one
person wrote on Download.com's Grokster reviews.








W32.DlDer.Trojan



Discovered on: December 27, 2001



Last Updated on: January 2, 2002 at 12:46:44 PM PST



W32.DlDer.Trojan is a Trojan which has two components that work
together: Dlder.exe (40,960 bytes) and Explorer.exe (31,232 bytes),
which is downloaded by Dlder.exe.

NOTE: Definitions dated before December 29, 2001, detect this as
Backdoor.Trojan.



Also Known As: Trojan.Win32.DlDer

Type: Trojan Horse

Virus Definitions: December 29, 2001



Threat Assessment:

Wild: Low
Damage: Low
Distribution: Low



Technical description:



This Trojan is known to be installed (as part of the normal
installation) by two "freeware" file-sharing programs:

Grokster, which is a file sharing system.

Limewire, which is the LimeWire Gnutella Client.



During the installation process of these programs, you are asked if you
want to install the (spyware) program "Clicktilluwin." Regardless of
whether you click Yes or No, the Trojan code is installed.



This Trojan has two components:

Explorer.exe, which is the main Trojan.

Dlder.exe, which is the downloader for Explorer.exe.



The Trojan creates the hidden folder \Explorer in the \Windows folder,
and then downloads Explorer.exe to that folder. The Trojan also copies
Dlder.exe to the \Windows folder.



NOTE: Do not confuse the Trojan, which is copied as
\Windows\Explorer\Explorer.exe, with the real Windows Explorer file,
which is also named Explorer.exe. The genuine file is, by default,
stored in the \Windows folder, not the \Windows\Explorer\ folder. The
Trojan creates the \Explorer folder under the Windows folder, and places
the Trojan there.



The Trojan also adds one of the following values:



dlder   C:\windows\explorer\Explorer.exe



dlder   C:\windows\dlder.exe



to the registry key



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run



so that it runs each time that you start Windows.



The Trojan appears to be sending some information (such as User-ID and
IP address) to the following URL:



http:/ /www.2001-007.com



Removal instructions:



To remove this Trojan, delete files that are detected as
W32.DlDer.Trojan, and remove the value that it added to the registry.



To remove the Trojan:

1. Run LiveUpdate to make sure that you have the most recent virus
definitions.

2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
scan all files. For instructions on how to do this, read the document
"How to configure Norton AntiVirus to scan all files."



3. Run a full system scan.

4. Delete all files that are detected as W32.DlDer.Trojan.



To edit the registry:



CAUTION: We strongly recommend that you back up the system registry
before you make any changes. Incorrect changes to the registry could
result in permanent data loss or corrupted files. Please make sure that
you modify only the keys that are specified. Please see the document
"How to back up the Windows registry" before you proceed.

1. Click Start, and click Run. The Run dialog box appears.

2. Type regedit and then click OK. The Registry Editor opens.

3. Navigate to the following key:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run



4. In the right pane, delete any of the following values that exist:



dlder   C:\windows\explorer\Explorer.exe



dlder   C:\windows\dlder.exe



5. Navigate to and delete the following subkey:



HKEY_LOCAL_MACHINE\Software\Games\Clicktilluwin



6. Click Registry, and then click Exit.


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html
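
Added example, not part of the original message or of Symantec's write-up: a Python check that reads the text of a .reg export and reports the Run values and the Clicktilluwin subkey named in the advisory above. It goes slightly beyond the advisory by also flagging any Run entry that uses the name Explorer.exe outside C:\Windows; the function names, the sample export and the assumed default Windows folder are constructed for illustration.

```python
import ntpath
import re

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
ADWARE_KEY = r"hkey_local_machine\software\games\clicktilluwin"
# Indicators from the advisory text, lower-cased for case-insensitive matching.
ADVISORY_PATHS = {r"c:\windows\explorer\explorer.exe", r"c:\windows\dlder.exe"}
# Assumption: the genuine Explorer.exe sits directly in C:\Windows (the default).
EXPECTED_DIR = {"explorer.exe": r"c:\windows"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):  # .reg strings escape backslash and quote with a backslash
    return re.sub(r"\\(.)", r"\1", text)

def check_export(reg_text):
    """Return (name or key, data, reason) findings for a .reg export."""
    findings, key = [], ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            if key == ADWARE_KEY or key.startswith(ADWARE_KEY + "\\"):
                findings.append((line[1:-1], "", "subkey named in advisory"))
            continue
        m = VALUE_RE.match(line)
        if key != RUN_KEY or not m:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        # Keep only the executable path: drop quotes and command-line arguments.
        exe_m = re.match(r'"?(.+?\.exe)\b', data, re.I)
        exe = (exe_m.group(1) if exe_m else data).lower()
        folder, base = ntpath.split(exe)
        if exe in ADVISORY_PATHS:
            findings.append((name, data, "Run value listed in advisory"))
        elif folder and EXPECTED_DIR.get(base, folder) != folder:
            findings.append((name, data, "system file name in unexpected folder"))
    return findings

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Games\Clicktilluwin]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"dlder"="C:\\WINDOWS\\Explorer\\Explorer.exe"
"Shell"="C:\\Temp\\explorer.exe /startup"
"Desktop"="C:\\Windows\\Explorer.exe"
'''

if __name__ == "__main__":
    print(*check_export(SAMPLE), sep="\n")
```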

