| Description:
|
Details
Trojan.Win32.Dlder.a
This text was written by Alexey Podrezov, F-Secure Corp.
This two-component spyware-Trojan was discovered at the end of December 2001. Once the Trojan is installed on a user's system, it constantly upgrades its main component that connects to the 2001-007.com Web site and reports a user's ID, the Web browser being used and all URLs and all its child windows open. The Trojan violates a user's privacy and opens a security hole in the system by downloading and activating executable files.
This spyware-Trojan is installed with LimeWire, Kazaa and some other software packages along with other spyware. The Trojan is installed even if a user selects not to install any additional components from these packages.
The main Trojan component is an Explorer.exe file that is located in a Windows folder in Explorer subfolder (do not mistake it with the original Windows Explorer.exe). This component is constantly upgraded by the second Trojan component that has the name 'DlDer.exe' and is located in a Windows folder.
The DlDer.exe file, when it is started, downloads an Explorer.exe file from a Web site, and puts it in a WindowsExplorer folder. Then the Trojan creates a start-up key for the Explorer.exe file. Upon the next system restart, the Explorer.exe file is activated, and it creates a start-up key for the DlDer.exe file, and starts to connect to the aforementioned 2001-007.com Web site, reporting a user's ID, Web browser and all URLs visited by a user.
We recommend deleting both Trojan components from an infected system. If these components can't be deleted (locked files), they should be deleted from a pure DOS (in the case of a Windows 9x system), or renamed with different extensions (EXA for example) with immediate system restart (in case of Windows NT/2000/XP system). |
