Dlder Trojan Information
Name: Dlder
Category: Trojan
Advice: Remove
Risk: Severe Risk
Severe threats are typically remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any user interaction, and exploits are in the wild. There is a high probability of system damage or a security flaw: an attacker can gain complete control of your computer or install new software on it.
Description:
DlDer is a spyware application that sends personal information to a server.
This two-component spyware trojan was discovered at the end of December 2001. DlDer was presented as an online lottery game with an adware component that displayed advertisements and offers. The way it was implemented and dropped onto users' systems led anti-virus vendors to classify it as a spyware trojan. Note that DlDer is NOT a virus, as it does not spread on its own.
Once installed on a user's system, the trojan downloads or upgrades its main component, which connects to a website and reports the user's ID (unique to each computer), IP address, the web browser in use, and the URLs that the browser opens.
The DlDer spyware trojan was bundled with LimeWire, Kazaa, Grokster and some other software packages used mainly for peer-to-peer file exchange (most of these packages are now distributed without the DlDer components). The trojan was installed even when the user chose not to install any additional (spyware) components during setup, or was simply dropped onto the user's system without notice.
When the DlDer.exe component is started after installation of one of the packages listed above, it downloads a file named Explorer.exe from a website and places it in the Explorer subfolder of the main Windows folder. The trojan then creates a startup key for the downloaded Explorer.exe. On the next system restart, Explorer.exe is activated and creates a startup key for DlDer.exe, so the two components re-establish each other's persistence. Explorer.exe then connects to a website at regular intervals and reports the user's ID (a unique number), IP address, web browser and the URLs the user visits.
The trojan drops a file called explorer.exe in "%WinDir%\explorer". The legitimate explorer.exe is located directly in %WinDir% and should not be deleted.
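As an added defensive check (not part of the original page), the following Python flags the layout described above: an explorer.exe under the %WinDir%\explorer subfolder rather than at %WinDir%\explorer.exe, and Run-key entries that point at it or at DlDer.exe. The Windows folder path and the Run-key values are constructed sample data, not captured from a real host.

```python
from pathlib import PureWindowsPath

# Assumption: default Windows folder; a live check would read %WinDir% from the environment.
WINDIR = PureWindowsPath(r"C:\Windows")

# Constructed sample of Run-key values (value name -> command line); not from a real host.
SAMPLE_RUN_KEYS = {
    "SystemTray": r"C:\Windows\System32\SysTray.exe",
    "Explorer": r'"C:\Windows\explorer\explorer.exe"',
    "dlder": r'"C:\Program Files\SampleApp\dlder.exe" /quiet',
}


def exe_from_command(cmd: str) -> str:
    """Return the executable path from a Run-key command line (quoted or unquoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_legit_explorer(path: str) -> bool:
    r"""The real shell binary lives exactly at %WinDir%\explorer.exe (paths compare case-insensitively)."""
    p = PureWindowsPath(path)
    return p.name.lower() == "explorer.exe" and p.parent == WINDIR


def is_suspect_path(path: str) -> bool:
    r"""Flag explorer.exe anywhere other than %WinDir% itself (e.g. the %WinDir%\explorer drop folder),
    and any DlDer.exe."""
    name = PureWindowsPath(path).name.lower()
    if name == "explorer.exe":
        return not is_legit_explorer(path)
    return name == "dlder.exe"


def suspicious_run_entries(run_keys: dict) -> list:
    """Names of Run-key values whose command points at a suspect binary, sorted for stable output."""
    return sorted(name for name, cmd in run_keys.items()
                  if is_suspect_path(exe_from_command(cmd)))


def both_components_present(run_keys: dict) -> bool:
    """The two components re-create each other's startup keys, so a live infection normally shows both."""
    suspect = {PureWindowsPath(exe_from_command(cmd)).name.lower()
               for cmd in run_keys.values() if is_suspect_path(exe_from_command(cmd))}
    return {"explorer.exe", "dlder.exe"} <= suspect
```

Running suspicious_run_entries(SAMPLE_RUN_KEYS) on the constructed data returns the "Explorer" and "dlder" entries while leaving the SysTray entry alone.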
Signatures:
process: explorer.exe: MD5 Hash: b043b9a324ba308758a...
process: explorer.exe: MD5 Hash: ..
Type:
Trojan - Spyware's primary purpose is to collect demographic and usage information from your computer, usually for advertising purposes. Spyware is usually software that 'sneaks' onto a system or performs other activities hidden from the user. Spyware programs are usually bundled as a hidden component and downloaded from the Internet. These modules are almost always installed on the system covertly and try to run covertly as well.