
Gary44
join:2000-03-18
Yorktown Heights, NY

Gary44

Member

Limewire Installed Trojan

A few days ago I downloaded and installed Limewire. Aside from it having installed several other spyware programs that were easily detected and removed by Lavasoft, it installed a file in the Windows folder called dlder.exe. It placed a corresponding line in the registry to make dlder.exe load at start up. Fortunately, ZoneAlarm alerted me that the file was trying to access the Internet and I stopped it from doing so. I "unchecked it" in MSCONFIG so it would not load at start up. After a few days I ran a full system scan with Norton AV. Norton reported that dlder.exe was a trojan virus and safely deleted it.

I'm no expert on security and what I do know has largely come from silently reading posts in this forum. This being said, two lessons that should be taken from this experience:

1) Do not go near Limewire.
2) A two-way firewall is not a luxury, it's a necessity. Had I been using XP's built in one-way firewall the trojan might very well still be running.

Gary

rapamatic
join:2001-12-15
Glencoe, IL

rapamatic

Member

I have used Limewire in the past, and I know it did not install dlder.exe. Could be an issue with a newer release or a bad download site.

As a program though Limewire sucks, eats up WAY too much bandwidth, as do all similar decentralized P2P progs that send all queries to all users.

Gary44
join:2000-03-18
Yorktown Heights, NY

Gary44

Member

Trust me, it installed it. I did a newsgroup search and I see another post saying the same thing. It probably is something that has just cropped in the new version.

rapamatic
join:2001-12-15
Glencoe, IL

rapamatic to Gary44

Member

to Gary44
I believe you that it did install the trojan. I was just saying that when I installed it several months ago it did not.

I will definitely stay away from this prog in the future.

Gary44
join:2000-03-18
Yorktown Heights, NY

Gary44

Member

What do you recommend for a Limewire/Bearshare type file sharing program that does not contain spyware, trojans, etc.?
Zev0 (banned)
Old Sarge
join:2001-08-21
Deep Space

Zev0 (banned)

Member

Audiognome
www.audiognome.com
IMHO it's the best there is. Not very widely known, but really widely used. I've seen as many as 30,000,000 files available. Mostly MP3's tho, of course. lol

Ugly
Fishy Cool Bird
join:2001-12-12
The Meadow

Ugly to Gary44

Member

to Gary44
Boy, it is a shame that Limewire has turned to the dark side.
This had some promise as Napster withered.

rapamatic
join:2001-12-15
Glencoe, IL

rapamatic to Gary44

Member

to Gary44
Lately I've been using audiogalaxy to get MP3s. Doesn't take nearly as much bandwidth as a gnutella (i.e. limewire, morpheus, bearshare) based system.

One day at work our head IT guy gave me a call and pointed out that I had received several hundred megabytes of bandwidth, because I had left limewire on (he was using a cool little program called little brother). Gnutella based solutions are real bandwidth hogs since all query requests get sent to all PCs (kind of like a hub).
sburnett_2000
join:2001-08-01
USA

sburnett_2000 to Gary44

Member

to Gary44
I'm using Linux. How would I identify whether it installed a trojan? I installed it as a regular user (not root), so I don't think much damage could be done. Then again, how would I know? I have iptables installed, but I'm not sure where it logs all its stuff (most likely under /var/log/ somewhere)

Thanks.
raillex
join:2001-06-26
Libertyville, IL

raillex to Gary44

Member

to Gary44
I downloaded Limewire last Tuesday and used it to locate and download MP3s. Unfortunately, I discovered that the program not only installs Aureate and Cydoor spyware, but also a trojan called backdoor-g-1.

The backdoor-g-1 trojan is buried in a compressed file named "ctywinstaller.exe" which is created during the Limewire installation process. The program then creates a file called "dlder.exe" in the Windows directory. Both of these were detected by Norton Antivirus.

Uninstalling the Limewire software using Windows add/remove programs actually REinstalled the trojan after I had removed the original and thought all was well.

This trojan is particularly pernicious in that it changed (or -shudder- allowed someone who subsequently hacked into my system from a remote location to change) one of my Norton Internet Security firewall rules to expressly permit inbound and outbound communications with BackOrifice. The mere possibility that someone might have successfully hacked into my system led me to replace all the files on my hard drive with a backup stored on a Norton Ghost CD.

Nasty stuff.

rapamatic
join:2001-12-15
Glencoe, IL

rapamatic to Gary44

Member

to Gary44
Just emailed them about this, curious if I'll get a response.

Frosties
Premium Member
join:2001-10-01
Sweden

Frosties

Premium Member

Removed
[text was edited by author 2001-12-30 00:55:14]

Lurkers inc
Don't Call Me Doink
join:2001-10-13
Seattle, WA

Lurkers inc to Gary44

Member

to Gary44
said by Gary44:
Trust me, it installed it. I did a newsgroup search and I see another post saying the same thing. It probably is something that has just cropped in the new version.
I was just reading this link about another file sharing program I never heard of called "Grokster" allegedly installing "dlder.exe" and wonder if it might be a new advertising component or just a coincidence?

Paul,

Frosties
Premium Member
join:2001-10-01
Sweden

Frosties

Premium Member

See here for another on Kazaa named DLDER.exe: »Kazaa + Trojan
raillex
join:2001-06-26
Libertyville, IL

raillex to Gary44

Member

to Gary44
Hmmm...Norton reported the dlder.exe on my system as being infected with the backdoor-g-1 trojan.

rapamatic
join:2001-12-15
Glencoe, IL

rapamatic to Gary44

Member

to Gary44
Also check for c:\program files\adp\bin\adp.exe...

This is put on by LimeWire also, there's no option to disable it, and I think it's responsible for the ad windows that popped up on my desktop without any warning at all (in IE windows), that is I was doing nothing on the computer and the ads popped up.

Not a trojan but a rather obtrusive piece of adware.

Gary44
join:2000-03-18
Yorktown Heights, NY

Gary44

Member

If you haven't already, you should run Lavasoft's Ad-Aware. It found several items, including registry keys for the spyware "cydoor." Everything it discovered was installed by Limewire.

rapamatic
join:2001-12-15
Glencoe, IL

rapamatic to Gary44

Member

to Gary44
I don't think ad-aware detected adp, but then again one of my other progs might have detected the change to hklm\..\run and then I would have just deleted the files before I ran ad-aware.
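The startup entries discussed in this thread (the registry line that loads dlder.exe, the change to hklm\..\run) can be checked offline from a regedit text export. This is an added example, not part of any post; the Run-family key names, the REGEDIT4 export format and every value in the sample are assumptions or constructed data, and only the three file names come from the thread.

```python
import ntpath
import re

# File names reported by posters in this thread.
REPORTED_NAMES = {"dlder.exe", "ctywinstaller.exe", "adp.exe"}
# Assumed standard autostart key names (thread says only "hklm\..\run").
AUTOSTART_SUFFIXES = ("\\run", "\\runonce", "\\runservices")
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r"(.*?\.(?:exe|com|bat|scr))(?:\s|$)", re.IGNORECASE)

# Constructed sample of a regedit text export (not data from the thread).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zonealarm.exe"
"dlder"="C:\\WINDOWS\\dlder.exe"
"ADP"="\"C:\\Program Files\\adp\\bin\\adp.exe\" /startup"

[HKEY_LOCAL_MACHINE\Software\Example\Settings]
"LastFile"="C:\\WINDOWS\\dlder.exe"
'''

def unescape(text):
    """Undo regedit's backslash escaping inside a quoted string."""
    return re.sub(r"\\(.)", r"\1", text)

def command_basename(command):
    """Lower-cased executable file name from an autostart command line."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        match = EXE_RE.match(command)  # keeps unquoted paths with spaces whole
        exe = match.group(1) if match else command
    return ntpath.basename(exe).lower()

def scan_reg_export(text):
    """Return (key, value name, command) for flagged autostart entries."""
    findings, key = [], None
    for line in map(str.strip, text.splitlines()):
        section, value = SECTION_RE.match(line), VALUE_RE.match(line)
        if section:
            key = section.group("key")
        elif value and key and key.lower().endswith(AUTOSTART_SUFFIXES):
            command = unescape(value.group("data"))
            if command_basename(command) in REPORTED_NAMES:
                findings.append((key, unescape(value.group("name")), command))
    return findings
```

A match on file name alone is only a lead for further inspection; the same name outside an autostart key (the `Settings` entry in the sample) is deliberately ignored.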

Gary44
join:2000-03-18
Yorktown Heights, NY

Gary44

Member

I just found this regarding DLDER.EXE:
»www.europe.f-secure.com/ ··· er.shtml

Wildcatboy
Invisible
Mod
join:2000-10-30
Toronto, ON

Wildcatboy to Gary44

Mod

to Gary44

dlder.exe indeed is a Trojan. Not a spyware, a genuine backdoor Trojan. Did you guys download Kazaa and limewire from their official sites or through another link? As unfortunate as it sounds it's becoming acceptable for applications to include spyware but including a Trojan is not an acceptable practice. At least not yet.

dolphins
Clean Up Our Oceans
Premium Member
join:2001-08-22
Westville, NJ

dolphins to Gary44

Premium Member

to Gary44
I had a similar problem with Limewire 6 months or so back but have re-formatted HD since and I don't use share programs anymore because of another problem I had with Bearshare. I consider these programs to be a gamble that I am not willing to take. I do miss using those programs but any scumbag with malicious intent can wreak havoc on anyone allowing their computer to be a server.

I am completely disgusted with the fact that some people just can't be civilized

Frosties
Premium Member
join:2001-10-01
Sweden

Frosties

Premium Member

In the future perhaps the best is for programs to be made available like eudora with different versions, one that cost to not have these built in.

I noted on the site for Limewire that it is open source, but they have programmers working themselves so the distribution should be tested. Perhaps something got through and they did not look carefully enough on the included adware? But more likely is that the program was downloaded from third-party.

Many will question these programs now however it became a part of the distribution. It is two of these filesharing programs that have this trojan in them and several have downloaded it, therefore it looks to me that something has gone wrong.
raillex
join:2001-06-26
Libertyville, IL

raillex to Gary44

Member

to Gary44
Yet another thread regarding this trojan. »www.bearshare.net/forum/ ··· did=8252

dolphins
Clean Up Our Oceans
Premium Member
join:2001-08-22
Westville, NJ

dolphins to Frosties

Premium Member

to Frosties
Most definitely it is the doings of a third party! But how can it be stopped in the future?

Frosties
Premium Member
join:2001-10-01
Sweden

Frosties

Premium Member

Well, the ball is in the court of the user to check the source of the program, a concept that has become fuddled when it comes to file-sharing.

Gary44
join:2000-03-18
Yorktown Heights, NY

Gary44 to Wildcatboy

Member

to Wildcatboy
said by Wildcatboy:
Did you guys download Kazaa and limewire from their official sites or through another link?
I downloaded Limewire from its official site.

jvmorris
I Am The Man Who Was Not There.
MVM
join:2001-04-03
Reston, VA

jvmorris to raillex

MVM

to raillex
said by raillex:
Yet another thread regarding this trojan. »www.bearshare.net/forum/ ··· did=8252
Raillex,
Good catch, and a completely different product, to boot. Indeed, that's the most definitive analysis (in that thread) that I've seen to date on exactly what is happening here.

Just to re-emphasize a point that some may be overlooking in your initial posts on this one: AG/NIS/NPF users should re-examine their firewall rulesets in detail and their firewall event logs for any suspicious activity (to that IP address, in particular).

A ruleset viewer for AG/NIS/NPF can be obtained from Albert Janssen's site at »www.capimonitor.nl/atgua ··· info.htm . A firewall event log viewer (again, for both AG and NIS/NPF) can be obtained from Sven Schaefer's site at »home.debitel.net/user/sv ··· logview/ .

Can anyone respond (knowledgeably) as to whether ZA/ZAP, Tiny, Outpost, or Sygate are also susceptible to having their firewall rules modified by this little beastie?

Nitrousine6
join:2001-01-15
Las Vegas, NV

Nitrousine6

Member

Well I just got done re-installing my operating system earlier. I had uninstalled Gnotella (I couldn't even connect to the servers for some reason) and then I rebooted. I then just happened to find a folder in my startup group called "dlder" and I immediately knew what it was since I had seen it not long before mentioned on another website.

I then went into the ZoneAlarm programs tab and I saw one of the programs listed was "dlder".
Odd thing was I am almost positive I never gave it permission, perhaps by accident I suppose, but I'm not sure.

I'll darn sure never download any of those darn programs anymore. Oh, and I downloaded Gnotella from download.com. I just went there and searched for Gnotella and that's where I got it from. You learn something new every day. I've gotten viruses in the past and I always thought that if I had a firewall that I would know if I ever got another one. Well, if I hadn't looked in my startup files, I might not have known about it for a while longer...

tester566
@attbi.com

tester566 to Gary44

Anon

to Gary44
Check out www.gnucleus.net . I think this program is just as good, or better than LimeWire...without any Spyware.

Frosties
Premium Member
join:2001-10-01
Sweden

Frosties to Nitrousine6

Premium Member

to Nitrousine6
Just one silly paranoid thought that made me smile before I sign off. Could this be the music industry playing hardball?