 Gary44
join:2000-03-18
Yorktown Heights, NY | Limewire Installed Trojan A few days ago I downloaded and installed Limewire. Aside from it having installed several other spyware programs that were easily detected and removed by Lavasoft, it installed a file in the Windows folder called dlder.exe. It placed a corresponding line in the registry to make dlder.exe load at start up. Fortunately, ZoneAlarm alerted me that the file was trying to access the Internet and I stopped it from doing so. I "unchecked it" in MSCONFIG so it would not load at start up. After a few days I ran a full system scan with Norton AV. Norton reported that dlder.exe was a trojan virus and safely deleted it.
I'm no expert on security and what I do know has largely come from silently reading posts in this forum. This being said, two lessons that should be taken from this experience:
1) Do not go near Limewire.
2) A two-way firewall is not a luxury, it's a necessity. Had I been using XP's built in one-way firewall the trojan might very well still be running.
Gary |
|
| I have used Limewire in the past, and I know it did not install dlder.exe. Could be an issue with a newer release or a bad download site.
As a program though Limewire sucks, eats up WAY too much bandwidth, as do all similar decentralized P2P progs that send all queries to all users.
--
The more corrupt the State the more numerous the laws. |
|
|
|
Gary44
join:2000-03-18
Yorktown Heights, NY | Trust me, it installed it. I did a newsgroup search and I see another post saying the same thing. It probably is something that has just cropped in the new version. |
|
| reply to Gary44
I believe you that it did install the trojan. I was just saying that when I installed it several months ago it did not.
I will definitely stay away from this prog in the future.
--
The more corrupt the State the more numerous the laws. |
|
Gary44
join:2000-03-18
Yorktown Heights, NY | What do you recommend for a Limewire/Bearshare type file sharing program that does not contain spyware, trojans, etc.? |
|
 Zev0Old SargePremium
join:2001-08-21
Harlingen, TX | Audiognome
www.audiognome.com
IMHO it's the best there is. Not very widely known, but really widely used. I've seen as many as 30,000,000 files available. Mostly MP3's tho, of course. lol |
|
 UglyFishy Cool Bird
join:2001-12-12
The Meadow | reply to Gary44
Boy, it is a shame that Limewire has turned to the dark side.
This had some promise as Napster withered.
--
A happy ex-Verizon customer! |
|
| reply to Gary44
Lately I've been using audiogalaxy to get MP3s. Doesn't take nearly as much bandwidth as a gnutella (i.e. limewire, morpheus, bearshare) based system.
One day at work our head IT guy gave me a call and pointed out that I had received several hundred megabytes of bandwidth, because I had left limewire on (he was using a cool little program called little brother). Gnutella based solutions are real bandwidth hogs since all query requests get send to all PCs (kind of like a hub).
--
The more corrupt the State the more numerous the laws. |
|
| reply to Gary44
I'm using Linux. How would I identify whether it installed a trojan? I installed it as a regular user (not root), so I don't think much damage could be done. Then again, how would I know? I have iptables installed, but I'm not sure where it logs all its stuff  (most likely under /var/log/ somewhere)
Thanks. |
|
raillex
join:2001-06-26
Libertyville, IL | reply to Gary44
I downloaded Limewire last Tuesday and used it to
locate and download MP3s. Unfortunately, I discovered that the program not only installs Aureate and Cydoor spyware, but also a trojan called backdoor-g-1.
The backdoor-g-1 trojan is buried in a compressed file named
"ctywinstaller.exe" which is created during the Limewire installation process. The program then creates a file called "dlder.exe" in the Windows directory. Both of these were detected by Norton Antivirus.
Uninstalling the Limewire software using Windows add/remove programs actually REinstalled the trojan after I had removed the original and thought all was well.
This trojan is particularly pernicious in that it changed (or -shudder- allowed someone who subsequently hacked into my system from a remote location to change) one of my Norton Internet Security firewall rules to expressly permit inbound and outbound communications with BackOrifice. The mere possibility that someone might have successfully hacked into my system led me to replace all the files on my hard drive with a backup stored on a Norton Ghost CD.
Nasty stuff. |
|
| reply to Gary44
Just emailed them about this, curious if I'll get a response. |
|
| Removed
[text was edited by author 2001-12-30 00:55:14] |
|
 Lurkers incDon't Call Me Doink
join:2001-10-13
Seattle, WA | reply to Gary44
said by Gary44:
Trust me, it installed it. I did a newsgroup search and I see another post saying the same thing. It probably is something that has just cropped in the new version.
I was just reading this link about another file sharing program I never heard of called "Grokster" allegedly installing "dlder.exe" and wonder if it might be a new advertising component or just a coincidence?
Paul, |
|
| See here for another on Kazaa named DLDER.exe: »Kazaa + Trojan
--
With a wish of a happy new year.
[text was edited by author 2001-12-30 03:42:12] |
|
raillex
join:2001-06-26
Libertyville, IL | reply to Gary44
Hmmm...Norton reported the dlder.exe on my system as being infected with the backdoor-g-1 trojan. |
|
| reply to Gary44
Also check for c:\program files\adp\bin\adp.exe...
This is put on by LimeWire also, there's no option to disable it, and I think its responsible for the ad windows that popped up on my desktop without any warning at all (in IE windows), that is I was doing nothing on the computer and the ads popped up.
Not a trojan but a rather obtrusive piece of adware.
--
The more corrupt the State the more numerous the laws. |
|
Gary44
join:2000-03-18
Yorktown Heights, NY | If you haven't already, you should run Lavasoft's Ad-Aware. It found several items, including registry keys for the spyware "cydoor." Everything it discovered was installed by Limewire. |
|
| reply to Gary44
I don't think ad-aware detected adp, but then again one of my other progs might have detected the change to hklm\..\run and then I would have just deleted the files before I ran ad-aware. |
|
Gary44
join:2000-03-18
Yorktown Heights, NY | I just found this regarding DLDER.EXE:
»www.europe.f-secure.com/v-descs/dlder.shtml |
|
 WildcatboyInvisiblePremium,Mod
join:2000-10-30
Toronto, ON
kudos:2
Security Product V..
Security
| reply to Gary44
dlder.exe indeed is a Trojan. Not a spyware, a genuine backdoor Trojan. Did you guys download Kazaa and limewire from their official sites or through another link? As unfortunate as it sounds it's becoming acceptable for applications to include spyware but including a Trojan is not an acceptable practice. At least not yet.
--
You can catch the Devil, but you can't hold him long. |
|
