This spyware trojan consists of two executable files, dlder.exe and C:\Windows\explorer\Explorer.exe.
Infection Method
The dlder.exe spyware file, also functioning as a trojan dropper, is installed by Grokster (1.33), Bearshare (2.4.0b7), LimeWire (2.02), Net2Phone (unspecified versions) and KaZaA (unspecified versions). It may have also been installed by some versions of BonziBUDDY, but this has not been confirmed.
The dlder.exe file is normally written to C:\Windows\dlder.exe. According to multiple sources, the user is asked whether or not they wish to install the "ClickTillUWin" component (carrier of the dlder.exe trojan), but the component may be installed even if the user chooses "NO".
Upon installation, the dlder.exe trojan first connects to the web site www.2001-007.com and transmits data, including a GUID, the user's IP address and browser version. According to this site (Spanish), the request is in the form: http://www.2001-007.com/index.asp?UserURL=GET+/&User_IP=127.0.0.1&userid=127&User_Browser=IE . This URL returns a numeric value that appears to count the number of unique installations.
The dlder.exe software then downloads and installs a trojan file named Explorer.exe from the same site, to C:\Windows\explorer\Explorer.exe (do not confuse this with the required Windows file explorer.exe, located at C:\Windows\explorer.exe). The dlder.exe file then places a Run key in the Registry so that the new Explorer.exe trojan runs at startup.
The dlder.exe trojan will also add a Registry key, HKLM\SOFTWARE\Games\Clicktilluwin. This contains values similar to the following:
The trojan Explorer.exe file then connects to the Internet every few minutes to transfer the assigned GUID and lists of Web sites the user has visited since the last checkin.
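The infection sequence above leaves three things a defender can check for: the beacon request to www.2001-007.com, the two dropped files, and a Run-key entry that launches the trojan Explorer.exe. The following Python script is an added example and is not code from the original page or from any of the vendors named; it assumes a simple "client-ip method url" proxy-log format, the sample log lines and the Run-key value name "Explorer" are constructed for illustration (the page does not give the value name DLDER uses), and the file check is written so that the legitimate C:\Windows\explorer.exe is never reported, only the copy inside the explorer subdirectory.

```python
"""Defender-side indicator checks for the DLDER / ClickTillUWin spyware.

Added example, not from the original page. Covers the three observable
indicators the page describes: the installation beacon to
www.2001-007.com, the dropped files dlder.exe and explorer\\Explorer.exe,
and a Run-key entry pointing at the trojan Explorer.exe.
"""
import os
from urllib.parse import parse_qs, urlsplit

BEACON_HOST = "www.2001-007.com"

# Dropped files, relative to the Windows directory (paths from the page).
INDICATOR_FILES = (
    "dlder.exe",                           # the dropper, C:\Windows\dlder.exe
    os.path.join("explorer", "Explorer.exe"),  # the trojan, NOT C:\Windows\explorer.exe
)

# Constructed sample proxy log lines: "<client-ip> <method> <url>".
# The beacon URL shape is the one quoted on the page; the IPs are made up.
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET http://www.example.com/index.html
10.0.0.7 GET http://www.2001-007.com/index.asp?UserURL=GET+/&User_IP=10.0.0.7&userid=127&User_Browser=IE
10.0.0.9 GET http://www.2001-007.com/explorer.exe
10.0.0.5 GET http://www.example.org/
"""

# Constructed Run-key contents (value name -> command). The value name
# "Explorer" is an assumption; the page only says a Run key is added.
SAMPLE_RUN_VALUES = {
    "SystemTray": "SysTray.Exe",
    "Explorer": "C:\\Windows\\explorer\\Explorer.exe",
}


def find_beacons(log_text):
    """Return (client_ip, path, params) for every request to the beacon host.

    params holds the query fields the page lists (User_IP, userid,
    User_Browser). Other requests to the same host, such as the
    Explorer.exe download, are reported with an empty params dict so
    they are not missed.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # not a well-formed "ip method url" record
        client_ip, url = parts[0], parts[2]
        u = urlsplit(url)
        if u.hostname != BEACON_HOST:
            continue
        params = {k: v[0] for k, v in parse_qs(u.query).items()}
        hits.append((client_ip, u.path, params))
    return hits


def check_windows_dir(windows_dir, isfile=os.path.isfile):
    """Return full paths of the indicator files present under windows_dir.

    windows_dir is normally C:\\Windows, but a mounted image or copied
    tree works as well. isfile is injectable so the logic can be tested
    without touching a real filesystem.
    """
    return [os.path.join(windows_dir, rel)
            for rel in INDICATOR_FILES
            if isfile(os.path.join(windows_dir, rel))]


def _command_target(command):
    """Extract the executable path from a Run-key command string."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_run_values(run_values, windows_dir="C:\\Windows"):
    """Return names of Run-key values that launch the trojan Explorer.exe.

    Matching is on the full target path, case-insensitively, so the
    legitimate C:\\Windows\\explorer.exe does not match.
    """
    trojan = (windows_dir.rstrip("\\/") + "\\explorer\\explorer.exe").lower()
    return [name for name, cmd in run_values.items()
            if _command_target(cmd).lower() == trojan]


if __name__ == "__main__":
    for ip, path, params in find_beacons(SAMPLE_PROXY_LOG):
        print(f"beacon from {ip}: {path} {params}")
    print("dropped files:", check_windows_dir("C:\\Windows"))
    print("suspicious Run values:", suspicious_run_values(SAMPLE_RUN_VALUES))
```

The beacon check is the one worth running against historical proxy logs, since a single hit for the host identifies an infected client even after the files have been cleaned up; the file and Run-key checks are for confirming a suspected host or a disk image.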
This piece of spyware is being reported as a virus or Trojan Horse by some antivirus manufacturers. Some have since backed down and removed the file from their virus signatures, others have not.
Removal Procedure
Grokster, one of the companies that bundled the DLDER software, is offering an application that will remove it. You can get DLDER Remove from Grokster's site.
Manual Removal:
More Info
The ClickTillUWin product was distributed by Cydoor Technologies, makers of the Cydoor Ad-system adware products.
We were not able to reproduce Dlder/ExPlorer behaviour on our Windows 95 test system (POS).
Links
F-Secure Virus Information: Dlder
File Sharing Programs Carry Trojan Horse (C|Net)
File-sharing software users unknowingly accepted tracking program (SFGate)
"All trademarks are hereby acknowledged as the property of their respective owners." So don't even THINK about suing me :)