This two-component spyware-trojan was discovered in the end of
December 2001. The DlDer spyware-trojan was supposed to be an
on-line lottery game with an adware
component that had to display advertisement and offers. But the way it was implemented and
dropped to users' systems made anti-virus vendors consider it a
spyware-trojan. Do note that DlDer is NOT a virus, as it
The trojan being installed on a user's system downloads or
upgrades its main component that connects to a website
and reports user's ID (unique for each computer), IP address, web
browser a user is using and URLs that a web browser opens.
The DlDer spyware-trojan was installed with LimeWire, Kazaa,
Grokster and some other software packages that are mainly used
for user-to-user file exchange purposes (now most of these
packages are distributed without DlDer trojan components). The
trojan was installed even if a user selected not to install any
additional (spyware) components from those packages during setup
phase or was just hiddenly dropped to a user's system.
The main component of the trojan is Explorer.exe file that is
located in main Windows folder in \Explorer\ subfolder (do not
mix with the original Windows' Explorer.exe that is located in
main Windows folder, usually C:\Windows or C:\WinNT). This
component is downloaded or upgraded by the second trojan
component (downloader) that has the name 'DlDer.exe' and is
located in main Windows folder.
The DlDer.exe trojan component when it is started after
installation of the above listed software packages, downloads
Explorer.exe file from a website and puts it to \Explorer\
subfolder of main Windows folder. Then the trojan creates a
startup key for the downloaded Explorer.exe file. On next system
restart the Explorer.exe file is activated and it creates a
startup key for DlDer.exe file (trojan components activate each
other). Then Explorer.exe starts to regularly connect to
a website and report user's ID (unique number), IP
address, web browser and URLs that a user visits to that site.
If you don't want to run the DlDer program on your system,
you can remove it by deleting both trojan components from your
system. If these components can't be deleted (locked files) they
should be deleted from pure DOS (in case of Windows 9x system) or
renamed with different extensions (EXA for example) with
immediate system restart (in case of Windows NT/2000/XP system).
QUESTIONS & ANSWERS
Q: When did you first hear about this DlDer program?
A: On December the 28th, when we got a sample of it sent in by
Q: Why did you add detection of it?
A: A system admin from a large corporation had found DlDer.exe on
one of his computer and had detected it created network activity.
He was concerned about the program. As we researched the program
and saw the spying activity, we added detection of the program,
just like we do for any other spying/trojan type of programs we
see. We did get several similar submissions from different countries.
Q: Why didn't you remove detection once you realised DlDer wasn't
made by a teenage hacker but by a real US-based company?
A: For several reasons:
1) The program is installed to users system even if the user explicitly says he doesn't want it
2) The program is designed to be hidden
3) The program spies the user and sends confidential information to a private site
4) The program downloads additional unsigned executable code from the net and runs it
We believe detecting this program is in the best interest of our users.
However, we have talked to the vendor behind the software, and we believe
they have operated in good faith. They have promised to change the intrusive
functionality of the program in future versions.
Q: Could DlDer really cause damage?
A: Yes, it could. The technique where it monitors web site URLs accessed
by the user is intrusive and dangerous. For example, if the user accesses
a web page in an intranet or a password-protected site which stores
user info to the URL, the user could be passing this data in unencrypted
form over the internet to an unknown party.
Such URLs could be, for example:
DlDer also downloads exe files over an unprotected internet connection without
any authentication, creating a possible security hole.
Q: What do you suggest the DlDer developers should do?
A: If they want to continue in this line of business, we suggest they
develop a new version of their application. One which wouldn't force
itself to be installed and which would notify the user of the monitoring
it does. As this would be a new program, it wouldn't be detected by
existing anti-virus programs, and if the program would behave better,
there's no reason it would be detected in the future either.
Q: Have you received any complaints from users about detecting this
Q: If I don't find DlDer alarming and I'd like to run it, FSAV would
prevent it. What should I do?
A: You can still run DlDer, by simply excluding it from detection. This
is done in F-Secure Anti-Virus by double-clicking on the "F" logo in system
tray, selecting F-Secure Anti-Virus, selecting Real-Time Protection, checking
"Exclude object" and choosing Select to browse to two files:
If you have any further questions, please e-mail them to:
[F-Secure Anti-Virus Research Team, December 28th, 2001 - January 7th, 2002]