Additional Details
This two-component spyware-trojan was discovered at the end of
December 2001. The DlDer spyware-trojan was meant to be an
on-line lottery game with an adware component that was supposed to
display advertisements and offers. But the way it was implemented and
dropped onto users' systems made anti-virus vendors consider it a
spyware-trojan. Do note that DlDer is NOT a virus, as it
doesn't spread.
Once installed on a user's system, the trojan downloads or
upgrades its main component, which connects to a website
and reports the user's ID (a number unique to each computer), the IP
address, the web browser in use, and the URLs that the browser opens.
The DlDer spyware-trojan was installed with LimeWire, Kazaa,
Grokster and some other software packages that are mainly used
for user-to-user file exchange (most of these packages are now
distributed without the DlDer trojan components). The
trojan was installed even if a user chose not to install any
additional (spyware) components from those packages during the setup
phase, or was simply dropped silently onto a user's system.
The main component of the trojan is an Explorer.exe file located
in the \Explorer\ subfolder of the main Windows folder (not to be
confused with Windows' own Explorer.exe, which is located directly in
the main Windows folder, usually C:\Windows or C:\WinNT). This
component is downloaded or upgraded by the second trojan
component (the downloader), which is named 'DlDer.exe' and is
located in the main Windows folder.
When the DlDer.exe trojan component is started after
installation of the software packages listed above, it downloads the
Explorer.exe file from a website and puts it in the \Explorer\
subfolder of the main Windows folder. Then the trojan creates a
startup key for the downloaded Explorer.exe file. On the next system
restart the Explorer.exe file is activated and it creates a
startup key for the DlDer.exe file (the trojan components activate each
other). Then Explorer.exe starts to regularly connect to
a website and report the user's ID (unique number), IP
address, web browser and the URLs the user visits to that site.
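The description above gives a defender four host indicators: the two files and the two startup entries that point at each other. The following script is an added example, not an F-Secure tool, that checks for exactly those indicators. Two things are assumptions rather than statements from the page: that the "startup key" is a value under the standard HKLM or HKCU Run key, and that the main Windows folder is C:\Windows. The assess() function is pure, so it runs against a constructed host snapshot on any operating system; collect_live() reads the real registry and file system and only works on Windows.

```python
"""Host indicator check for the two DlDer components described above.

Added example, not an F-Secure tool. Assumptions not stated on the page:
the "startup key" is a value under the standard Run key of HKLM or HKCU,
and the main Windows folder is C:\\Windows. assess() is a pure function so
it can be exercised against a constructed snapshot on any OS; collect_live()
reads the real registry and file system and only works on Windows.
"""
import ntpath
import sys

WINDIR = r"C:\Windows"                                  # assumption: "main Windows folder"
DOWNLOADER = ntpath.join(WINDIR, "DlDer.exe")            # downloader component
MAIN = ntpath.join(WINDIR, "Explorer", "Explorer.exe")   # main component (reports URLs)
LEGIT_EXPLORER = ntpath.join(WINDIR, "Explorer.exe")     # Windows' own shell: must NOT be flagged

# Assumption: the autostart entries live under one of these Run keys.
RUN_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]


def _norm(path):
    """Case-insensitive, separator-normalised Windows path; ntpath works on any OS."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def _exe_from_command(cmd):
    """Extract the executable from a Run value like '"C:\\x\\y.exe" /arg' or 'C:\\x\\y.exe'.
    Unquoted paths containing spaces are ambiguous on Windows too; the first token is taken."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return _norm(cmd[1:].split('"', 1)[0])
    return _norm(cmd.split(" ", 1)[0])


def assess(files_present, run_values):
    """files_present: paths that exist on the host; run_values: {value_name: command}.
    Returns (verdict, indicators). 'infected' needs both files plus both autostart
    entries, i.e. the mutual activation the page describes; anything less is
    'suspicious' (partial remnants or an interrupted install)."""
    present = {_norm(p) for p in files_present}
    autostart = {_exe_from_command(c) for c in run_values.values()}
    found = {
        "downloader_file": _norm(DOWNLOADER) in present,
        "main_file": _norm(MAIN) in present,
        "downloader_autostart": _norm(DOWNLOADER) in autostart,
        "main_autostart": _norm(MAIN) in autostart,
    }
    if all(found.values()):
        verdict = "infected"
    elif any(found.values()):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, found


def collect_live():
    """Windows only: enumerate the Run keys and check the three paths on this host."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; call assess() on a snapshot instead")
    import os
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    run_values = {}
    for hive, sub in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], sub) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break          # no more values under this key
                    run_values[hive + "\\" + sub + "\\" + name] = str(data)
                    i += 1
        except OSError:
            continue                   # key absent in this hive
    files = [p for p in (DOWNLOADER, MAIN, LEGIT_EXPLORER) if os.path.exists(p)]
    return files, run_values


if __name__ == "__main__":
    # Constructed snapshot of an infected host (not real data): both files and both
    # Run values, with the legitimate shell present as a decoy that must stay unflagged.
    snapshot_files = [DOWNLOADER, MAIN, LEGIT_EXPLORER]
    snapshot_run = {"DlDer": DOWNLOADER, "Explorer": '"%s"' % MAIN}
    print(assess(snapshot_files, snapshot_run))
```

The path comparison goes through ntpath rather than os.path so that the same normalisation (lower-casing, backslashes) applies whether the snapshot is analysed on Windows or on an analyst's Linux box; the decoy entry for Windows' own Explorer.exe in the demo shows that the check distinguishes the \Explorer\ subfolder from the real shell.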
REMOVAL
If you don't want to run the DlDer program on your system,
you can remove it by deleting both trojan components from your
system. If these components can't be deleted (locked files), they
should be deleted from pure DOS (in the case of a Windows 9x system) or
renamed with a different extension (EXA, for example) followed by an
immediate system restart (in the case of a Windows NT/2000/XP system).
QUESTIONS & ANSWERS
Q: When did you first hear about this DlDer program?
A: On December the 28th, when we got a sample of it sent in by
a customer.
Q: Why did you add detection of it?
A: A system admin from a large corporation had found DlDer.exe on
one of his computers and had detected that it created network activity.
He was concerned about the program. As we researched the program
and saw the spying activity, we added detection of the program,
just like we do for any other spying/trojan type of programs we
see. We did get several similar submissions from different countries.
Q: Why didn't you remove detection once you realised DlDer wasn't
made by a teenage hacker but by a real US-based company?
A: For several reasons:
1) The program is installed on the user's system even if the user explicitly says he doesn't want it
2) The program is designed to be hidden
3) The program spies on the user and sends confidential information to a private site
4) The program downloads additional unsigned executable code from the net and runs it
We believe detecting this program is in the best interest of our users.
However, we have talked to the vendor behind the software, and we believe
they have operated in good faith. They have promised to change the intrusive
functionality of the program in future versions.
Q: Could DlDer really cause damage?
A: Yes, it could. The technique where it monitors web site URLs accessed
by the user is intrusive and dangerous. For example, if the user accesses
a web page in an intranet or a password-protected site which stores
user info to the URL, the user could be passing this data in unencrypted
form over the internet to an unknown party.
Such URLs could be, for example:
http://intranet.company.com/intra/draft-press-releases/merger-with-ibm.doc
http://www.shop.company.com/login.cgi?username=john&password=secret123
etc
DlDer also downloads exe files over an unprotected internet connection without
any authentication, creating a possible security hole.
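The two example URLs above are the kind of thing a defender wants to find in proxy or egress logs before an unwanted reporter ships them elsewhere, and they also show what any telemetry that records URLs should strip first. The following script is an added example and not part of the original advisory: it flags URLs that carry credentials in the query string or authority, or that name an internal host, and shows the redacted form a well-behaved logger would keep. The log line format is constructed, and the internal-host heuristics (private IP, an "intranet" label, .local/.corp style suffixes, single-label names) and the parameter name list are common conventions, not anything stated on the page.

```python
"""Flag URLs that would expose data if a component like DlDer reported them.

Added example, not part of the original advisory. Assumptions: the log
format is a constructed 'timestamp client method url' line, the internal
host heuristics (private IP, intranet label, .local/.corp suffix,
single-label name) are typical conventions rather than anything stated on
the page, and the parameter names are a common starting list.
"""
import ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters whose values identify or authenticate the user.
SENSITIVE_PARAMS = {"username", "user", "login", "email", "password", "passwd",
                    "pwd", "pass", "token", "session", "sessionid", "sid",
                    "apikey", "api_key", "auth"}
INTERNAL_SUFFIXES = (".local", ".internal", ".corp", ".lan")  # assumption
INTERNAL_LABELS = ("intranet", "intra")                         # assumption


def is_internal_host(host):
    """Heuristic: is this host something an outside party should never learn about?"""
    host = (host or "").lower().rstrip(".")
    if not host:
        return False
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        pass                                   # not an IP literal, check the name
    return (host.endswith(INTERNAL_SUFFIXES)
            or host.split(".")[0] in INTERNAL_LABELS
            or "." not in host)                # single-label names resolve only inside a LAN


def findings(url):
    """Return a list of reasons this URL is sensitive; empty means nothing found."""
    parts = urlsplit(url)
    out = []
    if parts.username or parts.password:
        out.append("credentials embedded in the authority (user:pass@host)")
    if is_internal_host(parts.hostname):
        out.append("internal host %s" % parts.hostname)
    for key, _ in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            out.append("sensitive query parameter '%s'" % key)
    return out


def redact(url):
    """What a well-behaved reporter or logger should store instead: sensitive
    parameter values replaced, embedded credentials removed."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    netloc = parts.hostname or ""              # drops any user:pass@ prefix
    if parts.port:
        netloc += ":%d" % parts.port
    return urlunsplit((parts.scheme, netloc, parts.path, urlencode(query), parts.fragment))


def scan_log(lines):
    """Return [(url, findings)] for every log line whose URL has at least one finding."""
    hits = []
    for line in lines:
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue                           # malformed line, skip
        url = fields[3].strip()
        why = findings(url)
        if why:
            hits.append((url, why))
    return hits


# Constructed proxy log (not real traffic); the first two URLs are the page's own examples.
SAMPLE_LOG = [
    "2001-12-28T10:15:02 10.1.2.3 GET http://intranet.company.com/intra/draft-press-releases/merger-with-ibm.doc",
    "2001-12-28T10:16:40 10.1.2.3 GET http://www.shop.company.com/login.cgi?username=john&password=secret123",
    "2001-12-28T10:17:05 10.1.2.3 GET https://www.example.com/news",
    "2001-12-28T10:18:11 10.1.2.3 GET http://admin:hunter2@10.0.0.5/status",
]

if __name__ == "__main__":
    for url, why in scan_log(SAMPLE_LOG):
        print(url, "->", "; ".join(why))
        print("  safe to log as:", redact(url))
```

Note that TLS does not help against the risk the advisory describes: a component running in the browser's own session sees the full URL before encryption, so the only real protection is not to put secrets in URLs in the first place, and for anything that does record URLs to redact them as redact() does.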
Q: What do you suggest the DlDer developers should do?
A: If they want to continue in this line of business, we suggest they
develop a new version of their application. One which wouldn't force
itself to be installed and which would notify the user of the monitoring
it does. As this would be a new program, it wouldn't be detected by
existing anti-virus programs, and if the program would behave better,
there's no reason it would be detected in the future either.
Q: Have you received any complaints from users about detecting this
program?
A: No.
Q: If I don't find DlDer alarming and I'd like to run it, FSAV would
prevent it. What should I do?
A: You can still run DlDer, by simply excluding it from detection. This
is done in F-Secure Anti-Virus by double-clicking on the "F" logo in system
tray, selecting F-Secure Anti-Virus, selecting Real-Time Protection, checking
"Exclude object" and choosing Select to browse to two files:
c:\windows\dlder.exe and
c:\windows\explorer\explorer.exe
If you have any further questions, please e-mail them to:
anti-virus-support@f-secure.com
[F-Secure Anti-Virus Research Team, December 28th, 2001 - January 7th, 2002]