See below for Questions and Answers on this case.
If you don't want to run the DlDer program on your system, you can remove it by deleting both trojan components from your system. If these components can't be deleted (locked files) they should be deleted from pure DOS (in case of Windows 9x system) or renamed with different extensions (EXA for example) with immediate system restart (in case of Windows NT/2000/XP system).
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
This two-component spyware-trojan was discovered in the end of December 2001. The DlDer spyware-trojan was supposed to be an on-line lottery game with an adware component that had to display advertisement and offers. But the way it was implemented and dropped to users' systems made anti-virus vendors consider it a spyware-trojan. Do note that DlDer is NOT a virus, as it doesn't spread.
The trojan being installed on a user's system downloads or upgrades its main component that connects to a website and reports user's ID (unique for each computer), IP address, web browser a user is using and URLs that a web browser opens.
The DlDer spyware-trojan was installed with LimeWire, Kazaa, Grokster and some other software packages that are mainly used for user-to-user file exchange purposes (now most of these packages are distributed without DlDer trojan components). The trojan was installed even if a user selected not to install any additional (spyware) components from those packages during setup phase or was just hiddenly dropped to a user's system.
The main component of the trojan is Explorer.exe file that is located in main Windows folder in \Explorer\ subfolder (do not mix with the original Windows' Explorer.exe that is located in main Windows folder, usually C:\Windows or C:\WinNT). This component is downloaded or upgraded by the second trojan component (downloader) that has the name 'DlDer.exe' and is located in main Windows folder.
The DlDer.exe trojan component when it is started after installation of the above listed software packages, downloads Explorer.exe file from a website and puts it to \Explorer\subfolder of main Windows folder. Then the trojan creates a startup key for the downloaded Explorer.exe file. On next system restart the Explorer.exe file is activated and it creates a startup key for DlDer.exe file (trojan components activate each other). Then Explorer.exe starts to regularly connect to a website and report user's ID (unique number), IP address, web browser and URLs that a user visits to that site.
A: On December the 28th, when we got a sample of it sent in by a customer.
A: A system admin from a large corporation had found DlDer.exe on one of his computer and had detected it created network activity. He was concerned about the program. As we researched the program and saw the spying activity, we added detection of the program, just like we do for any other spying/trojan type of programs we see. We did get several similar submissions from different countries.
A: For several reasons:
We believe detecting this program is in the best interest of our users.
However, we have talked to the vendor behind the software, and we believe they have operated in good faith. They have promised to change the intrusive functionality of the program in future versions.
A: Yes, it could. The technique where it monitors web site URLs accessed by the user is intrusive and dangerous. For example, if the user accesses a web page in an intranet or a password-protected site which stores user info to the URL, the user could be passing this data in unencrypted form over the internet to an unknown party.
Such URLs could be, for example:
http://intranet.company.com/intra/draft-press-releases/merger-with-ibm.doc http://www.shop.company.com/login.cgi?username=john&password=secret123 etc
DlDer also downloads exe files over an unprotected internet connection without any authentication, creating a possible security hole.
A: If they want to continue in this line of business, we suggest they develop a new version of their application. One which wouldn't force itself to be installed and which would notify the user of the monitoring it does. As this would be a new program, it wouldn't be detected by existing anti-virus programs, and if the program would behave better, there's no reason it would be detected in the future either.
A: No
A: You can still run DlDer, by simply excluding it from detection. This is done in F-Secure Anti-Virus by double-clicking on the "F" logo in system tray, selecting F-Secure Anti-Virus, selecting Real-Time Protection, checking "Exclude object" and choosing Select to browse to two files:
c:\windows\dlder.exe and c:\windows\explorer\explorer.exe
If you have any further questions, please e-mail them to: anti-virus-support@f-secure.com