This spyware trojan consists of two executable files, dlder.exe and C:\Windows\explorer\Explorer.exe.
The dlder.exe spyware file, also functioning as a trojan dropper, is installed by Grokster (1.33), Bearshare (2.4.0b7), LimeWire (2.02), Net2Phone (unspecified versions) and KaZaA (unspecified versions). It may have also been installed by some versions of BonziBUDDY, but this has not been confirmed. The dlder.exe file is normally written to C:\Windows\dlder.exe. According to multiple sources, the user is asked whether or not they wish to install the "ClickTillUWin" component (carrier of the dlder.exe trojan), but the component may be installed even if the user chooses "NO".
Upon installation, the dlder.exe trojan first connects to the web site www.2001-007.com and transmits data, including a GUID, the user's IP address and browser version. According to one site (Spanish), the request is in the form: http://www.2001-007.com/index.asp?UserURL=GET+/&User_IP=127.0.0.1&userid=127&User_Browser=IE. This URL returns a numeric value that appears to count the number of
The dlder.exe software then downloads and installs a trojan file named Explorer.exe from the same site, to C:\Windows\explorer\Explorer.exe (do not confuse this with the required Windows file explorer.exe, located at C:\Windows\explorer.exe). The dlder.exe file then places a Run key in the Registry so that the new Explorer.exe trojan runs at startup.
The dlder.exe trojan will also add a Registry key, HKLM\SOFTWARE\Games\Clicktilluwin. This contains values similar to the following:
The trojan Explorer.exe file then connects to the Internet every few minutes to transfer the assigned GUID and lists of Web sites the user has visited since the last checkin.
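The indicators described above (the two file paths, the Run entry target, the Clicktilluwin key and the check-in URL format) can be checked together with a short triage script. This is an added example, not part of the original write-up; the snapshot layout, the function names and the sample data are assumptions made for illustration.

```python
import ntpath
from urllib.parse import parse_qs, urlsplit

# Indicators named on the page; Windows paths and key names compare case-insensitively.
BEACON_HOST = "www.2001-007.com"
BEACON_PARAMS = {"UserURL", "User_IP", "userid", "User_Browser"}
TROJAN_PATHS = {r"c:\windows\dlder.exe", r"c:\windows\explorer\explorer.exe"}
MARKER_KEY = r"hklm\software\games\clicktilluwin"


def is_beacon(url):
    """True if url matches the check-in request format quoted on the page."""
    parts = urlsplit(url)
    host_ok = (parts.hostname or "").lower() == BEACON_HOST
    params = set(parse_qs(parts.query, keep_blank_values=True))
    return host_ok and parts.path.lower() == "/index.asp" and BEACON_PARAMS <= params


def exe_path(command):
    """Reduce a file path or Run-value command line to a normalised executable path."""
    cmd = command.strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]           # quoted path, arguments follow
    else:
        head, sep, _ = cmd.lower().partition(".exe")
        cmd = head + sep                          # drop unquoted arguments
    return ntpath.normpath(cmd).lower()


def triage(snapshot):
    """Return (kind, value) findings for a host snapshot dict (hypothetical layout)."""
    hits = [("file", f) for f in snapshot.get("files", []) if exe_path(f) in TROJAN_PATHS]
    hits += [("run", v) for v in snapshot.get("run_values", []) if exe_path(v) in TROJAN_PATHS]
    hits += [("key", k) for k in snapshot.get("registry_keys", []) if k.lower() == MARKER_KEY]
    hits += [("url", u) for u in snapshot.get("urls", []) if is_beacon(u)]
    return hits


# Constructed sample snapshot, not data from a real host.
SAMPLE = {
    "files": [r"C:\Windows\explorer.exe", r"C:\WINDOWS\Explorer\explorer.exe"],
    "run_values": [r"C:\Windows\explorer\Explorer.exe /s", r"C:\Windows\explorer.exe"],
    "registry_keys": [r"HKLM\SOFTWARE\Games\Clicktilluwin", r"HKLM\SOFTWARE\Games"],
    "urls": ["http://www.2001-007.com/index.asp?UserURL=GET+/&User_IP=127.0.0.1"
             "&userid=127&User_Browser=IE", "http://www.example.com/index.asp?userid=1"],
}

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

The legitimate C:\Windows\explorer.exe is deliberately left unflagged; only the copy inside the C:\Windows\explorer\ directory matches.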
This piece of spyware is being reported as a virus or Trojan Horse by some antivirus manufacturers.
have since backed down and removed the file from their virus signatures,
Grokster, one of the companies that bundled the DLDER software, is offering an application that will remove it. You can get
Remove from Grokster's
The ClickTillUWin product was distributed by Cydoor Technologies, makers of the Cydoor Ad-system adware products.
We were not able to reproduce Dlder/ExPlorer behaviour on our Windows 95 test system (POS).