File Sharers Carry Trojan

File Sharers Carry Trojan File Sharers Carry Trojan

According to virus experts, some versions of Grokster, LimeWire, Kazaa, a beta of BearShare and some versions of Net2Phone contain W32.DlDer.Trojan.
It is a well known fact, that most file sharing software carries spyware. Although this is annoying to most users, it is met with understanding, since developers need to raise cash. The release of various spyware hunters however, like Ad-Aware has made it easy to remove such software.

The trojan included with the executable of the above utilities cannot be spotted by Ad-Aware. W32.DlDer.Trojan comes as part of the ClicktoWin ad package included with the software. Its most disturbing feature is that it actually asks you if you wish to install it or not. Whatever your choice may be, the Trojan will attach itself to your system.

Although this is not a destructive trojan and it will not damage your system in any way, it still will send some personal information from your PC. According to Symantec the Trojan appears to be sending some information (such as User-ID and IP address) to the following URL:

http:/ /

The nature of the information sent is suspected to be the usual marketing stuff, although some users have suggested that it may be information about our download habits that is being sent to the RIAA. It is easy to tie the legal action against Grokster Kazaa and Morpheus with the Trojan contained in them. Whatever the truth may be, most users will get rid of the Trojan now that it is out in the open.

LimeWire have no mention of this in their website, but the newest downloadable version of Limewire does not include the Trojan. This can be viewed as hypocricy since the company seems to be abandoning all users that have already installed previous versions.

The official Grokster press release about this matter reads as follows:

It has recently come to our attention that our previous Grokster installer for about a three week period contained a trojan known as W32.DlDer.Trojan. This trojan was apparently installed by one of our advertisers, ClickTilUWin. We have since removed the advertiser's installer and our downloads are trojan-free as of 1/1/2002.
Some of you may be wondering why this trojan was in our installer at all. We sometimes bundle advertiser applications with our installer in order to help pay for our costs here at Grokster. We are normally given an installer from the advertiser which we run during the installation of Grokster. We have no access to the source code of these third-party installers and so we rely on what our advertisers say these programs do. To the best of our knowledge, this particular advertiser simply placed a link to a free online lottery on the desktop. We were never informed that it installed or was a trojan. At that time, anti-virus software did not pick it up as such. Thus, the trojan was not detected by us. Now that we have learned of the trojan, we are doing everything we can to minimize its impact on our users. Even on the Symantec website, this is classed as a category 1 threat, which is the lowest level of threats possible and, per their website, means it "poses little threat to users.

Read on to find out how to spot and remove the Trojan from your system, if infected...

In an attempt to assist users Grokster have released a utility which completely removes the Trojan. You can download it here.
If you are fed up with downloads you can remove the Trojan manually using the following instructions:

1. Delete the hidden folder Explorer in the Windows folder and make sure everything in it is gone.
2. Delete the file Dlder.exe in the Windows directory.

If you wish to go one step further you can also edit the registry entries made by the Trojan (THIS IS ONLY FOR THE EXPERTS).
We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:


4. In the right pane, delete any of the following values that exist:

dlder C:windowsexplorerExplorer.exe

dlder C:windowsdlder.exe

5. Navigate to and delete the following subkey:


6. Click Registry, and then click Exit.


File information

File name: trojan-remove.exe

File size:

Mime type: