Antivirus Vendors Warn of Zacker Worm and ClickTillUWin Trojan Horse

Antivirus software vendors warn about a new worm and a new Trojan horse. The worm attempts to delete security software, and the Trojan horse sends private info offsite.

ITPro Today

January 3, 2002


Antivirus software vendors warn that a new worm that attempts to delete various security software packages is spreading slowly across the Internet. The Maldad.G worm, aka Zacker, infects systems running Microsoft Outlook. It spreads by sending itself to names listed in a user's address book and to email addresses it finds in Web pages cached on the user's system.

Zacker comes as a message that might have any of a variety of subjects and contains a lengthy body of text, as seen in Panda Software's report about the new worm. Zacker attempts to delete numerous security-related directories on a system, including those that belong to ZoneAlarm firewall, Antiviral Toolkit Pro, F-Protect, eSafe, PC-Cillin, Quick Heal, FindVirus, McAfee Antivirus, and Norton Antivirus. The worm also deletes several types of files on an affected system, including HTML; Microsoft Word, Excel, and PowerPoint documents; Microsoft Access databases; Zip files; JPG images; and MPEG audio and video. Affected file extensions include .htm, .pps, .php, .html, .com, .bat, .mdb, .xls, .doc, .lnk, .ppt, .jpg, .mpeg, .ini, .dat, .zip, and .txt.

Antivirus software vendors also warn of a new Trojan horse embedded in three popular peer-to-peer file-sharing packages: KaZaA Media Desktop, Grokster 1.3.3, and LimeWire 2.0.2. Users have reportedly downloaded tens of millions of copies of the affected software packages. The Trojan horse is a program called ClickTillUWin (aka Dlder), which sends a user's browser type and IP address to a Web site each time someone uses any of the affected software packages. However, the Web site collecting the information is now offline.

According to antivirus software vendor reports, the Trojan horse copies a program called dlder.exe to the user's Windows directory and then downloads a copy of a program called explorer.exe and places that program in a hidden directory named Windows\Explorer. The Trojan horse also adds registry keys that cause the dlder.exe program to run each time the computer starts and creates several files on a user's computer, including:

  • C:\Program Files\Clicktilluwin\clicktilluwin.htm

  • C:\Program Files\Clicktilluwin\game.ico

  • C:\Windows\Start Menu\Programs\Clicktilluwin\clicktilluwin.lnk

  • C:\Windows\Desktop\Clicktilluwin.lnk

Even though the affected software packages might have offered users a chance to opt out of the ClickTillUWin software inclusion, the Trojan horse installs the ClickTillUWin components regardless of the user's choice. All three of the affected vendors have now removed the code from their distribution packages. Antivirus software vendors are now including detection and removal code for both the new Zacker worm and the new Trojan horse.
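
The file artifacts described above can be checked on a disk image mounted for analysis, where Windows paths must be matched case-insensitively and the legitimate explorer.exe in the Windows directory must not be confused with the copy in the hidden subdirectory. The following Python code is an added example, not code from the article or from any antivirus vendor. It assumes the listed paths sit under the system drive root with backslash separators, that the hidden directory is an Explorer subfolder of the Windows directory, and its function names are hypothetical; the registry keys are not checked because the article does not name them.

```python
"""Triage a mounted disk image for the ClickTillUWin (Dlder) file artifacts."""
import sys
from pathlib import Path

# Artifact paths from the article, relative to the system drive root.
# Assumption: path separators restored; Windows directory is named "Windows".
ARTIFACTS = [
    "Windows/dlder.exe",
    "Windows/Explorer/explorer.exe",  # rogue copy; Windows/explorer.exe is the real shell
    "Program Files/Clicktilluwin/clicktilluwin.htm",
    "Program Files/Clicktilluwin/game.ico",
    "Windows/Start Menu/Programs/Clicktilluwin/clicktilluwin.lnk",
    "Windows/Desktop/Clicktilluwin.lnk",
]


def resolve_nocase(root, relative):
    """Resolve a relative path case-insensitively, as Windows would.

    Needed when the image is mounted on a case-sensitive filesystem.
    Returns the real Path, or None if any component is missing.
    """
    current = Path(root)
    for part in relative.split("/"):
        if not current.is_dir():
            return None
        matches = [c for c in current.iterdir() if c.name.lower() == part.lower()]
        if not matches:
            return None
        current = matches[0]
    return current


def find_artifacts(root, windows_dir="Windows"):
    """Return {artifact: real path} for every listed artifact present under root."""
    found = {}
    for artifact in ARTIFACTS:
        relative = artifact
        if artifact.startswith("Windows/"):
            # Allow a non-default Windows directory name (for example WINNT).
            relative = windows_dir + artifact[len("Windows"):]
        hit = resolve_nocase(root, relative)
        if hit is not None and hit.is_file():
            found[artifact] = hit
    return found


if __name__ == "__main__":
    hits = find_artifacts(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, path in hits.items():
        print(f"FOUND {name} -> {path}")
    sys.exit(1 if hits else 0)
```

Run it with the mount point of the image as the only argument; a nonzero exit status means at least one artifact was found.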
