Software makers have admitted that three popular file exchange
programs for some time came bundled with third-party "spyware"
software that was installed even if the user opted not to.
KaZaA, Grokster and LimeWire free peer-to-peer (P2P) file exchange
applications came with a program called ClickTillUWin, a client for
an online lottery. Several antivirus members have warned that
ClickTillUWin contains a Trojan horse program that sends
information to its maker.
A Trojan horse is different from a virus in that it typically does
not corrupt files or propagate itself. Trojan horses can, however,
install backdoor programs that allow hackers to gain access to a
computer.
The bundling of third-party software is a form of advertising often
used by providers of free software. A user, when installing the P2P
applications, can choose to install the bundled applications.
However, ClickTillUWin was installed even if the user opted out,
according to antivirus software vendor Symantec. Symantec refers to
the Trojan as the W32.DlDer.Trojan.
KaZaA, which claims its software has been downloaded almost 30
million times, said it bundled ClickTillUWin with its KaZaA Media
Desktop for a one week period in December. The bundling ended
because the contract expired, a spokesman said. He could not
specify the week.
Grokster admitted to bundling ClickTillUWin with its program for an
unspecified three-week period. The company offers a software tool
to remove it.
ClickTillUWin was also part of LimeWire 2.0.2. The company claims
it upgraded Limewire following user complaints.
ClickTillUWin consists of a file called "dlder.exe" which is placed
in the "c:\windows" directory, and downloads a file called
"explorer.exe" that is placed in a specially created
"c:\windows\explorer" folder. The program also adds a key to the
Windows registry so that it runs each time the system is turned on.
When running, the program sends a user ID and the user's IP address
to a Web site, Symantec said.
The Trojan has been defused because the Web site it is set to
transmit the information to is no longer online, said Marius van
Oers, a virus research engineer with Network Associates. The Trojan
apparently does not compromise the system in a way that makes it
vulnerable to hacker attacks. Most antivirus vendors hence rate the
Trojan "low risk."
The Trojan is detected by all major antivirus applications. Users
can also check to see if they have ClickTillUWin installed by
searching for the two files associated with the Trojan on their
system. The genuine file is located in the "c:\windows" folder, not
the "c:\windows\explorer\" folder.