P2P software contained Trojan horse

Software makers have admitted that three popular file exchange programs for some time came bundled with third-party "spyware"...

Software makers have admitted that three popular file exchange programs for some time came bundled with third-party "spyware" software that was installed even if the user opted not to.

KaZaA, Grokster and LimeWire free peer-to-peer (P2P) file exchange applications came with a program called ClickTillUWin, a client for an online lottery. Several antivirus members have warned that ClickTillUWin contains a Trojan horse program that sends information to its maker.

A Trojan horse is different from a virus in that it typically does not corrupt files or propagate itself. Trojan horses can, however, install backdoor programs that allow hackers to gain access to a computer.

The bundling of third-party software is a form of advertising often used by providers of free software. A user, when installing the P2P applications, can choose to install the bundled applications. However, ClickTillUWin was installed even if the user opted out, according to antivirus software vendor Symantec. Symantec refers to the Trojan as the W32.DlDer.Trojan.

KaZaA, which claims its software has been downloaded almost 30 million times, said it bundled ClickTillUWin with its KaZaA Media Desktop for a one week period in December. The bundling ended because the contract expired, a spokesman said. He could not specify the week.

Grokster admitted to bundling ClickTillUWin with its program for an unspecified three-week period. The company offers a software tool to remove it.

ClickTillUWin was also part of LimeWire 2.0.2. The company claims it upgraded Limewire following user complaints.

ClickTillUWin consists of a file called "dlder.exe" which is placed in the "c:\windows" directory, and downloads a file called "explorer.exe" that is placed in a specially created "c:\windows\explorer" folder. The program also adds a key to the Windows registry so that it runs each time the system is turned on. When running, the program sends a user ID and the user's IP address to a Web site, Symantec said.

The Trojan has been defused because the Web site it is set to transmit the information to is no longer online, said Marius van Oers, a virus research engineer with Network Associates. The Trojan apparently does not compromise the system in a way that makes it vulnerable to hacker attacks. Most antivirus vendors hence rate the Trojan "low risk."

The Trojan is detected by all major antivirus applications. Users can also check to see if they have ClickTillUWin installed by searching for the two files associated with the Trojan on their system. The genuine file is located in the "c:\windows" folder, not the "c:\windows\explorer\" folder.

Read more on Hackers and cybercrime prevention