Skip navigation
Menu
Collaboration>Email and Calendaring

Antivirus Vendors Warn of Zacker Worm and ClickTillUWin Trojan Horse

Antivirus software vendors warn that a new worm is spreading slowly across the Internet that attempts to delete various security software packages. The Maldad.G worm, aka Zacker, infects systems running Microsoft Outlook by spreading itself to names listed in a user's address book and by looking for email addresses in Web pages cached on a user's system.

Zacker comes as a message that might have any of a variety of subjects and contains a lengthy body of text, as seen in Panda Software's report about the new worm. Zacker attempts to delete numerous security-related directories on a system, including those that belong to ZoneAlarm firewall, Antiviral Toolkit Pro, F-Protect, eSafe, PC-Cillin, Quick Heal, FindVirus, McAfee Antivirus, and Norton Antivirus. The worm also deletes several types of files on an affected system, including HTML; Microsoft Word, Excel, and PowerPoint documents; Microsoft Access databases; Zip files; JPG images; and MPEG audio and video. Affected file extensions include .htm, .pps, .php, .html, .com, .bat, .mdb, .xls, .doc, .lnk, .ppt, .jpg, .mpeg, .ini, .dat, .zip, and .txt.

Antivirus software vendors also warn of a new Trojan horse embedded in three popular peer-to-peer file-sharing packages, including KaZaA Media Desktop, Grokster 1.3.3, and Limeware 2.0.2. Users have reportedly downloaded tens of millions of copies of the affected software packages. The Trojan horse is a program called ClickTillUWin (aka Dlder), which sends a user browser type and IP address to a Web site each time someone uses any of the affected software packages. However, the Web site collecting the information is now offline.

According to antivirus software vendor reports, the Trojan horse copies a program called dlder.exe to the user's Windows directory and then downloads a copy of a program called explorer.exe and places that program in a hidden directory named \Windows\Explorer. The Trojan horse also adds registry keys that cause the dlder.exe program to run each time the computer starts and creates several files on a user's computer, including:

  • C:\Program Files\Clicktilluwin\clicktilluwin.htm

  • C:\Program Files\Clicktilluwin\game.ico

  • C:\Windows\Start Menu\Programs\Clicktilluwin\clicktilluwin.lnk

  • C:\Windows\Desktop\Clicktilluwin.lnk

Even though the affected software packages might have offered users a chance to opt out of the ClickTillUWin software inclusion, the Trojan horse installs the ClickTillUWin components regardless of the user's choice. All three of the affected vendors have now removed the code from their distribution packages. Antivirus software vendors are now including detection and removal code for both the new Zacker worm and the new Trojan horse.
TAGS: Email and Calendaring Windows 7/8
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
zoom logo
Zoom Releases New AI-Powered Collaboration Platform—Zoom Workspace—Plus Other Updates
Mar 26, 2024
person working from home using smart phone and notebook computer
Monitoring Employee Productivity, Balance Surveillance with Transparency
Jan 03, 2024
zoom logo on screens of laptop and smartphone device.jpg
At Zoomtopia, Small Businesses Share Transformation Stories
Oct 12, 2023
zoom logo
Zoom Unveils Docs, Upgrades Contact Center Offerings
Oct 03, 2023