January 03, 2002, 2:06 PM — Three popular file-swap programs for some time came with third-party "spyware" software that was installed even if the user opted not to, the software makers admitted this week.
KaZaA, Grokster and LimeWire, free peer-to-peer (P-to-P) applications used by millions for exchanging files on the Internet, at one point came with a program called ClickTillUWin, a client for an online lottery. This client software contains a Trojan horse program that sends information to its maker, several vendors of antivirus software have warned.
A Trojan horse is different from a virus in that it typically doesn't corrupt files or propagate itself. Trojan horses can, however, install backdoor programs that let hackers gain access to a computer.
The bundling of third-party software is a form of advertising often used by providers of free software. A user, when installing the P-to-P applications, can choose to install the bundled applications. However, ClickTillUWin installed even if the user opted out, according to antivirus software vendor Symantec Corp. in a statement last week. Symantec refers to the Trojan as the W32.DlDer.Trojan.
KaZaA BV, which reports its software has been downloaded almost 30 million times, with more than 1.3 million downloads last week, said it bundled ClickTillUWin with its KaZaA Media Desktop for a one week period in December. The bundling ended because the contract to do so expired, a spokesman said. He could not specify the week.
Grokster Ltd. bundled ClickTillUWin with its program for about a three-week period, Grokster said in a statement on its Web site, without being more specific. The company offers a software tool to remove it.
ClickTillUWin was also part of LimeWire 2.0.2. That version was replaced on Jan.1 after user complaints, Lime Wire LLC said in a statement.
ClickTillUWin consists of a file called "dlder.exe" which is placed in the "c:\windows" directory or folder on the user's hard drive. It downloads a file called "Explorer.exe" that is placed in a specially created "c:\windows\explorer" folder. The program also adds a key to the Windows registry so that it runs each time the system is turned on. When running, the program sends a user ID and the user's IP (Internet Protocol) address to a certain Web site, Symantec said.
The Trojan has been defused because the Web site it is set to transmit the information to is no longer online, said Marius van Oers, a virus research engineer with Network Associates Inc. in Amsterdam. Also, the Trojan apparently does not compromise the system in a way that makes it vulnerable to hacker attacks. Most antivirus vendors hence rate the Trojan "low risk."