Originally posted here by groovicus
I wish I did, Tedob. The people that I help are usually tight-lipped when I try to find out where they have been, so I have to guess the usual warez and porno sites.

Next time I run across one, I'll see if I can get a user to match up a time of infection with their browsing history.

I do have an installer for this though if you would like to play with it. It doesn't give alternate data streams though. I'm still trying to get ahold of one of those.

Yeah, unfortunately most people in gov. seem to think if they got it from porn or warez they deserve it. But there are plenty of other sites that lure users with "freebies" like graphics or game-related things that do this for a buck as well.

Anything special about the D/Ler? I would like to take a look at it. Run strings against it. Probably have to decode the URLs, but yes, I would like a look at it. Everything else is probably your typical trojan dropper... write to reg, download files, register services, etc.