Virus: TR/Dldr.CWS.C.2
Date discovered: 20/09/2005
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 11.776 Bytes
MD5 checksum: 2bf55b808df2231a617e5a62a72fc704
VDF version: 6.31.0.164

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: W32.Conycspa.G@mm
   •  Kaspersky: Email-Worm.Win32.Delf.i
   •  TrendMicro: TROJ_CHOPHAR.A
   •  Bitdefender: Win32.Worm.Delf.I


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows 2000
   • Windows XP


Side effects:
   • Steals information

Files
The following file is created:

– A file that contains collected email addresses:
   • %WINDIR%\inetdata\winelf.txt

Mailing
Search addresses:
It searches the following file for email addresses:
   • %HOME%\Local Settings\Application Data\Identities\%all directories%\Microsoft\Outlook Express\*.dbx

Backdoor
Contact server:
The following server is contacted:
   • traff-**********.com/m/add.php?

As a result, it may send some information. This is done via an HTTP GET request to a PHP script.


Sends information about:
    • Collected Email addresses

File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • PE_Patch.PECompact; PecBundle; PECompact

Description inserted by Irina Boldea on Tuesday, September 20, 2005
Description updated by Irina Boldea on Wednesday, September 28, 2005
