Virus: TR/Proxy.Delf.AA.2
Date discovered: 28/11/2005
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 14.848 Bytes
MD5 checksum: 399620492b3e054b84caecae975aba95
VDF version: 6.32.00.223

General method of propagation:
   • No own spreading routine


Alias:
   • Kaspersky: Trojan-Proxy.Win32.Delf.aa


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Uses its own email engine

Files:
The following file is created:

%malware execution directory%\mm.pid



It tries to download a file:

– The location is the following:
   • http://wm.kanny**********.info/cgi-bin5/repeaterm.fcgi?n=%several random digits%&lastid=&rand=%%several random digits%.%several random digits%e-0001
This file may contain information related to the email spam function.

Email:
It contains an integrated SMTP engine in order to send spam emails. A direct connection with the destination mail server is established. The characteristics are described below:


From:
Gathered addresses from the internet. Please do not assume that it was the sender's intention to send this email to you. The sender might not know about the infection, or might not be infected at all. Furthermore, it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.


To:
– Gathered addresses from the internet

Mailing:
Gather addresses:
It gathers addresses by contacting the following website:
   • http://wm.kanny**********.info/cgi-bin5/repeaterm.fcgi?n=%several random digits%&lastid=&rand=%%several random digits%.%several random digits%e-0001

Backdoor:
Contact server:
The following:
   • http://wm.**********ciya.info/cgi-bin5/receiver.fcgi?id=%several random digits%&sent=%several random digits%&lost=&drop=&acc=

As a result, it may send some information.

Sends information about:
    • Current malware status

File details:
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX
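As an added example (not part of the original description), the two indicator groups above can be turned into simple defender-side checks: matching proxy-log URLs against the CGI path and query layout of the address-list download and the status report, and comparing a suspect file against the listed size and MD5. The hostnames are masked in the description, so the URL matching deliberately ignores the host, and the log lines below are constructed with placeholder hosts.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# Added example, not from the original description. Values below are the ones the
# description lists; hosts are masked there, so only path and query are matched.
KNOWN_MD5 = "399620492b3e054b84caecae975aba95"
KNOWN_SIZE = 14848          # 14.848 Bytes in the description's notation
DROPPED_FILE = "mm.pid"     # created in the malware execution directory

# Address-list download / address gathering request (repeaterm.fcgi)
REPEATER_RE = re.compile(
    r"/cgi-bin5/repeaterm\.fcgi\?n=\d+&lastid=&rand=%?\d+\.\d+e-0001", re.I)
# Status report to the contact server (receiver.fcgi)
RECEIVER_RE = re.compile(
    r"/cgi-bin5/receiver\.fcgi\?id=\d+&sent=\d+&lost=&drop=&acc=", re.I)


def classify_url(url: str) -> Optional[str]:
    """Return which TR/Proxy.Delf.AA.2 endpoint a URL resembles, or None."""
    if REPEATER_RE.search(url):
        return "address-list download (repeaterm.fcgi)"
    if RECEIVER_RE.search(url):
        return "status report (receiver.fcgi)"
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_no, verdict) for every proxy-log line whose URL matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in line.split():          # whitespace-separated fields
            verdict = classify_url(token)
            if verdict:
                hits.append((n, verdict))
                break
    return hits


def matches_known_sample(data: bytes) -> bool:
    """True if a file body has the size and MD5 given in the description."""
    return len(data) == KNOWN_SIZE and hashlib.md5(data).hexdigest() == KNOWN_MD5


# Constructed sample proxy log; hosts are placeholders, not the masked real ones.
SAMPLE_LOG = [
    "2005-11-28T10:01:02 10.0.0.5 GET http://wm.example.invalid/cgi-bin5/repeaterm.fcgi?n=48213&lastid=&rand=%7719.4420e-0001 200",
    "2005-11-28T10:01:05 10.0.0.5 GET http://www.example.invalid/index.html 200",
    "2005-11-28T10:04:40 10.0.0.5 GET http://wm.example.invalid/cgi-bin5/receiver.fcgi?id=48213&sent=120&lost=&drop=&acc= 200",
]

if __name__ == "__main__":
    for line_no, verdict in scan_proxy_log(SAMPLE_LOG):
        print(line_no, verdict)
```

Running the block prints the two matching log lines (1 and 3) with their verdicts; the hash check is only meaningful against the original sample, which is not reproduced here.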

Description inserted by Iulia Diaconescu on Monday, November 28, 2005
Description updated by Iulia Diaconescu on Wednesday, December 7, 2005
