Virus:TR/Spy.Delf.ig.13.A
Date discovered:14/12/2005
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:14.848 Bytes
MD5 checksum:85be766a7d8e147ffb6588b669166754
VDF version:6.33.00.25

General Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Spam-Maxy
   •  Kaspersky: Trojan-Proxy.Win32.Delf.an


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Drops a file
   • Uses its own Email engine

Files
The following file is created:

– Non malicious file:
   • %malware execution directory%\mm.pid

Email
It contains an integrated SMTP engine in order to send spam emails. It establishes a direct connection to the destination mail server. The characteristics are described in the following:


From:
The sender address is spoofed.
– Gathered addresses from the internet. Please do not assume that it was the sender's intention to send this email to you. The sender might not know about the infection or might not be infected at all. Furthermore, it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.


To:
– Gathered addresses from the internet.

Mailing
Gather addresses:
It gathers addresses by contacting the following website:
   • wm.kom**********ka.info/cgi-bin5/repeater3.fcgi

Backdoor
Contact server:
All of the following:
   • wm.kom**********ka.info/cgi-bin5/repeater3.fcgi
   • wm.kom**********ka.info/cgi-bin5/receiver.fcgi

As a result, it may send information to the server, and the server may provide remote control. It repeats the connection periodically. This is done via HTTP GET requests to a CGI script.


Sends information about:
    • Current malware status


Remote control capabilities:
    • Send emails
    • Spam related

Miscellaneous
String:
Furthermore, it contains the following string:
   • Portions Copyright (c) 1999,2003 Avenger by NhT

File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Daniel Constantin on Monday, January 9, 2006
Description updated by Daniel Constantin on Monday, January 9, 2006
