Date discovered: 16/03/2006
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 401.861 Bytes
MD5 checksum: e38c6443d96be261381f0Eaf58cc4389
VDF version:

General
Method of propagation:
   • No own spreading routine

   •  Kaspersky: Backdoor.Win32.Delf.adj

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads a malicious file
   • Registry modification

Files
It copies itself to the following location:
   • %PROGRAM FILES%\Internet Explorer\syssmss.exe

It tries to download a file:

– The location is the following:
It is saved on the local hard drive under: %temporary internet files%\index[1].asp

Registry
One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "WinsSystem"="%PROGRAM FILES%\Internet Explorer\syssmss.exe"

Backdoor
The following port is opened:

%executed file% on a random UDP port in order to provide backdoor capabilities.

Miscellaneous
Mutex:
It creates the following Mutex:
   • Hey, this is unicough single instance test

File details
Programming language:
The malware program was written in Delphi.

Runtime packer:
To make detection more difficult and to reduce the size of the file, it is packed with the following runtime packer:
   • Neolite 2.0

Description inserted by Victor Tone on Thursday, March 16, 2006
Description updated by Victor Tone on Thursday, March 16, 2006
