Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:TR/Spy.Delf.IG
Date discovered:13/03/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:18.432 Bytes
MD5 checksum:d9a25ffe0535d3d8dff007294404fd3c
VDF version:6.34.00.32

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Spy.Win32.Delf.ig
   •  Bitdefender: Trojan.Delf.AY


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a file
   • Uses its own Email engine

 Files The following file is created:

– Non malicious file:
   • %malware execution directory%\mm.pid

 Email It contains an integrated SMTP engine in order to send Spam emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.
Gathered addresses from the internet. Please do not assume that it was the senders intention to send this email to you. He might not know about his infection or might not even be infected at all. Furthermore it is possible that you will receive bounced emails that tell you that you are infected. This might also not be the case.
The sender of the email is the following:
   • %random character string%@hotmail.com


To:
– Gathered addresses from the internet.


Subject:
The following:
   • %gathered from the internet%



Body:
– Contains HTML code.

 
The body of the email is the following:
   • %gathered from the internet%

 Mailing Gather addresses:
It gathers addresses by contacting the following website:
   • wm.xvideobase.info/cgi-bin5/**********

 Backdoor Contact server:
The following:
   • wm.xvideobase.info/cgi-bin5/**********

As a result it may send some information. This is done via the HTTP GET request on a CGI script.


Sends information about:
    • Current malware status

 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • PECompact

Description inserted by Daniel Constantin on Monday, March 13, 2006
Description updated by Daniel Constantin on Wednesday, March 15, 2006

Back . . . .