Virus:BDS/Delf.CO.13
Date discovered:04/08/2006
Type:Backdoor Server
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:760.320 Bytes
MD5 checksum:0756d255c3bae4a5b691bc1c1e22a49b
VDF version:6.35.01.46 - Friday, August 4, 2006
IVDF version:6.35.01.46 - Friday, August 4, 2006

 General Method of propagation:
   • No own spreading routine
   •  Kaspersky: Backdoor.Win32.Delf.co
   •  Bitdefender: Backdoor.Delf.CO


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads files
   • Downloads malicious files
   • Registry modification
   • Steals information
   • Third party control

 Files It copies itself to the following location:
   • %PROGRAM FILES%\PViever\pviever.exe



It creates the following directory:
   • %PROGRAM FILES%\PViever\



The following file is created:

%PROGRAM FILES%\PViever\uin.txt This is a non malicious text file with the following content:
   • %current date%%number%

 Registry The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "PViever"=""%PROGRAM FILES%\PViever\pviever.exe" hide"



The following registry keys are added:

– HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   User Agent
– HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   User Agent\Post Platform
   • "(Default)"=""

– HKLM\SOFTWARE\Surf
   • "mhost"=%internet resources used by malware%
   • "uin"=%current date%%number%



The following registry keys are changed:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes
   Old value:
   • "www"="http://"
   New value:
   • "www"="http://htpp.ws?"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
   Old value:
   • "(Default)"="http://"
   New value:
   • "(Default)"="http://htpp.ws?"

 Backdoor Contact server:
One of the following:
   • http://neo**********
   • http://super**********
   • http://htp**********
   • http://xe**********
   • http://mirax.spb.ru**********

As a result it may send information and remote control could be provided. Besides, it periodically repeats the connection. This is done via the HTTP GET request on a PHP script.

 Stealing It tries to steal the following information:
– Passwords typed into 'password input fields'

 File details Programming language:
 The malware program was written in Delphi.

Description inserted by Teodor Onisor on Monday, August 7, 2006
Description updated by Teodor Onisor on Tuesday, August 8, 2006

Back . . . .