Virus:BDS/Delf.afu.1
Date discovered:04/08/2006
Type:Backdoor Server
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:812.544 Bytes
MD5 checksum:e6415f4beff18e5a4f045c6c022cfb0E
VDF version:6.35.01.46

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Trojan.Upchan
   •  Mcafee: Uploader-AC
   •  Kaspersky: Backdoor.Win32.Delf.afu
   •  TrendMicro: TSPY_SUFIAGE.G
   •  Sophos: Troj/Delf-DDR
   •  VirusBuster: trojan Backdoor.Delf.RSW
   •  Bitdefender: Backdoor.Delf.SS


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification
   • Steals information
   • Third party control

 Files The following file is created:

– Non malicious file:
   • %HOME%\My Documents\My Pictures\%unknown% Re-birth[%current
      date% %current hour%] %current username%.jpg

 Registry The following registry key is added in order to run the process after reboot:

– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "SVCHOST" = "C:\WINDOWS:SVCHOST.exe"



The following registry key is added:

– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
   • "Count" = %hex number%



The following registry key is changed:

Disable Regedit and Task Manager:   New value:
   • "DisableTaskMgr" = dword:00000001

 Backdoor The following ports are opened:

%executed file% on TCP port 80 in order to provide an HTTP server.
%executed file% on a random TCP port in order to provide backdoor capabilities.


Contact server:
All of the following:
   • http://isp.2c**********
   • http://www.2c**********
   • http://v.isp.2c**********
   • http://tmp6.ch2.net/test/read.cgi/**********
   • http://tmp6.ch2.net/test/**********

As a result it may send information and remote control could be provided. Besides, it periodically repeats the connection. This is done via the HTTP GET request on a CGI script.
This is done via the HTTP POST method using a CGI script.


Sends information about:
    • Capture screen
    • Current malware status


Remote control capabilities:
    • Visit a website

 File details Programming language:
 The malware program was written in Delphi.

Description inserted by Daniel Constantin on Monday, August 7, 2006
Description updated by Daniel Constantin on Tuesday, August 8, 2006

Back . . . .