Virus: TR/Dldr.Delf.awl
Date discovered: 12/09/2006
Type: Trojan
Subtype: Downloader
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 438.272 Bytes
MD5 checksum: 9374f9c055c31a4b59528d0fdcff8295
VDF version: 6.35.01.215
IVDF version: 6.35.01.219 - Wednesday, September 13, 2006

General Method of propagation:
   • No own spreading routine

Aliases:
   •  Kaspersky: Trojan-Downloader.Win32.Delf.awl
   •  F-Secure: Trojan-Downloader.Win32.Delf.awl
   •  Eset: Win32/TrojanDownloader.Delf.AWL
Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
Side effects:
   • Downloads files
   • Registry modification

Files
It copies itself to the following locations:
   • %SYSDIR%\JVM0.exe
   • %ALLUSERSPROFILE%\start menu\programs\startup\JVM0.exe

It tries to download some files:

– The locations are the following:
   • http://cgv.king-jouet.com/images/gerador/celular/**********
   • http://www.server2.com/confirma/**********
   • http://www.server3.com/confirma/**********
   • http://www.server4.com/confirma/**********
   • http://www.server5.com/confirma/**********
The downloaded file is saved on the local hard drive as C:\servico.exe and is executed once the download has completed. At the time of writing, this file was no longer online and could not be investigated further.

– The location is the following:
   • http://www.geradorcelular.clic3.**********
At the time of writing, the file at this location was an updated version of the malware itself.

Registry
The following registry value is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "JVM0"="%SYSDIR%\JVM0.exe"

File details
Programming language: The malware program was written in Delphi.

Description inserted by Adriana Popa on Monday, October 16, 2006
Description updated by Andrei Gherman on Tuesday, October 17, 2006