Virus: BDS/Delf.aow.29 Date discovered: 04/01/2007 Type: Backdoor Server In the wild: No Reported Infections: Low Distribution Potential: Low Damage Potential: Medium Static file: Yes File size: 1.249.280 Bytes VDF version: 6831705c64296963f7d11a0669ffecf7 IVDF version: 6.35.01.100 - Wednesday, August 16, 2006Engine version: 6.35.01.101
General Method of propagation: • No own spreading routine Aliases: • Kaspersky: Backdoor.Win32.Delf.aow • Grisoft: BackDoor.Generic3.HPD • Eset: Win32/Delf.NDN • Bitdefender: Backdoor.Delf.AOW Platforms / OS: • Windows 95 • Windows 98 • Windows 98 SE • Windows NT • Windows ME • Windows 2000 • Windows XP • Windows 2003 Side effects: • Downloads a file • Drops files • Registry modification • Steals information Files It copies itself to the following location: • %SYSDIR% \LSASS.exe It deletes the initially executed copy of itself. The following files are created: – %SYSDIR% \drivers\oreans32.sys Furthermore it gets executed after it was fully created. – %malware execution directory% \_DELET~1.BAT Furthermore it gets executed after it was fully created. This batch file is used to delete a file. Registry The following registry keys are added in order to load the services after reboot: – [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32] • "NextInstance"=dword:00000001 – [HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security] • "Security"=%hex values% – [HKLM\SYSTEM\CurrentControlSet\Services\WinServerNamx\Security] • "Security"=%hex values% – [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000] • "Service"="oreans32" "Legacy"=dword:00000001 "ConfigFlags"=dword:00000000 "Class"="LegacyDriver" "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}" "DeviceDesc"="oreans32" – [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\ Control] • "*NewlyCreated*"=dword:00000000 "ActiveService"="oreans32" – [HKLM\SYSTEM\CurrentControlSet\Services\oreans32] • "Type"=dword:00000001 "Start"=dword:00000001 "ErrorControl"=dword:00000001 "ImagePath"="%SYSDIR% \drivers\oreans32.sys" "DisplayName"="oreans32" – [HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum] • "0"="Root\\LEGACY_OREANS32\\0000" "Count"=dword:00000001 "NextInstance"=dword:00000001 – [HKLM\SYSTEM\CurrentControlSet\Services\WinServerNamx] • "Type"=dword:00000110 "Start"=dword:00000002 "ErrorControl"=dword:00000000 "ImagePath"="%SYSDIR% \LSASS -NetSata" "DisplayName"="Windows ServerNamx" "ObjectName"="LocalSystem" "Description"="%random character string% " Backdoor Contact server: The following: • http://www.ip.newying.com/********** This is done via the HTTP GET request on a PHP script. Stealing It tries to steal the following information: – Windows Product ID – It uses a network sniffer that checks for the following strings: • :$l • :.x Miscellaneous Mutex: It creates the following Mutex: • 200600227 Anti debugging It checks if the following program is running: • SoftIce File details Runtime packer: In order to aggravate detection and reduce size of the file it is packed with the following runtime packer: • InstallShield 2000 stub
Description inserted by Monica Ghitun on Thursday, January 4, 2007 Description updated by Monica Ghitun on Thursday, January 11, 2007
Back
.
.
.
.