Virus:TR/PSW.Delf.CRW
Date discovered:30/12/2008
Type:Trojan
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:485.376 Bytes
MD5 checksum:295cdcae63106be37fcc44c1649460df
IVDF version:7.01.01.49 - Tuesday, December 30, 2008

General
Method of propagation:
   • No own spreading routine


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a file
   • Steals information


Right after execution the following information is displayed:


Files
The following files are created:

%home%\Application Data\Scan-Report.txt
This is a non-malicious text file with the following content:
   • %stolen information%

%home%\Application Data\.642_32bits_FiX_1.2-TemDono.exe
Furthermore, it is executed after it has been fully created.

Backdoor
Contact server:
The following:
   • ftp://aw8.awardspace.com

As a result it may send some information.

Sends information about:
    • Collected information described in stealing section
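The two dropped file paths and the FTP contact server above are the host and network artefacts a responder would sweep for. The script below is an added example, not part of the Avira description or any Avira tool: it expands the %home% placeholder for a given profile directory, checks a file listing for the dropped files (case-insensitively, as Windows paths compare), and flags outbound-connection log lines whose destination host is the contact server. The directory listing and the log lines are constructed sample data, and the log layout ("timestamp source-ip destination-host url") is an assumption.

```python
"""Host and log triage for the indicators listed in the TR/PSW.Delf.CRW description.

Added example: only the two dropped file paths and the FTP contact host come from
the description. The directory listing and log lines are constructed sample data,
and the log format is an assumed "ts src dst url" layout.
"""
import re
from typing import Iterable

# Indicators from the description (%home% is the user's profile directory).
DROPPED_FILES = (
    r"%home%\Application Data\Scan-Report.txt",
    r"%home%\Application Data\.642_32bits_FiX_1.2-TemDono.exe",
)
CONTACT_HOST = "aw8.awardspace.com"


def expand_home(template: str, home: str) -> str:
    """Replace the %home% placeholder with a concrete profile directory."""
    return template.replace("%home%", home.rstrip("\\"))


def dropped_file_hits(listing: Iterable[str], home: str) -> list[str]:
    """Return the indicator paths that appear in a file listing.

    Windows paths compare case-insensitively, so both sides are lower-cased
    before comparison; the result keeps the description's order.
    """
    expected = {expand_home(t, home).lower(): expand_home(t, home) for t in DROPPED_FILES}
    found = set()
    for path in listing:
        key = path.strip().lower()
        if key in expected:
            found.add(expected[key])
    return [expand_home(t, home) for t in DROPPED_FILES if expand_home(t, home) in found]


# Assumed log layout (constructed): "<ISO timestamp> <src ip> <dst host> <url>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def network_hits(log_lines: Iterable[str]) -> list[dict]:
    """Flag log lines whose destination is the trojan's FTP contact server.

    The match is on the host field rather than the full URL, so a sample that
    changes the scheme or path but keeps the same host is still caught.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, src, dst, url = m.groups()
        if dst.lower() == CONTACT_HOST:
            hits.append({"time": ts, "src": src, "dst": dst, "url": url})
    return hits


# Constructed sample data: a profile-directory listing and a few outbound
# connection log lines. Addresses are documentation ranges, not real traffic.
SAMPLE_HOME = r"C:\Documents and Settings\user"
SAMPLE_LISTING = [
    r"C:\Documents and Settings\user\Application Data\Microsoft\Outlook\outlook.pst",
    r"C:\Documents and Settings\user\Application Data\scan-report.txt",
    r"C:\Documents and Settings\user\Application Data\.642_32bits_FiX_1.2-TemDono.exe",
]
SAMPLE_LOG = [
    "2009-01-09T10:00:01 192.0.2.10 www.example.com http://www.example.com/",
    "2009-01-09T10:00:07 192.0.2.10 aw8.awardspace.com ftp://aw8.awardspace.com/",
    "malformed line",
]

if __name__ == "__main__":
    for p in dropped_file_hits(SAMPLE_LISTING, SAMPLE_HOME):
        print("dropped file present:", p)
    for h in network_hits(SAMPLE_LOG):
        print("contact to C2 server:", h)
```

Run it as-is to see both indicator files and the one FTP connection reported; on a real case, feed `dropped_file_hits` a listing of every profile's Application Data directory and `network_hits` the proxy or firewall export, after adjusting `LOG_RE` to the actual column layout.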

Stealing
It tries to steal the following information:
– Recorded passwords used by the AutoComplete function
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– Passwords from the following programs:
   • Internet Explorer 6
   • Internet Explorer 7
   • Mozilla Firefox
   • Google Talk
   • Trillian
   • Microsoft Outlook
   • Steam
   • Messenger Live
   • MSN Messenger
   • Vitalwerks DUC

File details
Programming language:
The malware program was written in Delphi.

Description inserted by Andrei Gherman on Friday, January 9, 2009
Description updated by Andrei Gherman on Friday, January 9, 2009
