Нужен совет? Обратитесь за помощью к сообществу или специалистам.
Перейти к Avira Answers
Virus:TR/Proxy.Delf.CA
Date discovered:26/02/2007
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:28.833 Bytes
MD5 checksum:916ede7e54c83f11f0f99f7e53178a3b
IVDF version:6.37.01.162 - Monday, February 26, 2007

 General Methods of propagation:
   • Local network
   • Mapped network drives


Aliases:
   •  Mcafee: W32/Fujacks
   •  Kaspersky: Worm.Win32.Delf.bd
   •  F-Secure: Worm.Win32.Delf.bd
   •  Sophos: W32/Fujacks-AU
   •  Grisoft: Worm/Delf.AEP
   •  Eset: Win32/Fujacks.O
   •  Bitdefender: Win32.Worm.Fujacks.J


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Downloads files
   • Drops files
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following locations:
   • %SYSDIR%\drivers\spoclsv.exe
   • %drive%\setup.exe



Sections are added to the following files.
– To: %all directories%\*.htm With the following contents:
   • iframe src=http://www.krvkr.com/********** width=0 height=0 /iframe

This renames a file after system reboot.
– To: %all directories%\*.html With the following contents:
   • iframe src=http://www.krvkr.com/********** width=0 height=0 /iframe

– To: %all directories%\*.asp With the following contents:
   • iframe src=http://www.krvkr.com/********** width=0 height=0 /iframe

– To: %all directories%\*.php With the following contents:
   • iframe src=http://www.krvkr.com/********** width=0 height=0 /iframe

– To: %all directories%\*.jsp With the following contents:
   • iframe src=http://www.krvkr.com/********** width=0 height=0 /iframe

– To: %all directories%\*.aspx With the following contents:
   • iframe src=http://www.krvkr.com/********** width=0 height=0 /iframe




The following files are created:

%all directories%\Desktop_.ini This is a non malicious text file with the following content:
   • %current date%

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%




It tries to download a file:

The location is the following:
   • http://www.baidu8.org/**********/xm.txt
This file may contain further download locations and might serve as source for new threats.

 Registry The following registry key is continuously in an infinite loop added in order to run the process after reboot.

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • %SYSDIR%\drivers\spoclsv.exe



The values of the following registry key are removed:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • RavTask
   • KvMonXP
   • kav
   • KAVPersonal50
   • McAfeeUpdaterUI
   • Network Associates Error Reporting Service
   • ShStatEXE
   • YLive.exe
   • yassistse



The following registry key is changed:

Various Explorer settings:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\Hidden\SHOWALL]
   Old value:
   • CheckedValue = %user defined settings%
   New value:
   • CheckedValue = 0

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.


It uses the following login information in order to gain access to the remote machine:

The following list of usernames:
   • Administrator
   • Guest
   • admin
   • Root

The following list of passwords:
   • 1234; password; 6969; harley; 123456; golf; pussy; mustang; 1111;
      shadow; 1313; fish; 5150; 7777; qwerty; baseball; 2112; letmein;
      12345678; 12345; ccc; admin; 5201314; qq520; 123; 1234567; 123456789;
      654321; 54321; 111; 000000; abc; 11111111; 88888888; pass; passwd;
      database; abcd; abc123; sybase; 123qwe; server; computer; 520; super;
      123asd; ihavenopass; godblessyou; enable; 2002; 2003; 2600; alpha;
      110; 111111; 121212; 123123; 1234qwer; 123abc; 007; aaa; patrick; pat;
      administrator; root; sex; god; fuckyou; fuck; test; test123; temp;
      temp123; win; asdf; pwd; qwer; yxcv; zxcv; home; xxx; owner; login;
      Login; pw123; love; mypc; mypc123; admin123; mypass; mypass123; 901100



IP address generation:
It creates random IP addresses while it keeps the first three octets from its own address. Afterwards it tries to establish a connection with the created addresses.


Infection process:
The downloaded file is stored on the compromised machine as: %all shared folders%\GameSetup.exe


Slow down:
It creates the following number of infection threads: 9
Depending on your bandwidth you might notice a fall in your network speed. As the network activity for this malware is medium you might not take notice of this if you have a broadband connection.
You might also note a slight slow down due to the multiple network threads created.

 Process termination List of processes that are terminated:
   • Mcshield.exe; VsTskMgr.exe; naPrdMgr.exe; UpdaterUI.exe; TBMon.exe;
      scan32.exe; Ravmond.exe; CCenter.exe; RavTask.exe; Rav.exe;
      Ravmon.exe; RavmonD.exe; RavStub.exe; KVXP.kxp; KvMonXP.kxp;
      KVCenter.kxp; KVSrvXP.exe; KRegEx.exe; UIHost.exe; TrojDie.kxp;
      FrogAgent.exe; Logo1_.exe; Logo_1.exe; Rundl132.exe

Processes containing one of the following window titles are terminated:
   • Symantec AntiVirus
   • Duba
   • Windows
   • esteem procs
   • System Safety Monitor
   • Wrapped gift Killer
   • Winsock Expert


List of services that are disabled:
   • sharedaccess; RsCCenter; RsRavMon; RsCCenter; RsRavMon; KVWSC;
      KVSrvXP; KVWSC; KVSrvXP; AVP; kavsvc; McAfeeFramework; McShield;
      McTaskManager; McAfeeFramework; McShield; McTaskManager; navapsvc;
      wscsvc; KPfwSvc; SNDSrvc; ccProxy; ccEvtMgr; ccSetMgr; SPBBCSvc;
      Symantec Core LC; NPFMntor; MskService; FireSvc

 File details Programming language:
The malware program was written in Delphi.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • FSG

Описание добавил Andrei Gherman в(о) четверг, 19 июня 2008 г.
Описание обновил Andrei Gherman в(о) четверг, 19 июня 2008 г.

Назад . . . .
https:// Это окно зашифровано для вашей безопасности.