TROJ_DELF.DW

Malware type: Trojan

Aliases: Trojan-Downloader.Win32.Delf.cb (Kaspersky), Downloader-OV (McAfee), Downloader.Trojan (Symantec), TR/Dldr.Delf.CB (Avira), Troj/Bizves-Gen (Sophos),

In the wild: No

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

Medium

Distribution potential:

Low

Description: 

This Trojan downloads files from the Internet and then saves them in a target system.

The following are the URLs where the Trojan downloads files from:

  • http://vsbi.<BLOCKED>biz/counts/allnt.php
  • http://veiz.<BLOCKED>biz/counts/ncount.php
  • http://67.19.51<BLOCKED>.10/enter/aes.asp?user=stealth
  • http://www.vesbiz<BLOCKED>.biz/d/1346.exe
  • http://virgin-tgp<BLOCKED>.net/wioon.exe
  • http://selearch<BLOCKED>.biz/2.exe

    This Trojan downloads the following files and saves them in the Windows system folder:

    • com.exe
    • host32.exe
    • ide21201.vxd
    • mouse.exe
    • mwvlfqxx.exe
    • printer.exe
    • printer32.exe

    The file HOST32.EXE downloads and executes the files from the said URLs.

    It runs on Windows 95, 98, ME, NT, 2000, and XP.

  • For additional information about this threat, see:

    Description created: Sep. 27, 2004 2:14:26 PM GMT -0800
    Description updated: Dec. 6, 2004 12:19:48 PM GMT -0800


    TECHNICAL DETAILS


    Size of malware: 7,168 Bytes (compressed);
    12,288 Bytes (decompressed)

    Initial samples received on: Sep 27, 2004

    Details:

    Upon execution, this Trojan creates a copy of itself in the system folder. It downloads files from the Internet and then saves them in a target system.

    The following are the URLs where the Trojan downloads files from:

  • http://vsbi.<BLOCKED>biz/counts/allnt.php
  • http://veiz.<BLOCKED>biz/counts/ncount.php
  • http://67.19.51<BLOCKED>.10/enter/aes.asp?user=stealth
  • http://www.vesbiz<BLOCKED>.biz/d/1346.exe
  • http://virgin-tgp<BLOCKED>.net/wioon.exe
  • http://selearch<BLOCKED>.biz/2.exe

    This Trojan downloads the following files and saves them in the Windows system folder:

    • com.exe
    • host32.exe
    • ide21201.vxd
    • mouse.exe
    • mwvlfqxx.exe
    • printer.exe
    • printer32.exe

    The file HOST32.EXE downloads and executes the files from the said URLs.

    It creates the following registry entries to ensure its automatic execution at every Windows startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run
    ControlPanel = "%System%\host32.exe internat.dll,LoadKeyboardProfile"

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run
    IST Service = "%Program Files%\ISTsvc\istsvc.exe"

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run
    Windows SyncroAd = "%Program Files%\Windows SyncroAd\SyncroAd.exe"

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run
    msbb = "c:\temp\msbb.exe"

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run
    cuszkrea = "%System%\mwvlfqxx.exe"

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run
    gjmt = "%Windows%\gjmt.exe"

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run
    Power Scan = "%Program Files%\Power Scan\powerscan.exe"

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run
    conscorr = "%Windows%\conscorr.exe"

    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP. %Program Files% is the default Program Files folder, usually C:\Program Files. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

     
     
     
    

    Analysis by: Zarestel Ferrer


  • SOLUTION


    Minimum scan engine version needed: 6.810

    Pattern file needed: 2.284.05

    Pattern release date: Sep 27, 2004


    Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

    Solution:

    Terminating the Malware Program

    This procedure terminates the running malware process.

    1. Open Windows Task Manager.
      � On Windows 95, 98, and ME, press
      CTRL%20ALT%20DELETE
      � On Windows NT, 2000, and XP, press
      CTRL%20SHIFT%20ESC, then click the Processes tab.
    2. In the list of running programs*, locate the following processes:
      • HOSTS32.EXE
      • ISTSVC.EXE
    3. Select the malware processes, then press either the End Task or the End Process button, depending on the version of Windows on your system.
    4. To check if the malware processes has been terminated, close Task Manager, and then open it again.
    5. Close Task Manager.

    *NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

    Removing Autostart Entries from the Registry

    Removing autostart entries from the registry prevents the malware from executing at startup.

    1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
    2. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>Software>Microsoft>
      Windows>CurrentVersion>Run
    3. In the right panel, locate and delete the following entries:
      • ControlPanel = "%System%\host32.exe internat.dll,LoadKeyboardProfile"
      • IST Service = "%Program Files%\ISTsvc\istsvc.exe"
      • Windows SyncroAd = "%Program Files%\Windows SyncroAd\SyncroAd.exe"
      • msbb = "c:\temp\msbb.exe"
      • cuszkrea = "%System%\mwvlfqxx.exe"
      • gjmt = "%Windows%\gjmt.exe"
      • Power Scan = "%Program Files%\Power Scan\powerscan.exe"
      • conscorr = "%Windows%\conscorr.exe"

      (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP. %Program Files% is the default Program Files folder, usually C:\Program Files. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
    4. Close Registry Editor.

    NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

    Additional Windows ME/XP Cleaning Instructions

    Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

    Users running other Windows versions can proceed with the succeeding procedure sets.

    Running Trend Micro Antivirus

    Scan your system with Trend Micro antivirus and delete all files detected as TROJ_DELF.DW. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro�s free online virus scanner.


    Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.