English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeDescriptionsBackdoor.Win32.Delf.aow

Backdoor.Win32.Delf.aow

Detected Jun 25 2007 11:43 GMT
Released Jun 25 2007 11:43 GMT
Published Apr 11 2008 13:09 GMT

Manual description Auto description
This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.

Technical Details
Payload
Removal instructions

Technical Details

This malicious program provides a remote user with access to the victim machine. It is a Windows PE EXE file. It is approximately 200KB in size. It is packed using UPX. The unpacked file is approximately 518KB in size. It is written in Borland Delphi.

Installation

Once launched, the backdoor checks to see if the name of its file coincides with the following string:

"IEXPLORE.EXE"

If this is not the case, the backdoor will check if the file is a copy of a malicious program located in the Windows system directory in a file called "spoolsn.exe":

%System%\spoolsn.exe

If there is no file called "spoolsn.exe" present on the system, the backdoor checks for a file called "klick.sys" in the "drivers" subfolder of the Windows system directory:

%System%\drivers\klick.sys

If this file is present on the system, a batch file called "batset.bat" will be created in the Windows system directory and launched for execution:

%System%\batset.bat

This file is 87 bytes in size, and will be detected by Kaspersky Anti-Virus as Trojan.BAT.KillAV.ec

The backdoor then creates a copy of its body in the "spoolsn.exe" file in the Windows system directory:

%System%\spoolsn.exe

and ascribes "hidden" and "system" attributes to this file.

The backdoor uses Services Management to delete the service with the following name:

Windows_Serve

After a one second pause, it will register a copy of the malicious file as a system service which will run automatically. The name of the service is as follows:

Windows_Serve

The name that will be displayed is as follows:

Windws_Server

And the description is as follows:

Wndows_Serve

The copy of the malicious file will then be launched:

%System%\spoolsn.exe

A batch file called "Deleteme.bat" will also be created and launched in the Windows system directory. This file will delete both itself and the original copy of the malicious program.

%System%\Deleteme.bat

The copy of the malicious program will then cease running.


Payload

The backdoor provides a remote malicious user with the ability to manage the victim machine by establishing a TCP connection to port 8820 on a remote server called "asw412.3***.org":

asw412.3***.org:8820

The remote malicious user will then be able to:

  1. get information about the victim machine including: computer name; list of network connections; type of operating system; processing power; amount of RAM This data is saved to a log-file called "DDOSBZ.TXT" in the Windows system directory:
    %System%\DDOSBZ.TXT
  2. delete the malicious program from the system;
  3. log off, shut down or reboot the infected system;
  4. use the victim machine as a proxy serve;
  5. conduct a variety of DDoS attacks;
  6. download and save files to the Windows system directory under randomly generated names, and then launch these files;
  7. set the Internet Explorer home page;
  8. set various security policies;
  9. autorun malicious programs.

It is possible to determine if a copy of the malicious program is running by the presence of a process called "spoolsn.exe" in the list of processes; this is a hidden copy of Internet Explorer ("iexplore.exe").

The backdoor also disables the autorunning of files on logical disks by setting the following system registry parameter value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = 0x00000000

It then creates copies of the malicious file, called "spoolsn.exe" in the root directories of all logical disks:

.\spoolsn.exe

It also creates files called "AutoRun.inf" which are 29 bytes in size, and which will autorun the copies of the malicious file.


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete files called "AutoRun.inf" from the root directories of all logical disks.
  2. Use Task Manager to terminate the original Trojan process and the processes listed below:
    spoolsn.exe
    iexplore.exe
  3. Delete the original malicious file (its location will depend on how the program originally penetrated the victim machine). Delete all files called "spoolsn.exe" from the Windows system directory and from the root directories of all logical disks:
    %System%\spoolsn.exe
    .\spoolsn.exe
  4. Delete the following system registrykey:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows_Serve]
  5. Delete the following files:
    %System%\Deleteme.bat
    %System%\batset.bat
  6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).


Print
Bookmark and Share
Share
Trojans
Backdoor

Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.

These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.

The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.

There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them.


Other versions
Backdoor.Win32.Delf.akw
Backdoor.Win32.Delf.duc
Backdoor.Win32.Delf.ugd
Backdoor.Win32.Delf.vb

Aliases

Backdoor.Win32.Delf.aow (Kaspersky Lab) is also known as:

  • IM-Worm.Win32.Slaper.aow (Kaspersky Lab)
  • VirTool.Win32.Agent.aow (Kaspersky Lab)
  • Exploit.JS.Galepo.aow (Kaspersky Lab)
  • IM-Flooder.Win32.MiniKeyLog.aow (Kaspersky Lab)
  • Constructor.Win32.Vipdataend.aow (Kaspersky Lab)
  • Trojan: generic!bg.zi (McAfee)
  • Mal/Behav-058 (Sophos)
  • Trojan.Delf-983 (ClamAV)
  • Trj/Downloader.MDW (Panda)
  • W32/Banload.A.gen!Eldorado (FPROT)
  • Backdoor:Win32/Hupigon.EA (MS(OneCare))
  • Trojan.DownLoader.46913 (DrWeb)
  • Win32/Hupigon trojan (Nod32)
  • Trojan.Inject.GO (BitDef7)
  • Win32:Delf-DNR [Trj] (AVAST)
  • Trojan-Dropper.Delf (Ikarus)
  • TR/ATRAPS.Gen (AVIRA)
  • W32/Obfuscated.G!genr (Norman)
  • Backdoor.Win32.Gpigeon.vu (Rising)
  • Backdoor.Win32.Delf.aow [AVP] (FSecure)
  • BKDR_Generic (TrendMicro)

© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search