English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeDescriptionsBackdoor.Win32.Delf.ugd

Backdoor.Win32.Delf.ugd

Detected Apr 29 2010 20:43 GMT
Released Apr 30 2010 02:53 GMT
Published May 19 2010 10:58 GMT

Technical Details
Payload
Removal instructions

Technical Details

This Trojan provides a malicious user with remote access to the infected computer. It is a Windows application (PE EXE file). It is 365 568 bytes in size. It is written in Delphi.

Installation

Once launched, the Trojan extracts the following files from its body to the system directory: 

%System%\kboem32.datbytes
%System%\crt4.dllbytes, detected by Kaspersky Anti-Virus as Backdoor.Win32.Delf.ugd
%System%\kbdatat4.dllbytes
%System%\kbddta.dllbytes, detected by Kaspersky Anti-Virus as Trojan.Win32.Delf.wtp
%System%\kbsnd32.dllbytes, detected by Kaspersky Anti-Virus as Trojan.Win32.Delf.wtr
%System%\kbupdate.dllbytes, detected by Kaspersky Anti-Virus as Trojan.Win32.Delf.wto
The malware then launches the following file for execution: 
%System%\svchost.exe
and injects the malicious functionality of the following library into that process's address space: 
%System%\crt4.dll
For its malicious library "kbupdate.dll" to launch automatically each time the system is rebooted and also upon exiting the system, the Trojan creates the following key in the system registry: 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Winlogon\Notify\kbupdate]
"DllName" = "kbupdate.dll"
"Startup" = "WinlogonStartupEvent"
"Logoff" = "WinlogonLogoffEvent"
"Shutdown" = "WinlogonLogoffEvent"
"Asynchronous" = 0x00000001
"Impersonate" = 0x00000000


Payload

The malicious program contains a built-in keylogger which saves the keylog in the encrypted file: 

%System%\kboem32.dat
It launches a hidden HTTP proxy server on a random TCP port on the user's computer.

It contains a built-in Gnutella P2P protocol client, by means of which it enters this peer-to-peer network and can download files from here to the user's computer, saving them under different names in the %System% folder. The backdoor also enables the malicious users to download files chosen by them from the infected computer via the P2P network.

The backdoor establishes a connection with the following address: 

89.149.***.46:8014
from which it receives a script in an encrypted form, which determines the backdoor's subsequent actions in the system.


Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).

  2. Delete the following system registry key: 
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kbupdate]
Delete the following files:
%System%\kboem32.dat
%System%\crt4.dl 
%System%\kbdatat4.dll
%System%\kbddta.dll
%System%\kbsnd32.dll
%System%\kbupdate.dll
  3. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).



Print
Bookmark and Share
Share
Trojans
Backdoor

Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.

These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.

The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.

There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them.


Other versions
Backdoor.Win32.Delf.akw
Backdoor.Win32.Delf.aow
Backdoor.Win32.Delf.duc
Backdoor.Win32.Delf.vb

Aliases

Backdoor.Win32.Delf.ugd (Kaspersky Lab) is also known as:

  • Trojan: Generic BackDoor!cqo (McAfee)
  • Mal/Generic-L (Sophos)
  • Trj/Downloader.MDW (Panda)
  • Trojan:Win32/Lukicsel.E (MS(OneCare))
  • BackDoor.Siggen.24426 (DrWeb)
  • Win32/Lukicsel.B trojan (Nod32)
  • Backdoor.Generic.322612 (BitDef7)
  • Backdoor.Delf!3sRMZvobzlU (VirusBuster)
  • Win32:Lukicsel [Trj] (AVAST)
  • Trojan.Win32.Lukicsel (Ikarus)
  • Generic17.BLSN (AVG)
  • Trojan Horse (NAV)
  • W32/Lukicsel.B (Norman)
  • Trojan.Win32.Generic.52018490 (Rising)
  • Backdoor.Win32.Delf.ugd [AVP] (FSecure)
  • BKDR_DELF.FIN (TrendMicro)
  • Trojan.Win32.Generic!BT (Sunbelt)
  • Backdoor.Delf!3sRMZvobzlU (VirusBusterBeta)

© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search