Trojan-Dropper.Win32.Delf.grq

Detected Sep 16 2010 10:53 GMT
Released Sep 16 2010 17:06 GMT
Published Oct 12 2010 14:03 GMT

This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.

Technical Details

This Trojan is designed to install and launch other programs on the victim machine without the user's knowledge or consent. It is a Windows application (PE EXE file) of 556 544 bytes, packed with ASProtect; the unpacked file is approximately 915 KB in size. It is written in Delphi.


Payload

Once launched, the Trojan extracts the following files from its body to the current user's temporary directory:

%Temp%\Blocked dealers.xls
%Temp%\tmp.exe
The "tmp.exe" file is 349 184 bytes in size and is detected by Kaspersky Anti-Virus as Trojan-Dropper.Win32.Delf.grq.

The Trojan then opens the extracted "Blocked dealers.xls" file with the application associated with this file type (a decoy document) and runs the extracted "tmp.exe" file, which steals access keys for the "CyberPlat" payment processing system. The "tmp.exe" component has the following payload:

The Trojan checks for the presence of the following registry key:

[HKCU\Software\IprivCom\Keys]
If the key is missing (i.e. the CyberPlat client is not installed), the Trojan creates a command interpreter file in its working directory and uses it to delete its own body:
%WorkDir%\<rnd1>.bat
where <rnd1> is a random set of numbers.

If the registry key exists, the Trojan creates a copy of its body in the Windows system directory under the name:

%System%\iprivcom2.exe
It also extracts a file from its body and writes it to the Windows system directory as:
%System%\iprivcom.dll
This file is 11 776 bytes in size and is detected by Kaspersky Anti-Virus as Backdoor.Win32.Poison.bxbv.

It sets the "hidden" attribute on the following files and sets their creation date to the creation date of the Windows directory, so that they do not stand out as recently created:

%System%\iprivcom2.exe
%System%\iprivcom.dll

The Trojan calls the "SetStartUp" function exported by the extracted "iprivcom.dll" file to register its body in the Windows autorun key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Authorization Interface"="%System%\iprivcom2.exe"
The Trojan calls the "HideProcess" function exported by the extracted "iprivcom.dll" file to hide its process in the system.

It determines the language installed in the system and, on that basis, searches either for Russian-language strings (if the system language is set to Russian) or for English-language strings (in all other cases).

It searches for and terminates the application whose window has one of the following titles:

User identification
User authorization
It then creates a window that imitates the one it closed. This allows the Trojan to capture the passphrase for the private key when the user re-enters it.

It uses the following system registry key to determine where the private key is stored:

[HKCU\Software\IprivCom\Keys]
It creates a copy of the private key in the current user's temporary directory under the name:
%Temp%\<rnd2>.key
where <rnd2> is a random set of numbers.

The Trojan then encodes the copied key, using the following intermediate file:

%Temp%\<rnd2>.tmp
where <rnd2> is a random set of numbers.

It then uses the POST method to send the created file to the following address:

http://m***er.am/gates/cgr-gate_2/in_key.php
It creates a file in the current user's temporary directory in which it saves information about the infected system, such as the user ID, system version, local time, time zone, installed keys, and the passphrase to the private key:
%Temp%\<rnd2>.cgr
where <rnd2> is a random set of numbers.

It uses the POST method to send the created file to the following address:

http://m***er.am/gates/cgr-gate_2/in_rep.php
The Trojan then ceases running.
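As an added defender-side triage check (not part of the Kaspersky description), the following Python models the persistence and file artifacts listed above and flags them in a host inventory. The inventory, directory paths, timestamps and the random file name are constructed sample data; on a real host the same checks would be fed from the Run key and a directory listing.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class FileEntry:
    path: str            # full path, e.g. C:\Windows\system32\iprivcom.dll
    hidden: bool         # FILE_ATTRIBUTE_HIDDEN set
    created: datetime    # file creation timestamp

DROPPED_SYSTEM_FILES = ("iprivcom2.exe", "iprivcom.dll")
TEMP_ARTIFACTS = ("blocked dealers.xls", "tmp.exe")
TEMP_SUFFIXES = (".key", ".tmp", ".cgr")      # <rnd2>.key / .tmp / .cgr

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_run_key(run_values):
    """Flag the autorun entry the dropper registers under HKLM\\...\\Run."""
    hits = []
    for name, command in run_values.items():
        if name == "Authorization Interface" or basename(command) == "iprivcom2.exe":
            hits.append(f"autorun: {name!r} -> {command}")
    return hits

def check_files(files, system_dir, temp_dir, windows_dir_created):
    """Flag dropped system files (hidden, timestomped) and temp-directory artifacts."""
    hits = []
    sys_prefix = system_dir.lower().rstrip("\\") + "\\"
    tmp_prefix = temp_dir.lower().rstrip("\\") + "\\"
    for f in files:
        p, name = f.path.lower(), basename(f.path)
        if p.startswith(sys_prefix) and name in DROPPED_SYSTEM_FILES:
            detail = ["hidden"] if f.hidden else []
            if f.created == windows_dir_created:
                detail.append("creation time matches Windows directory")
            hits.append(f"dropped file: {f.path} ({', '.join(detail) or 'no extra attributes'})")
        elif p.startswith(tmp_prefix) and (
                name in TEMP_ARTIFACTS or (name.endswith(TEMP_SUFFIXES) and name[:-4].isdigit())):
            hits.append(f"temp artifact: {f.path}")
    return hits

def triage(run_values, files, system_dir, temp_dir, windows_dir_created):
    return check_run_key(run_values) + check_files(files, system_dir, temp_dir, windows_dir_created)

# Constructed sample inventory: an infected host with one legitimate Run entry and decoy files.
WINDOWS_CREATED = datetime(2009, 7, 14, 3, 20, 0)
SAMPLE_RUN = {"Authorization Interface": r"C:\Windows\system32\iprivcom2.exe",
              "ctfmon.exe": r"C:\Windows\system32\ctfmon.exe"}
SAMPLE_FILES = [
    FileEntry(r"C:\Windows\system32\iprivcom2.exe", True, WINDOWS_CREATED),
    FileEntry(r"C:\Windows\system32\iprivcom.dll", True, WINDOWS_CREATED),
    FileEntry(r"C:\Windows\system32\kernel32.dll", False, WINDOWS_CREATED),
    FileEntry(r"C:\Users\u\AppData\Local\Temp\Blocked dealers.xls", False, datetime(2010, 9, 16, 10, 0)),
    FileEntry(r"C:\Users\u\AppData\Local\Temp\48213.cgr", False, datetime(2010, 9, 16, 10, 1)),
    FileEntry(r"C:\Users\u\AppData\Local\Temp\report.docx", False, datetime(2010, 9, 16, 9, 0)),
]
```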


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the following system registry value:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Authorization Interface"="%System%\iprivcom2.exe"
  2. Reboot the system.
  3. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  4. Delete the following files:
    %WorkDir%\<rnd1>.bat
    %System%\iprivcom2.exe
    %System%\iprivcom.dll
    %Temp%\Blocked dealers.xls
    %Temp%\tmp.exe
    %Temp%\<rnd2>.key
    %Temp%\<rnd2>.tmp
    %Temp%\<rnd2>.cgr
    
    where <rnd1> and <rnd2> are random sets of numbers.
  5. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases.

MD5: 20F6CE58A8F06D3AC4D15C894487E973
SHA1: 181FF4592E0325C685BDFB90AA10053E336C2BA9

Trojan-Dropper

Trojan-Dropper programs are designed to secretly install the malicious programs embedded in their code on victim computers.

This type of malicious program usually saves a range of files to the victim's drive (typically the Windows directory, the Windows system directory, a temporary directory, etc.) and launches them without any notification (or with a fake notification of an archive error, an outdated operating system version, etc.).

Such programs are used by hackers to:

  • secretly install Trojan programs and/or viruses
  • protect known malicious programs from detection by antivirus solutions; not all antivirus programs are capable of scanning all the components inside this type of Trojan.

Aliases

Trojan-Dropper.Win32.Delf.grq (Kaspersky Lab) is also known as:

  • Trojan: Generic.dx!tuk (McAfee)
  • Mal/Generic-L (Sophos)
  • W32/IrcBot.C.gen!Eldorado (FPROT)
  • TrojanDropper:Win32/OnLineGames.J (MS(OneCare))
  • Trojan.MulDrop1.46336 (DrWeb)
  • Win32/Delf.NWM trojan (Nod32)
  • Gen:Trojan.Heur.HKWavTQ@tBkcI (BitDef7)
  • Trojan.DR.Delf!rKJGyzkxSkg (VirusBuster)
  • Win32:Delf-ALP [Trj] (AVAST)
  • Trojan-Dropper.Win32.Delf (Ikarus)
  • Trojan.Gen (NAV)
  • W32/Suspicious_Gen2.CVGJI (Norman)
  • Trojan-Dropper.Win32.Delf.grq [AVP] (FSecure)
  • Trojan.DR.Delf!rKJGyzkxSkg (VirusBusterBeta)