Internet threat level: 1
Home→Descriptions→Backdoor.Win32.Delf.vb
Backdoor.Win32.Delf.vb
| Detected | Feb 08 2005 10:17 GMT |
| Released | Feb 08 2005 10:17 GMT |
| Published | Apr 06 2005 13:06 GMT |
Technical Details
This Trojan program provides a remote malicious user with full control over the infected machine. The Trojan itself is a Windows PE EXE file, written in Borland Delphi and packed using ASPack. The packed file is approximately 293KB in size, and the unpacked file is approximately 795KB in size.
Once launched, the program creates a file called “glduid.dll” in the Windows system directory:
%System%\glduid.dll
The program functions either as a standard application, or, if the victim machine is running Windows NT/2000/XP, as a service called “Network Host Controller”.
If it is running as a service, the program will create the following registry branch:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nethost]
If the victim machine is running Windows 95.98.ME, the Trojan will create the following registry value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] Network Host Controller
This ensures that the backdoor will be executed each time Windows is rebooted.
The backdoor connects to an IRC server via TCP port 3195 in order to receive commands from the remote malicious user.
Once the program has established a connection to an IRC server, the remote malicious user can cause the Trojan to scan other computers for open network resources, and for unpatched common vulnerabilities such as LSASS, DCOM, Microsoft IIS Extended Unicode Traversal vulnerability. The Trojan will be able to install itself on vulnerable machines.
The remote malicious user is able to download and install new versions of the Trojan, launch UDP, SYN and ICMP attacks on the infected computer, download, launch and delete files, terminate processes and access information about the infected computer and its users.
Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.
These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.
The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.
There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them.
Backdoor.
- W32/Kassbot-B (Sophos)
- Exploit.
DCOM. Gen (ClamAV) - Trj/Downloader.
MDW (Panda) - W32/Infostealer.
A!Maximus (FPROT) - Exploit:
Win32/RpcDcom. gen (MS(OneCare)) - BackDoor.
Angel. 36 (DrWeb) - unknown NewHeur_PE virus (Nod32)
- Generic.
XPL. IIS. AAF33774 (BitDef7) - Backdoor.
Delf. DCGX (VirusBuster) - Win32:
Agent-DCI [Trj] (AVAST) - Trojan-Dropper.
Delf (Ikarus) - BackDoor.
Generic11. WOO (AVG) - BDS/Delf.
VB. 9 (AVIRA) - W32.
Blaster. Worm (NAV) - W32/Delf.
DWJF (Norman) - BKDR_DELF.
OYQ (TrendMicro)
© 1997-2010 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.