Trojan.Win32.Delf.pf
| Alert Level : | Medium |
| Discovered: | Jun 01 2007 |
| Tag: | Trojans |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
This Trojan is a Windows PE EXE file. It is 25,372 bytes in size. It is packed using Petite. The unpacked file is approximately 44KB in size.
Installation
When launched, the Trojan copies its executable file to the Windows system directory:
%System%\wovexec.exe
In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan adds a link to its executable file in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] @ = "%System%\wovexec.exe"
Payload
The Trojan constantly searches for windows where the title contains the following strings:
Disk 3,5 (A:)
Properties: Disk 3,5 (A:)
If such a window is found, the Trojan will search for files on A:\ with a .doc extension. If such files are found, the Trojan will replace the contents with its body, while retaining the original file name, and adding the following extension: ".exe"
This Trojan
Trojan.Win32.Delf.pf removal instructions:
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the Trojan process which is called "wovexec.exe".
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Revert the system registry key value to the following (see "What is a system registry and how do I use it" for details on how to edit the registry):
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] @ = ""
- Delete the following file:
%System%\wovexec.exe
- Delete all copies of the Trojan from floppy disks.
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
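The check below is an added example, not part of the original description or of any vendor tool. It walks a drive or folder for the payload's result: files named like an original document with ".exe" appended that are actually Windows executables. It assumes the body written over each document is the 25,372-byte packed file described above; the function names and the default path are illustrative.

```python
import hashlib
import os
import sys
from collections import defaultdict

TROJAN_SIZE = 25372          # packed size stated in the description above
SUFFIX = ".doc.exe"          # original .doc name with ".exe" appended


def scan(root):
    """Return findings for files under root named *.doc.exe that start with a PE 'MZ' header."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SUFFIX):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable media or locked file: skip it
            if data[:2] != b"MZ":
                continue  # odd name, but not an executable
            findings.append({
                "path": path,
                "size_match": len(data) == TROJAN_SIZE,  # assumption: copy equals packed file
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return findings


def identical_groups(findings):
    """Group paths by hash; many names sharing one hash means one body replaced many documents."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["sha256"]].append(f["path"])
    return {h: sorted(p) for h, p in groups.items() if len(p) > 1}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "A:\\"
    found = scan(root)
    for f in found:
        tag = "size matches" if f["size_match"] else "size differs"
        print(f"{f['path']}  {tag}  sha256={f['sha256']}")
    for h, paths in identical_groups(found).items():
        print(f"{len(paths)} identical copies: {h}")
```

Pass the folder or drive to check as the first argument. Files it reports are candidates for the "delete all copies" step; the original document contents were overwritten and cannot be recovered from them.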

