Trojan.Win32.Delf.kf

tag:Trojans  

This Trojan changes the configuration of the Winny file-sharing client on the victim machine in order to give access to user files on the victim machine.

The Trojan itself is a Windows PE EXE file 199241 bytes in size, packed using FSG. The unpacked file is approximately 700KB in size.

Installation

Once launched, the Trojan causes an error message in Japanese to be displayed.

When installing, the Trojan copies itself as "host.exe" to the following directory:

%System%\drivers\host.exe

It then registers this file in the system registry, ensuring that the Trojan will be launched each time Windows is rebooted on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"host"="%System%\drivers\host.exe"

Payload

The Trojan modifies the UpFolder.txt file in the Winny client catalogue. This configuration file contains paths to the files which will be made accessible to all.

The Trojan modifies UpFolder.txt by adding paths to directories which contain files with the following extensions:

asf
avi
bak
BAK
bas
BAS
bat
BAT
bin
BIN
bmp
BMP
cab
CAB
cfg
CFG
chm
CHM
class
CLASS
com
COM
cpp
CPP
dat
DAT
dll
DLL
exe
EXE
frm
FRM
gca
GCA
gif
GIF
hlp
HLP
htm
HTM
html
HTML
img
IMG
inf
INF
ini
INI
iso
ISO
java
JAVA
jpg
js
JS
jse
JSE
lnk
LNK
log
LOG
lzh
LZH
mov
mp3
MP3
mpg
ocx
OCX
ogm
OGM
pas
PAS
png
PNG
ra
RA
ram
RAM
rar
RAR
reg
REG
rm
RM
scr
SCR
swf
SWF
sys
SYS
TXT
txt
url
URL
vbp
VBP
vbs
VBS
vbw
VBW
vob
VOB
wav
WAV
wma
WMA
wmv
WMV
xml
XML
zip
ZIP

The Trojan also makes directories with the following names accessible to all:

.FILES
\BIN
\C#\
\C\
\C  \
\CPP\
\DEMO\
\DRM
\INCLUDE
\LIB
\LOTUS\
\VB\
_TS
ALBUM
AMPLE
APACHE
APP
AUDIO
BGM
BOOK
CABOS
CACHE
CAD
CANON
CASHE
COMMON
CONFIG
COOKIES
DELPHI
DISK
DIVX
DOWN
DRIVERS
DRV
DVD
EPSON
FJUTY
FONT
GAME
GBA
GIGA POCKET
HELP
HOMEPAGE
I386
ICON
ITUNES
JAVA
JUST
KEYGEN
LIMEWIRE
LOCAL
MANUAL
MUSIC
MY PICTURES\NENNGA
N64
NES
NIS
OPTION
PIFMAE
PLAYER
PLUGIN
PRINT
PROGRAM
PS2
README
RECENT
RECYCLE
SENDTO
SERIAL
SERVICE
SINGLE
SKIN
SOFT
SONICSTAGE
SOUND
SOURCE
SYSTEM
TANKEN
TEMP
TMP
TOOL
TORRENT
TOSUTILS
USERDATA
VALUE
VIDEO
VISUAL
WINNY
XBOX
YAHOO
YOUGO

If directory names contain Japanese symbols, the Trojan will also make these directories accessible to all.

The Trojan scans the following system registry keys for the email address of the user of the victim machine:

[HKCU\Software\Microsoft\Internet Account Manager\Default Mail Account]
[HKCU\Software\Microsoft\Internet Account Manager\Accounts\SMTP Email Address]

The Trojan then creates the following file in the C:\ root directory:

C:\

Removal instructions

1. Delete the following files:
%System%\drivers\host.exe
C:\
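The behaviour described in this entry (share-list tampering in UpFolder.txt, exposure of directories with listed names or Japanese characters, and the "host" Run value) can be turned into a simple integrity check. The following is an added example, not code from the encyclopedia or from Winny; it assumes UpFolder.txt holds one directory path per line, that a known-good copy of the file was saved earlier as a baseline, and that the Run value is read out separately and passed in as a string. The target-name set is a subset of the list in the entry, and the sample file contents are constructed.

```python
"""Added example: flag UpFolder.txt entries that appeared since a known-good
baseline, mark those matching the Trojan's described targets, and check a
Run-key value against the persistence entry described under Installation.

Assumptions (not stated by the entry): UpFolder.txt has one directory path per
line with blank lines ignored; the baseline is a copy saved while the Winny
configuration was known-good.
"""
import re
from dataclasses import dataclass, field

# Subset of the directory names the entry lists as "made accessible to all".
# Compared case-insensitively against each path component.
EXPOSED_DIR_NAMES = {
    "DELPHI", "DOWN", "KEYGEN", "SERIAL", "TORRENT", "WINNY", "TEMP", "TMP",
    "MUSIC", "VIDEO", "SOURCE", "USERDATA", "COOKIES", "RECENT", "SENDTO",
}

# Hiragana, Katakana and CJK ideographs: the entry says directories whose
# names contain Japanese characters are exposed as well.
JAPANESE = re.compile(r"[\u3040-\u30ff\u4e00-\u9fff]")


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def parse_upfolder(text: str) -> list:
    """Return the share paths in an UpFolder.txt body, in file order."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def indicators(path: str) -> list:
    """Reasons a share path resembles one the Trojan would add (may be empty)."""
    reasons = []
    components = [c for c in re.split(r"[\\/]", path) if c]
    for comp in components:
        if comp.upper() in EXPOSED_DIR_NAMES:
            reasons.append(f"directory name {comp!r} is on the Trojan's target list")
    if JAPANESE.search(path):
        reasons.append("path contains Japanese characters")
    return reasons


def added_entries(baseline_text: str, current_text: str) -> list:
    """Share paths present now but absent from the known-good baseline.

    Every added path is reported, because the Trojan also exposes directories
    that carry no distinctive name; the reasons list says which ones match the
    indicators from the entry."""
    known = {p.lower() for p in parse_upfolder(baseline_text)}
    return [Finding(p, indicators(p)) for p in parse_upfolder(current_text)
            if p.lower() not in known]


def run_value_matches_trojan(value_name: str, value_data: str) -> bool:
    """True if a HKLM\\...\\Run value is the "host" -> %System%\\drivers\\host.exe
    entry described under Installation (the path may already be expanded)."""
    data = value_data.strip().strip('"').lower()
    return value_name.lower() == "host" and data.endswith("\\drivers\\host.exe")


# Constructed sample data: a known-good share list and a modified one.
BASELINE = "C:\\Share\\Public\n"
CURRENT = (
    "C:\\Share\\Public\n"
    "C:\\Program Files\\DELPHI\\Bin\n"
    "D:\\写真\\2006\n"
    "C:\\Work\\Reports\n"
)

if __name__ == "__main__":
    for f in added_entries(BASELINE, CURRENT):
        tag = "; ".join(f.reasons) or "no listed indicator, review manually"
        print(f"added share: {f.path}  [{tag}]")
    print(run_value_matches_trojan("host", '"C:\\WINDOWS\\system32\\drivers\\host.exe"'))
```

Comparing against a baseline rather than against the name list alone matters here: the entry says the Trojan shares any directory holding files with common extensions, so a path such as C:\Work\Reports would be exposed without ever matching a listed name, and only the diff reveals it.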

©Virus-Encyclopedia.com All Rights Reserved.