| Malware name | Trojan.Proxy.Delf.CA | | Type | Trojan | | Affected platform | Win32 | | Media-Type | application/executable | | MD5 checksum | 916EDE7E54C83F11F0F99F7E53178A3B | | Static file | yes | | Filesize | 28,833 Bytes | Alias names
(also known as) | | Webwasher Proactive | Win32.Malware.gen#FSG | | Sophos | Mal/DelpDldr-C | | McAfee | W32/Fujacks | | CA ETrust | Win32/Emerleox.BI |
| | Protection | | Webwasher Proactive | Database Version: 57 |
| | Side effects | - Disable security applications
- Downloads files
- Drops files
- Lowers security settings
- Registry modification
| | Propagation | - Local network
- Mapped network drives
|
|
Description:
Files
It copies itself to the following locations:
• %SYSDIR%\drivers\spoclsv.exe
•
%drive%\setup.exe
Sections are added to the following files.
– To:
%all directories%\*.htm With the following contents:
• iframe src=http://www.krvkr.com/********** width=0 height=0 /iframe
This renames a file after system reboot.
– To:
%all directories%\*.html With the following contents:
• iframe src=http://www.krvkr.com/********** width=0 height=0 /iframe
– To:
%all directories%\*.asp With the following contents:
• iframe src=http://www.krvkr.com/********** width=0 height=0 /iframe
– To:
%all directories%\*.php With the following contents:
• iframe src=http://www.krvkr.com/********** width=0 height=0 /iframe
– To:
%all directories%\*.jsp With the following contents:
• iframe src=http://www.krvkr.com/********** width=0 height=0 /iframe
– To:
%all directories%\*.aspx With the following contents:
• iframe src=http://www.krvkr.com/********** width=0 height=0 /iframe
The following files are created:
–
%all directories%\Desktop_.ini This is a non malicious text file with the following content:
•
%current date%–
%drive%\autorun.inf This is a non malicious text file with the following content:
•
%code that runs malware% It tries to download a file:
– The location is the following:
• http://www.baidu8.org/**********/xm.txt
This file may contain further download locations and might serve as source for new threats.
Registry
The following registry key is continuously in an infinite loop added in order to run the process after reboot.
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• %SYSDIR%\drivers\spoclsv.exe
The values of the following registry key are removed:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• RavTask
• KvMonXP
• kav
• KAVPersonal50
• McAfeeUpdaterUI
• Network Associates Error Reporting Service
• ShStatEXE
• YLive.exe
• yassistse
The following registry key is changed:
Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL]
Old value:
• CheckedValue =
%user defined settings% New value:
• CheckedValue = 0
Network Infection
In order to ensure its propagation the malware attemps to connect to other machines as described below.
It uses the following login information in order to gain access to the remote machine:
– The following list of usernames:
• Administrator
• Guest
• admin
• Root
– The following list of passwords:
• 1234; password; 6969; harley; 123456; golf; pussy; mustang; 1111;
shadow; 1313; fish; 5150; 7777; qwerty; baseball; 2112; letmein;
12345678; 12345; ccc; admin; 5201314; qq520; 123; 1234567; 123456789;
654321; 54321; 111; 000000; abc; 11111111; 88888888; pass; passwd;
database; abcd; abc123; sybase; 123qwe; server; computer; 520; super;
123asd; ihavenopass; godblessyou; enable; 2002; 2003; 2600; alpha;
110; 111111; 121212; 123123; 1234qwer; 123abc; 007; aaa; patrick; pat;
administrator; root; sex; god; fuckyou; fuck; test; test123; temp;
temp123; win; asdf; pwd; qwer; yxcv; zxcv; home; xxx; owner; login;
Login; pw123; love; mypc; mypc123; admin123; mypass; mypass123; 901100
IP address generation: It creates random IP addresses while it keeps the first three octets from its own address. Afterwards it tries to establish a connection with the created addresses.
Infection process: The downloaded file is stored on the compromised machine as:
%all shared folders%\GameSetup.exe
Slow down:– It creates the following number of infection threads: 9
– Depending on your bandwidth you might notice a fall in your network speed. As the network activity for this malware is medium you might not take notice of this if you have a broadband connection.
– You might also note a slight slow down due to the multiple network threads created.
Process termination
List of processes that are terminated:
• Mcshield.exe; VsTskMgr.exe; naPrdMgr.exe; UpdaterUI.exe; TBMon.exe;
scan32.exe; Ravmond.exe; CCenter.exe; RavTask.exe; Rav.exe;
Ravmon.exe; RavmonD.exe; RavStub.exe; KVXP.kxp; KvMonXP.kxp;
KVCenter.kxp; KVSrvXP.exe; KRegEx.exe; UIHost.exe; TrojDie.kxp;
FrogAgent.exe; Logo1_.exe; Logo_1.exe; Rundl132.exe
Processes containing one of the following window titles are terminated:
• Symantec AntiVirus
• Duba
• Windows
• esteem procs
• System Safety Monitor
• Wrapped gift Killer
• Winsock Expert
List of services that are disabled:
• sharedaccess; RsCCenter; RsRavMon; RsCCenter; RsRavMon; KVWSC;
KVSrvXP; KVWSC; KVSrvXP; AVP; kavsvc; McAfeeFramework; McShield;
McTaskManager; McAfeeFramework; McShield; McTaskManager; navapsvc;
wscsvc; KPfwSvc; SNDSrvc; ccProxy; ccEvtMgr; ccSetMgr; SPBBCSvc;
Symantec Core LC; NPFMntor; MskService; FireSvc
File details
Programming language:
The malware program was written in Delphi.
Runtime packer: In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• FSG
