Trojan.Win32.Delf.cbbm – This Trojan gives a remote attacker access to the infected computer.
Technical details
This Trojan gives a remote attacker access to the infected computer. It is a Windows dynamic-link library (PE DLL file), 751,725 bytes in size, written in Delphi.
Destructive activity
Once launched, the Trojan connects to one of the following attacker-controlled servers:
– cache.dyndns.tv
– docs.dyndns.org
– dns.dellsupports.com
– krb.dellsupports.com
It sends the following information to the attacker's server:
– computer name;
– IP address of the infected system;
– name and version of the operating system;
– list of processes running on the system.
The collected system information is stored in the Trojan's working directory in a file named "log.dat":
%Work%\log.dat
The Trojan copies its body to the following directories on the Terminal Server Client share (tsclient):
\\tsclient\%WinDir%\SysWoW64\<original Trojan file name>.dll
\\tsclient\%System%\<original Trojan file name>.dll
The Trojan creates an SQL table named "siweb3file" in which it stores the commands to run. Using these commands it creates a task named "abc82", which gives the attacker shell access to the infected system. The command list can be updated from the malicious server.
At the time of writing, the servers listed above were not operational.
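As an added defensive example (not part of the original description), the Python below checks constructed DNS-log lines, file paths and scheduled-task names against the indicators listed above. The log-line format, the sample values and the assumption that %System% expands to System32 are mine, not the description's.

```python
import re
from typing import Dict, Iterable, List

# Indicators taken from the description above.
C2_DOMAINS = {"cache.dyndns.tv", "docs.dyndns.org",
              "dns.dellsupports.com", "krb.dellsupports.com"}
TASK_NAME = "abc82"
# DLL copies under the Terminal Server Client share keep the original Trojan
# file name, so only the directory is matched (%System% assumed to be System32).
TSCLIENT_DROP = re.compile(
    r"^\\\\tsclient\\.*\\(syswow64|system32)\\[^\\]+\.dll$", re.IGNORECASE)

def scan_dns_log(lines: Iterable[str]) -> List[str]:
    """Return '<client> -> <qname>' for queries to a listed C2 domain.
    Expects constructed log lines shaped '<timestamp> <client-ip> <qname>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip it
        qname = parts[2].rstrip(".").lower()
        if qname in C2_DOMAINS:
            hits.append(f"{parts[1]} -> {qname}")
    return hits

def scan_paths(paths: Iterable[str]) -> List[str]:
    """Return file paths that sit in the tsclient drop locations."""
    return [p for p in paths if TSCLIENT_DROP.match(p.strip())]

def scan_tasks(task_names: Iterable[str]) -> List[str]:
    """Return scheduled-task names equal to the Trojan's task (case-insensitive)."""
    return [t for t in task_names if t.strip().lower() == TASK_NAME]

def check_host(dns_lines, paths, task_names) -> Dict[str, List[str]]:
    """Collect every indicator match, keyed by indicator type; empty keys are dropped."""
    report = {"c2_dns": scan_dns_log(dns_lines),
              "tsclient_dll": scan_paths(paths),
              "task": scan_tasks(task_names)}
    return {k: v for k, v in report.items() if v}

# Constructed sample input (not real telemetry).
SAMPLE_DNS = ["2024-01-01T10:00:00Z 10.0.0.7 www.example.com.",
              "2024-01-01T10:00:05Z 10.0.0.7 krb.dellsupports.com.",
              "2024-01-01T10:00:09Z 10.0.0.9 CACHE.DYNDNS.TV"]
SAMPLE_PATHS = [r"\\tsclient\C$\Windows\SysWoW64\update.dll",
                r"C:\Windows\System32\kernel32.dll"]
SAMPLE_TASKS = ["Adobe Acrobat Update Task", "abc82"]

if __name__ == "__main__":
    for kind, hits in check_host(SAMPLE_DNS, SAMPLE_PATHS, SAMPLE_TASKS).items():
        print(kind, hits)
```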
Removal
If your computer was not protected by an antivirus product and has been infected with this malware, take the following steps to remove it:
Delete the original Trojan file (its location depends on how the program originally penetrated the victim machine).
Clear the Temporary Internet Files directory, which may contain infected files.