Malware Trojan.Win32.Delf.cbbm

Posted: September 2, 2012 in Encyclopedia viruses
Virus Alert: Trojan.Win32.Delf.cbbm – a Trojan that gives a remote malicious user access to the infected computer.

Technical details

This Trojan gives a remote malicious user access to the infected computer. It is a Windows dynamic-link library (PE DLL file), 751,725 bytes in size, written in Delphi.

Payload

Once launched, the Trojan connects to one of the following attacker-controlled servers:

– cache.dyndns.tv;

– docs.dyndns.org;

– dns.dellsupports.com;

– krb.dellsupports.com.

It then sends the following information to the attacker's server:

– computer name;

– IP address of the infected system;

– version and the name of the operating system;

– list of running processes in the system.

The collected system information is stored in the Trojan's working directory in a file named "Log.dat":

%Work%\log.dat

The Trojan copies its body to the following directories on the Terminal Server Client (tsclient) share:

\\tsclient\%WinDir%\SysWoW64\<original name of the Trojan>.dll

\\tsclient\%System%\<original name of the Trojan>.dll

The Trojan creates an SQL table named "siweb3file", which stores the commands to be run. Using these commands, the Trojan creates a scheduled task named "abc82", which gives the attacker shell access to the infected system. The list of commands can be updated from the malicious server.

At the time of writing, the servers listed above were not operational.
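As an added example (not part of the original description), the following Python script turns the indicators above into a simple detector and runs it over constructed sample telemetry. It assumes a hypothetical event schema (host/type/value records) and that %WinDir%\SysWoW64 and %System% expand to the SysWoW64 and System32 directories under the Windows directory.

```python
import re

# Indicators taken from the description above.
C2_DOMAINS = {"cache.dyndns.tv", "docs.dyndns.org",
              "dns.dellsupports.com", "krb.dellsupports.com"}
TASK_NAME = "abc82"
# Any DLL written under \\tsclient\...\SysWoW64 or \\tsclient\...\System32
# (assumed expansion of %WinDir%\SysWoW64 and %System%); the dropped file
# keeps the Trojan's original name, so the file name itself is not an indicator.
TSCLIENT_DLL = re.compile(
    r"^\\\\tsclient\\.*\\(syswow64|system32)\\[^\\]+\.dll$", re.IGNORECASE)


def match_indicator(event):
    """Return the indicator name an event matches, or None.
    `event` is a dict with 'host', 'type' and 'value' (hypothetical schema)."""
    kind, value = event["type"], event["value"].strip()
    if kind == "dns" and value.lower().rstrip(".") in C2_DOMAINS:
        return "c2_domain"
    if kind == "file_create" and TSCLIENT_DLL.match(value):
        return "tsclient_dll_copy"
    if kind == "task_create" and value.lower() == TASK_NAME:
        return "shell_task"
    return None


def scan(events):
    """Return (host, indicator) pairs for every event that matches."""
    hits = []
    for event in events:
        hit = match_indicator(event)
        if hit:
            hits.append((event["host"], hit))
    return hits


# Constructed sample telemetry (not real logs): one hit and one benign
# record per event type.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "dns", "value": "cache.dyndns.tv."},
    {"host": "ws01", "type": "dns", "value": "update.microsoft.com"},
    {"host": "ws02", "type": "file_create",
     "value": r"\\tsclient\C\Windows\SysWoW64\svcmon.dll"},
    {"host": "ws02", "type": "file_create",
     "value": r"C:\Windows\SysWoW64\kernel32.dll"},
    {"host": "ws03", "type": "task_create", "value": "ABC82"},
    {"host": "ws03", "type": "task_create", "value": "GoogleUpdateTaskMachineUA"},
]

if __name__ == "__main__":
    for host, hit in scan(SAMPLE_EVENTS):
        print(f"{host}: {hit}")
```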

Removal

If your computer was not protected by antivirus and has been infected with this malware, take the following steps to remove it:

Delete the original Trojan file (its location will depend on how the program originally reached the victim machine).
Clear the Temporary Internet Files directory, which may contain infected files.
