Win32/Delf.QCZ [Threat Name]

Win32/Delf.QCZ [Threat Variant Name]

Category: trojan
Size: 1168896 B
Detection created: May 22, 2011
Signature database version: 6142
Aliases: Trojan-PSW.Win32.VKont.bjv (Kaspersky)
         Infostealer (Symantec)
         Backdoor:Win32/Delf.KV (Microsoft)
Short description

Win32/Delf.QCZ is a trojan that tries to download other malware from the Internet. It is spread via links posted on social networking sites. The trojan interferes with the operation of some security applications to avoid detection.

Installation

Win32/Delf.QCZ is a trojan that spreads through social networking sites.


The following social networking sites are affected:

  • Facebook

The trojan spreads through links that point to websites hosting malware.

If such a link is clicked, a copy of the trojan is downloaded.

When executed, the trojan copies itself to the following locations:

  • %windir%\update.1\svchost.exe
  • %windir%\services32.exe

The trojan creates the following files:

  • %temp%\%variable1%.bat
  • %temp%\%variable2%.bat
  • %windir%\proc_list1.log

The trojan may create the following files:

  • %windir%\update.tray-%number1%-%number2%\svchost.exe
  • %windir%\winlog-dirs.txt
  • %windir%\winlog-ids.txt
  • %windir%\front_ip_list.txt

A string with variable content is used instead of %variable1-2% and %number1-2%.


The trojan registers itself as a system service using the following name:

  • wxpdrivers

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "wxpdrv" = "%windir%\services32.exe"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wxpdrivers]
    • "Type" = 16
    • "Start" = 2
    • "ErrorControl" = 0
    • "ImagePath" = "%malwarepath% srv"
    • "DisplayName" = "wxpdrivers"
    • "ObjectName" = "LocalSystem"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wxpdrivers\Enum]
    • "0" = "Root\LEGACY_WXPDRIVERS\0000"
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wxpdrivers]
    • "(Default)" = "Service"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wxpdrivers]
    • "(Default)" = "Service"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\services32.exe]
    • "close" = "%value%"
    • "ver" = "%value%"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    • "FirewallDisableNotify" = 1
    • "UpdatesDisableNotify" = 1
    • "AntivirusDisableNotify" = 1
    • "FirewallOverride" = 1
    • "DisableThumbnailCache" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
    • "AlternateShell" = "services32.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "AutoAdminLogon" = "1"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "tray_ico%number%" = "%windir%\update.tray-%number1%-%number2%\svchost.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
    • "ModRiskFileTypes" = "*.exe"

The trojan may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    • "EnableFirewall" = "%value%"

The trojan can modify the following file:

  • %systemdrive%\boot.ini

The trojan may execute the following command:

  • bcdedit32.exe /set safeboot minimal (alternateshell)

Together with the SafeBoot entries above, these boot-configuration changes are intended to make the system boot into Safe Mode with services32.exe running as the shell in place of cmd.exe.
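The registry entries above are what a responder would pull from a suspect host. The following Python is an added example, not ESET's code and not part of the original entry: it parses a .reg export (as written by reg export or regedit) and reports the Win32/Delf.QCZ indicators it finds. The two sample exports embedded in it are constructed for the demonstration, and the C:\WINDOWS\services32.exe srv ImagePath in the infected sample is an assumed concrete value standing in for the page's %malwarepath% srv.

```python
"""Scan a .reg export (reg export / regedit) for the Win32/Delf.QCZ registry
indicators listed above.  Added example, not ESET code: key and value names
are the page's; the two sample exports at the bottom are constructed."""
import re

HKLM = "hkey_local_machine\\"
SAFEBOOT = HKLM + "system\\currentcontrolset\\control\\safeboot"

def _value(token: str):
    """Decode one .reg value: REG_SZ, REG_DWORD, or hex(N) data (UTF-16LE for N=1,2)."""
    token = token.strip()
    if token[:1] == '"' and token[-1:] == '"':
        return re.sub(r"\\(.)", r"\1", token[1:-1])        # unescape \\ and \"
    if token.lower().startswith("dword:"):
        return int(token[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", token, re.I)
    if not m:
        return token
    data = bytes.fromhex(m.group(2).replace(",", ""))
    if int(m.group(1) or 3) in (1, 2):                     # bare "hex:" is REG_BINARY (3)
        return data.decode("utf-16-le").rstrip("\x00")
    return data

def parse_reg_export(text: str) -> dict:
    """{key_path_lower: {value_name_lower: value}}, '' = default value; ControlSetNNN -> CurrentControlSet."""
    keys, current = {}, None
    text = re.sub(r"\\\r?\n\s*", "", text.lstrip("\ufeff"))  # join hex continuation lines
    for line in (raw.strip() for raw in text.splitlines()):
        if line[:1] == "[" and line[-1:] == "]":
            current = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\",
                             line[1:-1], flags=re.I).lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if current is not None and m:
            name = "" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(2))
            keys[current][name.lower()] = _value(m.group(3))
    return keys

def scan_reg_export(text: str) -> list:
    """One finding string per Delf.QCZ indicator present in the export."""
    reg = parse_reg_export(text)
    out = []
    def val(key, name):
        return reg.get(key, {}).get(name.lower())
    svc = HKLM + "system\\currentcontrolset\\services\\wxpdrivers"
    if svc in reg:
        out.append(f"service wxpdrivers registered, ImagePath={val(svc, 'ImagePath')!r}")
    for profile in ("Minimal", "Network"):
        if val(f"{SAFEBOOT}\\{profile.lower()}\\wxpdrivers", "") == "Service":
            out.append(f"wxpdrivers allowed to start in Safe Mode ({profile})")
    shell = val(SAFEBOOT, "AlternateShell")
    if isinstance(shell, str) and shell.lower() != "cmd.exe":  # cmd.exe is the stock value
        out.append(f"SafeBoot AlternateShell replaced by {shell!r}")
    for name, target in reg.get(HKLM + "software\\microsoft\\windows\\currentversion\\run", {}).items():
        t = str(target).lower()
        if name == "wxpdrv" or name.startswith("tray_ico") or t.endswith("\\services32.exe") or "\\update.tray-" in t:
            out.append(f"Run autostart {name!r} -> {target!r}")
    if HKLM + "software\\services32.exe" in reg:
        out.append("configuration key HKLM\\SOFTWARE\\services32.exe present")
    for name in ("FirewallDisableNotify", "UpdatesDisableNotify", "AntivirusDisableNotify", "FirewallOverride"):
        if val(HKLM + "software\\microsoft\\security center", name) == 1:
            out.append(f"Security Center {name}=1 (user alerts suppressed)")
    if val(HKLM + "software\\microsoft\\windows nt\\currentversion\\winlogon", "AutoAdminLogon") == "1":
        out.append("Winlogon AutoAdminLogon=1 (unattended logon)")
    if val("hkey_current_user\\software\\microsoft\\windows\\currentversion\\policies\\associations",
           "ModRiskFileTypes") == "*.exe":
        out.append("Attachment Manager ModRiskFileTypes=*.exe (.exe no longer high risk)")
    return out

# Constructed export from an infected host: ControlSet001 paths, REG_EXPAND_SZ as hex(2).
# The ImagePath decodes to "C:\WINDOWS\services32.exe srv" (assumed for "%malwarepath% srv").
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wxpdrivers]
"Type"=dword:00000010
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
  5c,00,73,00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,33,00,32,00,2e,00,65,00,\
  78,00,65,00,20,00,73,00,72,00,76,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
"AlternateShell"="services32.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\wxpdrivers]
@="Service"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wxpdrv"="C:\\WINDOWS\\services32.exe"
"tray_ico3"="C:\\WINDOWS\\update.tray-17-42\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntivirusDisableNotify"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"ModRiskFileTypes"="*.exe"
"""

# Constructed export from a clean host: stock AlternateShell and an unrelated Run entry.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"""
```

Read a real export with open(path, encoding="utf-16"), since reg export and regedit write UTF-16LE with a BOM. The parser folds ControlSet001-style paths to CurrentControlSet because exports name the control set either way depending on how the key was reached, and it treats any AlternateShell other than the stock cmd.exe as a finding rather than matching only services32.exe, so a renamed dropper still shows up.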

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan tries to download several files from the Internet.


These are stored in the following locations:

  • %temp%\%variable%.exe
  • %windir%\sysdriver32.exe
  • %windir%\sysdriver32_.exe
  • %windir%\Temp\%variable%.exe

A string with variable content is used instead of %variable%.


The trojan contains a list of four URLs. The HTTP protocol is used.


The trojan checks for Internet connectivity by trying to connect to the following servers:

  • youtube.com
  • blogspot.com
  • baidu.com
  • wikipedia.org
  • live.com
  • twitter.com
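Connectivity probes against popular sites cannot be blocked on their own, so detection has to key on the process: an unexpected binary touching several of these six hosts within seconds, followed by an executable landing in one of the download locations listed above. The following Python is an added example, not ESET's code or part of the original entry, that applies that heuristic to process-attributed telemetry. The whitespace-separated record format, the browser allowlist and the sample events are all constructed for the demonstration (the fields are the kind Sysmon Event ID 3 network-connection and Event ID 11 file-create events provide).

```python
"""Flag a process that contacts several of the connectivity-check domains
listed above within a short window and then drops an executable into one of
the download locations.  Added example, not ESET code; the record format, the
browser allowlist and the telemetry sample are constructed for the demo."""
from collections import defaultdict

PROBE_DOMAINS = ("youtube.com", "blogspot.com", "baidu.com",
                 "wikipedia.org", "live.com", "twitter.com")
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}  # assumption
DROP_NAMES = {"sysdriver32.exe", "sysdriver32_.exe"}   # %temp%\*.exe is too broad to key on


def probe_domain(host: str):
    """Return the probe domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in PROBE_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def is_drop_path(path: str) -> bool:
    """True for sysdriver32(_).exe or any .exe written under the Windows Temp directory."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    return name in DROP_NAMES or ("\\windows\\temp\\" in p and name.endswith(".exe"))


def parse_events(lines):
    """Constructed record: '<epoch_s> <pid> <image> <net|file> <host or path>'."""
    events = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            ts, pid, image, kind, target = line.split(maxsplit=4)
            events.append((int(ts), int(pid), image, kind, target))
    return events


def find_probe_bursts(events, window_s=60, min_domains=3):
    """One hit per process reaching >= min_domains distinct probe domains within
    window_s seconds; executables it dropped into the download paths are attached."""
    probes, drops = defaultdict(list), defaultdict(list)
    for ts, pid, image, kind, target in events:
        key = (pid, image)
        if kind == "net":
            d = probe_domain(target)
            if d and image.rsplit("\\", 1)[-1].lower() not in BROWSERS:
                probes[key].append((ts, d))
        elif kind == "file" and is_drop_path(target):
            drops[key].append(target)
    hits = []
    for (pid, image), seq in probes.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):          # sliding window over this process's probes
            seen = {d for t, d in seq[i:] if t - t0 <= window_s}
            if len(seen) >= min_domains:
                hits.append({"pid": pid, "image": image, "first_seen": t0,
                             "domains": sorted(seen), "drops": drops.get((pid, image), [])})
                break
    return hits


SAMPLE_TELEMETRY = r"""
# constructed telemetry: epoch pid image kind target
1306000000 1432 C:\WINDOWS\services32.exe net youtube.com
1306000003 1432 C:\WINDOWS\services32.exe net wikipedia.org
1306000007 1432 C:\WINDOWS\services32.exe net login.live.com
1306000041 1432 C:\WINDOWS\services32.exe file C:\WINDOWS\sysdriver32.exe
1306000002 900 C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe net www.youtube.com
1306000004 900 C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe net twitter.com
1306000005 900 C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe net en.wikipedia.org
1306000010 2040 C:\WINDOWS\system32\svchost.exe net login.live.com
1306000900 2040 C:\WINDOWS\system32\svchost.exe net www.youtube.com
"""


def scan_sample():
    """Run the heuristic over the constructed telemetry."""
    return find_probe_bursts(parse_events(SAMPLE_TELEMETRY.splitlines()))
```

On the sample only services32.exe is reported: the browser's identical probes are allowlisted, and the svchost.exe contacts are too few and too far apart. The domain match is exact-or-subdomain rather than a substring test, so hosts such as outlive.com do not match live.com.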

The trojan disables various security-related applications.


The trojan affects the behavior of the following applications:

  • Agava Firewall
  • Avast
  • AVG
  • Avira AntiVir
  • Comodo Internet Security
  • Dr. Web
  • ESET NOD32 Antivirus
  • ESET Smart Security
  • ESET SysInspector
  • ESET SysRescue
  • Kaspersky Anti-Virus
  • Kaspersky Internet Security
  • McAfee AntiVirus
  • Microsoft Defender
  • Microsoft Security Essentials
  • Norton AntiVirus
  • Outpost Firewall
  • Panda Antivirus

The trojan displays warnings about possible problems detected on the compromised computer that need to be fixed.


The trojan displays fake dialog boxes (screenshots not reproduced here).

The trojan may restart the operating system.
