Win32/Delf.NJF [Threat Name]

Win32/Delf.NJF [Threat Variant Name]

Category trojan, worm
Size 468992 B
Detection created Jan 28, 2008
Detection database version 2828
Aliases Backdoor.Win32.Ceckno.d (Kaspersky)
  Backdoor.Trojan (Symantec)
  Generic.BackDoor (McAfee)
Short description

Win32/Delf.NJF installs a backdoor that can be controlled remotely. The file is run-time compressed using CAB SFX.

Installation

When executed, the trojan drops the following file into the %commonfavorites% folder:

  • netservice.exe (468992 B)

The following file is dropped into the %temp%\ixp000.tmp\ folder:

  • 22.exe (468992 B)

The files are then executed.


The trojan registers itself as a system service using the following name:

  • netservice

The trojan creates and runs a new thread with its own program code within the following processes:

  • svchost.exe

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
    • "netinfo" = "%record1%"
    • "cover" = "up"
    • "pid" = 452
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETSERVICE\0000\Control]
    • "*NewlyCreated*" = 0
    • "ActiveService" = "netservice"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETSERVICE\0000]
    • "Service" = "netservice"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "%record2%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETSERVICE]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netservice\Enum]
    • "0" = "Root\LEGACY_NETSERVICE\0000"
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netservice]
    • "Type" = 272
    • "Start" = 2
    • "ErrorControl" = 0
    • "ImagePath" = "%commonfavorites%\netservice.exe"
    • "DisplayName" = "%record2%"
    • "ObjectName" = "LocalSystem"
    • "Description" = "%record3%"

The variables %record1%, %record2% and %record3% represent strings written in Chinese.
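The service and Setup-key artifacts listed above can be checked offline against a registry export. The following Python script is an added example, not ESET's code: it parses .reg text (as produced by `reg export`) and reports which of the described indicators match; the sample export is constructed, the placeholder strings stand in for the Chinese-language %record% values, and the Start/Type constants are the standard Windows service-control values (Start 2 = auto-start, Type 272 = 0x110 includes the interactive-process bit).

```python
import re

SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netservice"
SETUP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup"
SERVICE_AUTO_START = 2               # Start = 2: launched at boot, no user action
SERVICE_INTERACTIVE_PROCESS = 0x100  # bit set in Type = 272 (0x110)

# Constructed .reg export of an infected host; placeholders stand in for %record% strings.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netservice]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="C:\\Documents and Settings\\All Users\\Favorites\\netservice.exe"
"DisplayName"="RECORD2_PLACEHOLDER"
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"netinfo"="RECORD1_PLACEHOLDER"
"cover"="up"
"pid"=dword:000001c4
"""

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}; dword values become int."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = keys.setdefault(key.group(1), {})
            continue
        val = re.match(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)
        if val and current is not None:
            name, s, d = val.groups()
            current[name] = int(d, 16) if d is not None else s.replace("\\\\", "\\")
    return keys

def delf_njf_indicators(text):
    """Return the persistence indicators from the description that match the export."""
    keys, hits = parse_reg(text), []
    svc = keys.get(SERVICE_KEY, {})
    if str(svc.get("ImagePath", "")).lower().endswith(r"favorites\netservice.exe"):
        hits.append("ImagePath is netservice.exe under the Favorites folder")
    if svc.get("Start") == SERVICE_AUTO_START and svc.get("ObjectName") == "LocalSystem":
        hits.append("auto-start service running as LocalSystem")
    if isinstance(svc.get("Type"), int) and svc["Type"] & SERVICE_INTERACTIVE_PROCESS:
        hits.append("service Type 272 includes SERVICE_INTERACTIVE_PROCESS")
    setup = keys.get(SETUP_KEY, {})
    if setup.get("cover") == "up" and {"netinfo", "pid"} <= set(setup):
        hits.append("Setup key holds the netinfo/cover/pid marker values")
    return hits
```

On a live host, export the two keys with `reg export` and pass the file contents to `delf_njf_indicators`; an empty list means none of the described registry artifacts were found.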

Other information

The trojan serves as a backdoor.


The trojan acquires data and commands from a remote computer or the Internet.


It communicates with the following server using TCP protocol:

  • oyp.3322.org

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • send the list of disk devices and their type to a remote computer
  • terminate running processes
  • run executable files
  • move files
  • create Registry entries
  • delete Registry entries
  • create folders
  • delete folders
  • collect information about the operating system used

The trojan interferes with the operation of some security applications to avoid detection.
