Win32/Delf.OBR [Threat Name]

Win32/Delf.OBR [Threat Variant Name]

Category: trojan
Size: 375008 B
Detection created: Mar 02, 2009
Detection database version: 3902
Aliases:
  • Trojan.Win32.Delf.byzk (Kaspersky)
  • Backdoor.Cimuz (Symantec)
  • TROJ_DELF.CWL (TrendMicro)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan is probably a part of other malware.

Installation

The trojan does not create any copies of itself.


The trojan may replace the existing Registry records referenced by the following Registry entries with a link to the malware file:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\CatalogEntries\000000000001]
    • "LibraryPath" = "%malwarefile%.dll"

Malicious code is executed every time the infected DLL is loaded; because the entry above registers it as a Winsock namespace provider, that happens whenever a process uses Winsock name resolution.
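A defender-side check for this persistence technique, added here as an example and not part of the ESET entry: it enumerates the Winsock namespace provider catalog, expands each LibraryPath, and flags providers whose DLL is missing, lives outside %SystemRoot%\System32, or lacks a valid Authenticode signature. The catalog sub-key is matched by pattern because its spelling differs between this entry (CatalogEntries) and live systems (Catalog_Entries, plus Catalog_Entries64 on 64-bit Windows); the output column names are this example's own choices.

```powershell
# Added example: audit Winsock namespace providers for suspicious LibraryPath values.
# Reading HKLM does not require elevation; run on the host under investigation.
$base     = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5'
$system32 = Join-Path $env:SystemRoot 'System32'

Get-ChildItem -Path $base |
    Where-Object { $_.PSChildName -like 'Catalog*Entries*' } |   # CatalogEntries / Catalog_Entries / Catalog_Entries64
    ForEach-Object { Get-ChildItem -Path $_.PSPath } |            # one sub-key per provider (000000000001, ...)
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $raw   = [string]$props.LibraryPath
        # Expand %SystemRoot% and similar so the DLL can be located on disk
        $path  = [Environment]::ExpandEnvironmentVariables($raw)

        $inSystem32 = $false
        $sigStatus  = 'FileMissing'
        if (-not [string]::IsNullOrWhiteSpace($path) -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $full       = (Resolve-Path -LiteralPath $path).Path
            $inSystem32 = $full.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
            $sigStatus  = (Get-AuthenticodeSignature -FilePath $full).Status.ToString()
        }

        [pscustomobject]@{
            Entry       = $_.PSChildName
            Display     = [string]$props.DisplayString
            LibraryPath = $raw
            InSystem32  = $inSystem32
            Signature   = $sigStatus
            # Legitimate providers ship signed in System32; anything else deserves a look
            Suspicious  = (-not $inSystem32) -or ($sigStatus -ne 'Valid')
        }
    } |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize
```

Cross-check the list against `netsh winsock show catalog`, which prints the same providers from the live catalog; a provider that appears in one view but not the other, or whose DLL name matches the files listed in this entry, should be treated as a hit.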


The trojan loads and injects the %malwarefile%.dll library into the following processes:

  • svchost.exe

Other information

The trojan may create the following files:

  • %system%\b758.tbl
  • %system%\sdup123.log

The trojan receives data and instructions for further action from the Internet or another remote computer within its own network (botnet).


The following information is collected:

  • user name
  • computer name
  • operating system version
  • type of Internet connection
  • memory status
  • the path to specific folders

It can execute the following operations:

  • log keystrokes
  • download files from a remote computer and/or the Internet
  • run executable files
  • send files to a remote computer
  • show/hide application windows
  • various filesystem operations
  • send the list of disk devices and their type to a remote computer
  • send the list of running processes to a remote computer
  • shut down/restart the computer
  • terminate running processes
  • start/stop services
  • create Registry entries
  • delete Registry entries
  • capture screenshots
  • retrieve CPU information
  • collect information about the operating system used
  • send gathered information
  • remove itself from the infected computer
