Win32/Delf.SWQ [Threat Name]

Win32/Delf.SWQ [Threat Variant Name]

Category: trojan
Size: 464896 B
Detection created: Jul 01, 2015
Detection database version: 11874
Aliases: DLOADER.Trojan (Dr.Web)
Short description

Win32/Delf.SWQ is a detection of program code which can redirect network traffic to the attacker's web sites.

Installation

When executed, the trojan copies itself into the following location:

  • C:\Program Files\TXQQ.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "TXQQ.exe" = "C:\Program Files\TXQQ.exe"

The trojan creates the following file:

  • %currentfolder%\Delme.bat

The file is then executed.

Information stealing

The following information is collected:

  • MAC address
  • operating system version

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address.

It tries to download a file from the address. The HTTP protocol is used in the communication.


The file is saved to one of the following folders:

  • D:\
  • E:\
  • F:\
  • G:\

The following filename is used:

  • ini.txt
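The persistence entry and drop locations described under Installation and Other information are concrete enough to check on a host. The following PowerShell host-triage function is an added example written for this page, not ESET's tooling or the trojan's own code: the Run value name, the copied file path and the ini.txt drive roots come from the page, while the function name, its output shape and the use of a SHA-256 hash for the report are assumptions.

```powershell
# Host-triage check for the Win32/Delf.SWQ indicators listed on this page.
# Example code added for this page (not ESET's tooling). Paths, the Run value
# name and the ini.txt drop locations are taken from the page; the function
# name and output format are assumptions.

function Test-DelfSWQIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # Persistence: HKLM Run value "TXQQ.exe" pointing at C:\Program Files\TXQQ.exe
    $runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runValue = Get-ItemProperty -Path $runKey -Name 'TXQQ.exe' -ErrorAction SilentlyContinue
    if ($null -ne $runValue) {
        $findings += [pscustomobject]@{
            Indicator = 'Run key value TXQQ.exe'
            Detail    = $runValue.'TXQQ.exe'
        }
    }

    # The copy the trojan writes of itself; hash it so the finding can be matched
    # against other reports without shipping the binary around.
    $copyPath = 'C:\Program Files\TXQQ.exe'
    if (Test-Path -LiteralPath $copyPath) {
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $copyPath).Hash
        $findings += [pscustomobject]@{
            Indicator = 'Dropped file present'
            Detail    = "$copyPath SHA256=$hash"
        }
    }

    # Downloaded file saved as ini.txt in the root of D: through G:
    foreach ($drive in 'D', 'E', 'F', 'G') {
        $iniPath = "${drive}:\ini.txt"
        if (Test-Path -LiteralPath $iniPath) {
            $findings += [pscustomobject]@{
                Indicator = 'ini.txt on drive root'
                Detail    = $iniPath
            }
        }
    }

    return $findings
}

# Usage: run from an elevated prompt so HKLM and Program Files are readable.
$result = Test-DelfSWQIndicators
if (@($result).Count -eq 0) {
    Write-Output 'No Win32/Delf.SWQ indicators found on this host.'
} else {
    $result | Format-Table -AutoSize
}
```

The %currentfolder%\Delme.bat file is deliberately not checked: the page does not say which folder the trojan runs from, and the batch file is described as self-deleting, so its absence proves nothing. A hit on the Run value alone is sufficient reason to isolate the host and collect the referenced executable.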

The trojan affects the behavior of the following applications:

  • Internet Explorer
  • Google Chrome
  • Mozilla Firefox
  • QQ Browser
  • TheWorld Browser
  • Sogou Explorer

When the user enters certain keywords into the browser, the trojan opens certain URLs related to them.

The trojan can open the following URLs:

  • http://www.yinhangrenzhengdingdan.com/
