Win32/TrojanDownloader.Delf.QPN [Threat Name]

Win32/TrojanDownloader.Delf.QPN [Threat Variant Name]

Category trojan
Size 340992 B
Detection created Jun 29, 2011
Detection database version 6249
Aliases Trojan.Win32.Swisyn.bqiy (Kaspersky)
  Downloader.a!cc.trojan (McAfee)
Short description

Win32/TrojanDownloader.Delf.QPN is a trojan that uses the hardware resources of the infected computer for mining the Bitcoin digital currency.

Installation

When executed, the trojan copies itself into the following location:

  • %windir%\update.5.0\svchost.exe

The trojan registers itself as a system service using the following name:

  • srvbtcclient

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\btcclient]
    • "close" = "%variable1%"
    • "ver" = "1.59"
    • "mainer_cmd" = "%variable2%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\systeminfog]
    • "ip_list" = %variable3%
    • "ip_list_time" = %variable4%

The %variable1% is one of the following strings:

  • 0
  • 1

A string with variable content is used instead of %variable2-4%.
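The dropped file, the service name and the registry keys listed above are the host-side indicators of this installation. The following Python is an added example, not part of this description and not ESET tooling: it takes a triage collection consisting of a `reg export` text dump, a service list and a file listing (all three constructed here for illustration, including the `mainer_cmd` string and the `ip_list` entries) and reports which indicators are present. Beyond the family-specific indicators it flags any `svchost.exe` outside `%windir%\System32` or `SysWOW64`, which catches the same masquerading trick under a different folder name.

```python
import re
from typing import Dict, List

# Indicators copied from the description above (service name, drop path,
# registry keys). Everything else in this file is an illustrative assumption.
SERVICE_NAME = "srvbtcclient"
DROP_PATH = r"%windir%\update.5.0\svchost.exe"
REG_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\btcclient": {"close", "ver", "mainer_cmd"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\systeminfog": {"ip_list", "ip_list_time"},
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of 'reg export' output needed here: [key] headers and
    "name"=value lines. Values are kept raw ("0", dword:..., hex:...)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def expand(path: str, env: Dict[str, str]) -> str:
    """Expand %var% placeholders and lower-case for case-insensitive comparison."""
    for var, val in env.items():
        path = path.replace(f"%{var}%", val)
    return path.lower()


def check_host(reg_text: str, services: List[str], files: List[str],
               env: Dict[str, str]) -> List[str]:
    """Return human-readable findings for the indicators described above."""
    findings: List[str] = []
    reg = parse_reg_export(reg_text)
    for key, names in REG_KEYS.items():
        values = reg.get(key)
        if values is not None:
            hits = sorted(set(values) & names)
            findings.append(f"registry key present: {key} (values: {', '.join(hits)})")
    if SERVICE_NAME.lower() in {s.lower() for s in services}:
        findings.append(f"service present: {SERVICE_NAME}")
    present = {expand(f, env) for f in files}
    if expand(DROP_PATH, env) in present:
        findings.append(f"dropped binary present: {DROP_PATH}")
    # Generic check, independent of this family: a real svchost.exe lives in
    # %windir%\System32 (or SysWOW64); a copy anywhere else is suspicious.
    legit = {expand(r"%windir%\system32\svchost.exe", env),
             expand(r"%windir%\syswow64\svchost.exe", env)}
    for f in sorted(present):
        if f.endswith(r"\svchost.exe") and f not in legit:
            findings.append(f"svchost.exe outside System32: {f}")
    return findings


# Constructed triage snapshot (not real data from this sample): a reg export,
# a service list and a file listing as a collection script might deliver them.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\btcclient]
"close"="0"
"ver"="1.59"
"mainer_cmd"="-u worker -p x"

[HKEY_LOCAL_MACHINE\SOFTWARE\systeminfog]
"ip_list"="198.51.100.7:8332;198.51.100.8:8332"
"ip_list_time"=dword:4e0b1c2a
'''
SAMPLE_SERVICES = ["Dhcp", "srvbtcclient", "wuauserv"]
SAMPLE_FILES = [r"C:\Windows\System32\svchost.exe",
                r"C:\Windows\update.5.0\svchost.exe",
                r"C:\Windows\unrar.exe"]
SAMPLE_ENV = {"windir": r"C:\Windows", "temp": r"C:\Users\alice\AppData\Local\Temp"}

if __name__ == "__main__":
    for finding in check_host(SAMPLE_REG, SAMPLE_SERVICES, SAMPLE_FILES, SAMPLE_ENV):
        print(finding)
```

Run against the constructed snapshot it reports both registry keys, the service, the dropped binary and the out-of-place svchost.exe; a clean host with only the System32 copy produces no findings. The `.reg` parser deliberately keeps values raw, so a `dword:` or `hex:` value is not misread as a string.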

Payload information

The trojan uses the hardware resources of the infected computer for mining the Bitcoin digital currency.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

It uses its own P2P network for communication.

The trojan contains a list of (1244) IP addresses.

The trojan contains a list of (2) URLs.

The JSON-RPC protocol is used in the communication.

The trojan opens a random TCP port.

The trojan tries to download and execute several files from the Internet.

These are stored in the following locations:

  • %temp%\%variable5%_myunrar2.exe
  • %windir%\unrar.exe
  • %windir%\phoenix.rar (5589370 B)
  • %windir%\phoenix\kernels\phatk\BFIPatcher.py (5224 B)
  • %windir%\phoenix\kernels\phatk\kernel.cl (10366 B)
  • %windir%\phoenix\kernels\phatk\__init__.py (16922 B)
  • %windir%\phoenix\kernels\poclbm\BFIPatcher.py (5224 B)
  • %windir%\phoenix\kernels\poclbm\kernel.cl (30821 B)
  • %windir%\phoenix\kernels\poclbm\__init__.py (17266 B)
  • %windir%\phoenix\phoenix.exe (6962815 B)
  • %windir%\ufa.rar (182617 B)
  • %windir%\ufa\ufa.exe (743936 B)
  • %windir%\rpcminer.rar (1075284 B)
  • %windir%\rpcminer\bitcoinminercuda_10.cubin (49392 B)
  • %windir%\rpcminer\bitcoinminercuda_11.cubin (49392 B)
  • %windir%\rpcminer\bitcoinminercuda_20.cubin (43272 B)
  • %windir%\rpcminer\bitcoinmineropencl.cl (9971 B)
  • %windir%\rpcminer\cudart32_32_16.dll (384616 B)
  • %windir%\rpcminer\curllib.dll (194048 B)
  • %windir%\rpcminer\libeay32.dll (1016832 B)
  • %windir%\rpcminer\libsasl.dll (65536 B)
  • %windir%\rpcminer\openldap.dll (110592 B)
  • %windir%\rpcminer\rpcminer-4way.exe (294912 B)
  • %windir%\rpcminer\rpcminer-cpu.exe (241664 B)
  • %windir%\rpcminer\rpcminer-cuda.exe (249856 B)
  • %windir%\rpcminer\rpcminer-opencl.exe (241664 B)
  • %windir%\rpcminer\ssleay32.dll (200192 B)

A string with variable content is used instead of %variable5%.
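The JSON-RPC communication mentioned above and the miners in the download list (phoenix with its phatk/poclbm kernels, rpcminer in CPU, CUDA and OpenCL builds) fit the getwork pool protocol of that period: the miner POSTs a `getwork` call, receives a block header and a share target, hashes the header with double SHA-256 across nonces, and submits any nonce that meets the target as a second `getwork` call carrying the solved data. The following Python is an added example, not code from this sample or from those miners; the header, the target and the pool credentials are constructed, the message shapes follow the getwork convention (128-byte `data` with each 32-bit word byte-swapped, `target` serialised little-endian), and the classifier at the end shows how such HTTP bodies can be recognised on the wire.

```python
import base64
import hashlib
import json
import struct
from typing import Dict, Optional, Tuple


def build_getwork_request(request_id: int, user: str, password: str) -> Tuple[Dict[str, str], str]:
    """Headers and JSON-RPC body the miner POSTs to the pool (HTTP Basic auth)."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Content-Type": "application/json", "Authorization": f"Basic {cred}"}
    return headers, json.dumps({"method": "getwork", "params": [], "id": request_id})


def swap_words(b: bytes) -> bytes:
    """Reverse byte order within each 32-bit word (getwork's header encoding; self-inverse)."""
    return b"".join(b[i:i + 4][::-1] for i in range(0, len(b), 4))


def make_getwork_response(request_id: int, header80: bytes, target_int: int) -> str:
    """Constructed pool reply: 'data' = word-swapped header + SHA-256 padding to
    128 bytes, 'target' = 256-bit share target serialised little-endian."""
    padding = b"\x80" + b"\x00" * 39 + (80 * 8).to_bytes(8, "big")
    result = {"data": swap_words(header80 + padding).hex(),
              "target": target_int.to_bytes(32, "little").hex()}
    return json.dumps({"result": result, "error": None, "id": request_id})


def header_hash(data_hex: str, nonce: int) -> int:
    """The work itself: SHA-256d of the 80-byte header with the nonce in bytes
    76..79, compared as a little-endian 256-bit integer."""
    header = bytearray(swap_words(bytes.fromhex(data_hex)[:80]))
    header[76:80] = struct.pack("<I", nonce)
    digest = hashlib.sha256(hashlib.sha256(header).digest()).digest()
    return int.from_bytes(digest, "little")


def verify_share(response_json: str, nonce: int) -> bool:
    """True when this nonce meets the target the pool handed out."""
    result = json.loads(response_json)["result"]
    target = int.from_bytes(bytes.fromhex(result["target"]), "little")
    return header_hash(result["data"], nonce) <= target


def find_share(response_json: str, max_nonce: int = 1 << 20) -> Optional[int]:
    """Scan nonces in order; return the first that meets the target, else None."""
    result = json.loads(response_json)["result"]
    target = int.from_bytes(bytes.fromhex(result["target"]), "little")
    for nonce in range(max_nonce):
        if header_hash(result["data"], nonce) <= target:
            return nonce
    return None


def build_submit_request(request_id: int, response_json: str, nonce: int) -> str:
    """Share submission: the 'data' block with the solved nonce as getwork's one parameter."""
    data = bytearray(bytes.fromhex(json.loads(response_json)["result"]["data"]))
    data[76:80] = swap_words(struct.pack("<I", nonce))
    return json.dumps({"method": "getwork", "params": [data.hex()], "id": request_id})


def classify_jsonrpc(body: str) -> Optional[str]:
    """Wire-side check: label an HTTP body as a getwork request, submission or reply."""
    try:
        msg = json.loads(body)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    if msg.get("method") == "getwork":
        return "getwork-submit" if msg.get("params") else "getwork-request"
    result = msg.get("result")
    if isinstance(result, dict) and {"data", "target"} <= set(result):
        return "getwork-response"
    return None


# Constructed work unit (not from this sample): version 1, null previous hash,
# an arbitrary merkle root, a mid-2011 timestamp, difficulty-1 'bits', zero nonce.
SAMPLE_HEADER = (struct.pack("<I", 1) + b"\x00" * 32 + bytes(range(32))
                 + struct.pack("<III", 0x4E0B1C2A, 0x1D00FFFF, 0))
SAMPLE_TARGET = (1 << 244) - 1   # deliberately easy: about one share per 4096 hashes

if __name__ == "__main__":
    _, body = build_getwork_request(1, "worker", "x")
    print("miner ->", body)
    response = make_getwork_response(1, SAMPLE_HEADER, SAMPLE_TARGET)
    print("pool  <-", response[:72] + "...")
    nonce = find_share(response)
    print("share nonce", nonce, "hash", hex(header_hash(json.loads(response)["result"]["data"], nonce)))
    print("miner ->", build_submit_request(2, response, nonce)[:72] + "...")
```

The easy constructed target keeps the nonce scan to a few thousand hashes; a real pool target is many orders of magnitude lower, which is why the dropped miners offload the same SHA-256d loop to the GPU. For detection, the request body is short and fixed, and the reply is identifiable by a `result` object carrying `data` and `target`, so the classifier needs no knowledge of the pool address, which this family keeps in its own IP list.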
