Win32/TrojanDropper.Delf.NVI [Threat Name]
Win32/TrojanDropper.Delf.NVI [Threat Variant Name]
Category | trojan
Size | 220548 B
Aliases | Trojan.BAT.Zapchast.at (Kaspersky), Trojan:Win32/Meredrop (Microsoft), Trojan.Siggen2.13733 (Dr.Web)
Short description
Win32/TrojanDropper.Delf.NVI is a trojan which tries to download other malware from the Internet.
Installation
When executed, the trojan creates the following files:
- %windir%\msijeh.exe (110941 B)
- %windir%\msijeh.utl
- %system%\Machost\Obama signs DADT repeal before big, emotional crowd.doc (15307 B)
- %system%\Machost\config.ini
- %system%\Machost\start.bat
- %system%\Machost\key.binary
- %system%\Machost\log.txt
- %system%\Machost\sound.exe (110941 B)
- %system%\Machost\Utility.exe (34896 B)
- %system%\Machost\test.vbs
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{51E24AC2-BA5C-A1E2-12D1-D322A14AA1BD}]
- "stubpath" = "%windir%\msijeh.exe"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK\0000\Control]
- "*NewlyCreated*" = 0
- "ActiveService" = "network"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK\0000]
- "Service" = "network"
- "Legacy" = 1
- "ConfigFlags" = 0
- "Class" = "LegacyDriver"
- "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- "DeviceDesc" = "Network Services"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK]
- "NextInstance" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\network\Enum]
- "0" = "Root\LEGACY_NETWORK\0000"
- "Count" = 1
- "NextInstance" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\network\Security]
- "Security" = %hexvalue%
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\network]
- "Type" = 272
- "Start" = 2
- "ErrorControl" = 1
- "ImagePath" = "%system%\Machost\Utility.exe"
- "DisplayName" = "Network Services"
- "ObjectName" = "LocalSystem"
- "Description" = "Microsoft network manager,for security and privileges"
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- "ProxyEnable" = 0
- [HKEY_CURRENT_USER\Software\Adobe\MI]
- "mc" = "%windir%\msijeh.exe"
- "MIS" = "%windir%\msijeh.utl"
- [HKEY_CURRENT_USER\Software\WinRAR SFX]
- "C%%WINDOWS%system32%Machost" = "%System%\Machost"
Other information
The trojan contains a list of URLs and tries to download a file from those addresses over HTTP.
The downloaded file is stored in the following location:
- %windir%\repair\volume.exe
The file is then executed.
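A host-side check for the registry values listed under Installation and for the dropped and downloaded files, as an added example (not ESET's code or the sample's own): it assumes a `read` callback for registry values and an `exists` callback for files, so the same logic runs against a live Windows host through winreg or against a captured export.

```python
# Added example, not ESET's code: the registry values and file paths are taken
# from the description above; the read/exists callbacks are an assumption.
import os
from typing import Callable, List, Optional, Tuple

# (hive, subkey, value name, expected path tail) from the Installation section.
REGISTRY_INDICATORS = [
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Active Setup\Installed Components"
     r"\{51E24AC2-BA5C-A1E2-12D1-D322A14AA1BD}", "stubpath", r"\msijeh.exe"),
    ("HKEY_LOCAL_MACHINE", r"SYSTEM\CurrentControlSet\Services\network",
     "ImagePath", r"\Machost\Utility.exe"),
    ("HKEY_CURRENT_USER", r"Software\Adobe\MI", "mc", r"\msijeh.exe"),
]
# Dropped and downloaded files, keeping the page's %windir%/%system% placeholders.
DROPPED_FILES = [r"%windir%\msijeh.exe", r"%windir%\msijeh.utl",
                 r"%system%\Machost\Utility.exe", r"%system%\Machost\start.bat",
                 r"%windir%\repair\volume.exe"]

def winreg_reader(hive: str, subkey: str, name: str) -> Optional[str]:
    """Read one string value from the live registry (Windows only)."""
    import winreg  # only importable on Windows
    try:
        with winreg.OpenKey(getattr(winreg, hive), subkey) as key:
            return str(winreg.QueryValueEx(key, name)[0])
    except OSError:  # key or value absent
        return None

def find_registry_indicators(read: Callable[[str, str, str], Optional[str]]
                             ) -> List[Tuple[str, str, str]]:
    """Return (key, name, value) for each value ending with the expected binary path;
    matching the tail works whether %windir% was stored literally or expanded."""
    hits = []
    for hive, subkey, name, tail in REGISTRY_INDICATORS:
        value = read(hive, subkey, name)
        if value is not None and value.lower().endswith(tail.lower()):
            hits.append((hive + "\\" + subkey, name, value))
    return hits

def find_dropped_files(windir: str, system: str,
                       exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Expand the placeholders and return the listed paths that exist on this host."""
    paths = [p.replace("%windir%", windir).replace("%system%", system) for p in DROPPED_FILES]
    return [p for p in paths if exists(p)]

if __name__ == "__main__":  # live check on a Windows host
    windir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    for hit in find_registry_indicators(winreg_reader):
        print("registry:", *hit)
    for path in find_dropped_files(windir, os.path.join(windir, "system32")):
        print("file:", path)
```

Any hit should be followed by a look at the "network" service and the Active Setup component, since both re-launch the dropped binaries at boot and logon.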
The trojan searches local drives for files with the following file extensions:
- *.doc
- *.docx
- *.xls
- *.ppt
- *.pps
- *.pptx
- *.xlsx
- *.rtf
The trojan attempts to send the found files to a remote machine.