Win32/TrojanDropper.Delf.NVI [Threat Name] go to Threat

Win32/TrojanDropper.Delf.NVI [Threat Variant Name]

Category trojan
Size 220548 B
Aliases Trojan.BAT.Zapchast.at (Kaspersky)
  Trojan:Win32/Meredrop (Microsoft)
  Trojan.Siggen2.13733 (Dr.Web)
Short description

Win32/TrojanDropper.Delf.NVI is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan creates the following files:

  • %windir%\­msijeh.exe (110941 B)
  • %windir%\­msijeh.utl
  • %system%\­Machost\­Obama signs DADT repeal before big, emotional crowd.doc (15307 B)
  • %system%\­Machost\­config.ini
  • %system%\­Machost\­start.bat
  • %system%\­Machost\­key.binary
  • %system%\­Machost\­log.txt
  • %system%\­Machost\­sound.exe (110941 B)
  • %system%\­Machost\­Utility.exe (34896 B)
  • %system%\­Machost\­test.vbs

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Active Setup\­Installed Components\­{51E24AC2-BA5C-A1E2-12D1-D322A14AA1BD}]
    • "stubpath" = "%windir%\­msijeh.exe"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­Root\­LEGACY_NETWORK\­0000\­Control]
    • "*NewlyCreated*" = 0
    • "ActiveService" = "network"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­Root\­LEGACY_NETWORK\­0000]
    • "Service" = "network"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "Network Services"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­Root\­LEGACY_NETWORK]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­network\­Enum]
    • "0" = "Root\­LEGACY_NETWORK\­0000"
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­network\­Security]
    • "Security" = %hexvalue%
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­network]
    • "Type" = 272
    • "Start" = 2
    • "ErrorControl" = 1
    • "ImagePath" = "%system%\­Machost\­Utility.exe"
    • "DisplayName" = "Network Services"
    • "ObjectName" = "LocalSystem"
    • "Description" = "Microsoft network manager,for security and privileges"
  • [HKEY_USERS\­.DEFAULT\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings]
    • "ProxyEnable" = 0
  • [HKEY_CURRENT_USER\­Software\­Adobe\­MI]
    • "mc" = "%windir%\­msijeh.exe"
    • "MIS" = "%windir%\­msijeh.utl"
  • [HKEY_CURRENT_USER\­Software\­WinRAR SFX]
    • "C%%WINDOWS%system32%Machost" = "%System%\­Machost"
Other information

The trojan contains a list of URLs.


It tries to download a file from the addresses.


The file is stored in the following location:

  • %windir%\­repair\­volume.exe

The file is then executed. The HTTP protocol is used.


The trojan searches local drives for files with the following file extensions:

  • *.doc
  • *.docx
  • *.xls
  • *.ppt
  • *.pps
  • *.pptx
  • *.xlsx
  • *.pdf
  • *.rtf

The trojan attempts to send the found files to a remote machine.

Please enable Javascript to ensure correct displaying of this content and refresh this page.