TrojanDownloader:BAT/Delf.LX
First posted on 20 November 2010.
Source: SecurityHome
Aliases :
TrojanDownloader:BAT/Delf.LX is also known as TR/Free.A (Avira), Trojan.Downloader.33420 (Dr.Web), Trojan-Downloader.Win32.Agent.esie (Kaspersky), Generic.dx!uky (McAfee), Mal/Generic-L (Sophos).
Explanation :
TrojanDownloader:BAT/Delf.LX is a batch script and trojan component that attempts to disable certain security components and execute other malware.
Installation
This trojan may arrive embedded within a self-extracting archive or software package as the following:
mlhrvlnt.exe - TrojanDownloader:Win32/Delf.LX
mlhrvlnt.bat - batch script, detected as TrojanDownloader:BAT/Delf.LX
mlhrvnt.pps - clean PowerPoint slide show file
One example of the trojan was observed distributed as "MulheresNoTransito.pps.exe". When run, the self-extracting archive drops the above-mentioned files and executes the batch script trojan "mlhrvlnt.bat".

Payload
Disables certain security components
The batch script trojan checks for the presence of the security application AVG, and disables it if found by renaming the application's main components:
"avgupd.exe" is renamed to "avgklle.jar"
"avgupd.dll" is renamed to "avgklld.jar"
TrojanDownloader:BAT/Delf.LX runs the trojan component "mlhrvlnt.exe" and then opens the PowerPoint slide show "mlhrvnt.pps".

Additional information
For more information about TrojanDownloader:Win32/Delf.LX, see the description elsewhere in the encyclopedia.
Analysis by Vincent Tiu
Last update 20 November 2010
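
A triage sweep for the dropped file names and the AVG renames described above, as an added example that is not part of the original analysis. The extension sets and tag names are assumptions; the header check relies on a renamed PE file keeping its "MZ" signature, whereas a genuine JAR is a ZIP archive starting with "PK".

```python
import os
import sys

# File names and renames are taken from the description above.
DROPPED = {"mlhrvlnt.exe", "mlhrvlnt.bat", "mlhrvnt.pps"}
RENAMED_AVG = {"avgklle.jar": "avgupd.exe", "avgklld.jar": "avgupd.dll"}
# Assumption: extension sets for the generic "document.exe" lure check.
DECOY_EXTS = {".pps", ".ppt", ".doc", ".xls", ".pdf", ".jpg"}
EXEC_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif"}

def classify(path):
    """Return the list of indicator tags that apply to one file."""
    folder, name = os.path.split(path)
    name = name.lower()
    tags = []
    if name in DROPPED:
        tags.append("dropped-file-name")
    stem, ext = os.path.splitext(name)
    if ext in EXEC_EXTS and os.path.splitext(stem)[1] in DECOY_EXTS:
        tags.append("double-extension")  # e.g. MulheresNoTransito.pps.exe
    if name in RENAMED_AVG:
        tags.append("avg-rename-target-name")
        with open(path, "rb") as fh:
            # A real JAR is a ZIP archive ("PK"); a renamed PE file keeps "MZ".
            if fh.read(2) == b"MZ":
                tags.append("pe-header-in-jar")
        # The updater should still sit beside the .jar if nothing was renamed.
        if not os.path.exists(os.path.join(folder, RENAMED_AVG[name])):
            tags.append("original-avg-file-missing")
    return tags

def scan(root):
    """Walk root and return {path: tags} for every file with at least one tag."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                tags = classify(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if tags:
                hits[path] = tags
    return hits

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, tags in sorted(scan(root).items()):
        print(path, ",".join(tags))
```

A file that carries all three AVG-related tags is the strongest signal; a name match alone only warrants a closer look.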