
TrojanDownloader:Win32/Delf.LX


First posted on 20 November 2010.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/Delf.LX is also known as PSW.Banker5.BMUU (AVG), TR/Dldr.Delphi.Gen (Avira), Trojan.DownLoader.33420 (Dr.Web), Trojan-Downloader.Win32.Banload (Ikarus), Trojan-Downloader.Win32.Agent.esie (Kaspersky).

Explanation :

TrojanDownloader:Win32/Delf.LX is a trojan that attempts to download other malware from a remote server. In the wild, this trojan was observed to be distributed within a self-extracting archive named "MulheresNoTransito.pps.exe".

Installation :

This trojan may arrive embedded within a self-extracting archive or software package containing the following files:

  • mlhrvlnt.exe – TrojanDownloader:Win32/Delf.LX
  • mlhrvlnt.bat – batch script, detected as TrojanDownloader:BAT/Delf.LX
  • mlhrvnt.pps – clean PowerPoint slide show file

One example of the trojan was observed distributed as "MulheresNoTransito.pps.exe". The double extension makes the executable look like a PowerPoint slide show on systems that hide known file extensions, which is the Windows default. When run, the self-extracting archive drops the files listed above and executes the batch script trojan "mlhrvlnt.bat".

Payload :

Disables certain security components

The batch script trojan checks for the presence of the security application AVG and, if found, disables it by renaming the application's main components:

  • "avgupd.exe" is renamed to "avgklle.jar"
  • "avgupd.dll" is renamed to "avgklld.jar"

The batch script then runs the TrojanDownloader:Win32/Delf.LX component ("mlhrvlnt.exe") and opens the PowerPoint slide show "mlhrvnt.pps", so the victim sees the slide show the file name promised while the downloader runs.

Downloads arbitrary files

TrojanDownloader:Win32/Delf.LX attempts to download the following files from the website "samdreanhost.com". Each file is requested under a ".jpg" name but is saved as an executable in the system folder and run:

  • ../grdworking.jpg – saved as "<system folder>\iexplupd.exe" and executed
  • ../plgworking.jpg – saved as "<system folder>\synnglp.exe" and executed
  • ../msnworking.jpg – saved as "<system folder>\msgrupd.exe" and executed

At the time of this writing, the files were unavailable for analysis.
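As an added example (not code from the original analysis), the following Python script turns the indicators listed above into a check over a directory listing and over proxy log lines: the dropped files, the renamed AVG components, the second-stage executables, and the ".jpg" payload names on samdreanhost.com. The log format, the sample file list and log lines, and the "/img/" directory in those lines are constructed for the example; the analysis elides the URL directory, so URLs are matched on host and file name only. The script also flags any "*.pps.exe" as a double-extension lure, which generalises beyond the single archive name the analysis gives.

```python
"""Indicator matching for the TrojanDownloader:Win32/Delf.LX infection chain.

Added example, not code from the original analysis. Indicators are the
names the analysis lists; the URL directory is elided there ("../"), so
URLs are matched on host and file name only. All sample data is constructed.
"""
import posixpath
import re
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Files dropped by the self-extracting archive (per the analysis).
DROPPED_FILES = {"mlhrvlnt.exe", "mlhrvlnt.bat", "mlhrvnt.pps"}
# AVG components renamed by the batch script: original name -> new name.
AVG_RENAMES = {"avgupd.exe": "avgklle.jar", "avgupd.dll": "avgklld.jar"}
# Download host, and remote ".jpg" name -> executable written to the system folder.
DOWNLOAD_HOST = "samdreanhost.com"
DOWNLOADS = {
    "grdworking.jpg": "iexplupd.exe",
    "plgworking.jpg": "synnglp.exe",
    "msnworking.jpg": "msgrupd.exe",
}
# Archive name seen in the wild; the inner ".pps" hides that it is an .exe.
ARCHIVE_NAME = "mulheresnotransito.pps.exe"


def check_file_names(names: Iterable[str]) -> Dict[str, List[str]]:
    """Classify file names (case-insensitively) against the listed indicators.

    Any "*.pps.exe" is flagged as a double-extension lure; that generalisation
    is this example's, not the analysis's.
    """
    hits: Dict[str, List[str]] = {
        "dropped": [], "avg_renamed": [], "second_stage": [], "lure": []
    }
    renamed = set(AVG_RENAMES.values())
    second_stage = set(DOWNLOADS.values())
    for name in names:
        low = name.lower()
        if low in DROPPED_FILES:
            hits["dropped"].append(name)
        elif low in renamed:
            hits["avg_renamed"].append(name)
        elif low in second_stage:
            hits["second_stage"].append(name)
        elif low == ARCHIVE_NAME or low.endswith(".pps.exe"):
            hits["lure"].append(name)
    return hits


# Constructed log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag requests for the listed payload names.

    Requests are reported regardless of status code: the analysis notes the
    files were already unavailable, and a failed fetch still marks an infected
    client. A listed name on a host other than samdreanhost.com is reported at
    low confidence, since only the names are known to be stable.
    """
    alerts: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the constructed format; skip
        url = urlparse(m.group("url"))
        host = (url.hostname or "").lower()
        name = posixpath.basename(url.path).lower()
        if name not in DOWNLOADS:
            continue
        alerts.append({
            "client": m.group("client"),
            "url": m.group("url"),
            "saved_as": DOWNLOADS[name],
            "confidence": "high" if host == DOWNLOAD_HOST else "low",
        })
    return alerts


# Constructed sample data. The "/img/" directory is invented for the example;
# the analysis does not give the real one.
SAMPLE_FILES = [
    "MulheresNoTransito.pps.exe", "mlhrvlnt.exe", "mlhrvlnt.bat",
    "mlhrvnt.pps", "avgklle.jar", "avgklld.jar", "iexplupd.exe",
    "notepad.exe", "holiday.pps",
]
SAMPLE_LOG = [
    "2010-11-20T10:00:01 10.0.0.5 GET http://samdreanhost.com/img/grdworking.jpg 200",
    "2010-11-20T10:00:02 10.0.0.5 GET http://samdreanhost.com/img/plgworking.jpg 200",
    "2010-11-20T10:00:03 10.0.0.5 GET http://samdreanhost.com/img/msnworking.jpg 404",
    "2010-11-20T10:00:04 10.0.0.7 GET http://example.com/photos/plgworking.jpg 200",
    "2010-11-20T10:00:05 10.0.0.9 GET http://example.com/index.html 200",
]

if __name__ == "__main__":
    for kind, names in check_file_names(SAMPLE_FILES).items():
        print(f"{kind}: {names}")
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert)
```

The file-name check is meant to be run over a listing of the Windows system folder and of the AVG installation directory, where the renamed ".jar" components would sit; the presence of "avgklle.jar" or "avgklld.jar" indicates that AVG was disabled and needs repair as well as the downloader being removed.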

    Analysis by Vincent Tiu

    Last update 20 November 2010

     
