Virus Profile: Generic Delphi

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/5/2005
Date Added: 4/15/2004
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Win32
DAT Required: 4281

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Ikarus     - Virus.Win32.Dracur
  • NOD32      - Trojan-Dropper.Win32.TDSS.qe
  • Norman     - W32/Smalldoor.PPZS
  • Symantec   - W32.Pilleuz

Indication of Infection

  • Presence of the files and registry keys listed under Virus Characteristics.
  • Unexpected connections to the IP address listed under Virus Characteristics.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.
   

Virus Characteristics

Updated on October 14th 2012

Aliases

  • Microsoft   - Trojan:Win32/Tophos.A
  • Drweb       - Trojan.SMSSend.3339
  • Kaspersky   - HEUR:Trojan.Win32.Generic

Upon execution, the Trojan drops the following files:

  • %Userprofile%\Desktop\Photo.jpg
  • %UserProfile%\Start Menu\Programs\Startup\search.cmd

The file in the Startup folder registers the Trojan with the compromised system so that it executes on every reboot.

The following registry keys have been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WLanDiagCtlGuid

The following registry values have been added under the Tracing key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\

  • LogSessionName: "stdout"
  • Active: 0x00000001
  • ControlFlags: 0x00000001

The Trojan creates the following mutex to ensure only one instance of the Trojan is running at a time.

ShimCacheMutex

The following values are set under the Tracing subkeys listed above and under the Shell Folders key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid\
    • Guid: "d905ac1c-65e7-4242-99ea-fe66a8355df8"
    • BitNames: " DOT11_ASSOCIATE DOT11_ROAMING DOT11_1X DOT11_PNP DOT11_SCAN DOT11_RECEIVE DOT11_SEND DOT11_IOCTL DOT11_OID DOT11_MISC DOT11_UPCALL DOT11_KEYMGR DOT11_PEER DOT11_SOFTAP DOT11_PAM DOT11_REPEATER DOT11_APROUTER DOT11_WME DOT11_CONFIG DOT11_MSM DOT11_MSM_ADAPT DOT11_MSM_SCAN DOT11_MSM_CONNECT DOT11_MSM_SECURITY_PKT DOT11_NOTIFY_OBJECT"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid\
    • Guid: "2e8d9ec5-a712-48c4-8ce0-631eb0c1cd65"
    • BitNames: " SECHC_LOG_FLAG_ASSERT SECHC_LOG_FLAG_INIT SECHC_LOG_FLAG_DIAG SECHC_LOG_FLAG_ONEX_DIAG SECHC_LOG_FLAG_REPAIR SECHC_LOG_FLAG_STATE SECHC_LOG_FLAG_EXT SECHC_LOG_FLAG_EVENT_LOG SECHC_LOG_FLAG_FUNCTION SECHC_LOG_FLAG_MEMORY SECHC_LOG_FLAG_LOCKS"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid\
    • Guid: "0c5a3172-2248-44fd-b9a6-8389cb1dc56a"
    • BitNames: " DOT11_AUTOCONF DOT11_AUTOCONF_CLIENT DOT11_AUTOCONF_UI DOT11_FATMSM DOT11_COMMON DOT11_WLANGPA DOT11_CLASS_COINSTALLER"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid\
    • Guid: "637a0f36-dff5-4b2f-83dd-b106c1c725e2"
    • BitNames: " WD_LOG_FLAG_INIT WD_LOG_FLAG_RPC WD_LOG_FLAG_EVENT WD_LOG_FLAG_INTERFACE WD_LOG_FLAG_CONNECTION WD_LOG_FLAG_CONTROL WD_LOG_FLAG_LOCKS WD_LOG_FLAG_MEMORY WD_LOG_FLAG_REFERENCES WD_LOG_FLAG_FUNCTION_TRACE WD_LOG_FLAG_ASSERT"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WLanDiagCtlGuid\
    • Guid: "6da4ddca-0901-4bae-9ad4-7e6030bab531"
    • BitNames: " WLANHC_AUTOCONFIG WLANHC_RNWFMSM WLANHC_FATMSM WLANHC_DLLMAIN WLANHC_TEST"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
    • Startup: %UserProfile%\Start Menu\Programs\Startup

--------------------------------------------------------------------------------------------------------------------------------

When executed, the Trojan copies itself into the following location:

  • %Appdata%\cift.exe [Hidden] [Detected as Generic Delphi]

The following registry value has been added to the system which ensures that the Trojan registers itself with the compromised system and executes itself upon every boot.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
    • "Taskman" = "%Appdata%\cift.exe"

The Trojan also injects its malicious code into explorer.exe and connects to the IP address 89.149.[Removed].206 through remote port 4040.

The Trojan opens a backdoor that allows a remote attacker to perform the following actions:

  • Execute arbitrary commands received from the remote server.
  • Download and execute other malicious files from the remote server.
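A read-only host triage script for the indicators in this profile, added here as an example (it is not McAfee's tooling or the vendor's removal procedure). It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and checks both the XP-era and the Vista+ Startup folder locations; it reports findings and removes nothing.

```powershell
# Added example: read-only triage for the Generic Delphi indicators in this profile.
# Assumes an elevated PowerShell session on Windows 8/Server 2012 or later
# (Get-NetTCPConnection); on older hosts replace step 4 with netstat -ano output.
$findings = @()

# 1. Winlogon "Taskman" value: the profile reports it set to %Appdata%\cift.exe.
#    A clean system normally has no Taskman value at all, so any value deserves review.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$taskman  = (Get-ItemProperty -Path $winlogon -Name 'Taskman' -ErrorAction SilentlyContinue).Taskman
if ($taskman) { $findings += "Winlogon\Taskman = '$taskman'" }

# 2. Dropped files, checked in every profile under C:\Users. cift.exe is dropped with the
#    hidden attribute, hence -Force on Get-Item.
$profiles = @($env:USERPROFILE) +
            @(Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object FullName)
foreach ($p in ($profiles | Where-Object { $_ } | Sort-Object -Unique)) {
    $candidates = @(
        (Join-Path $p 'AppData\Roaming\cift.exe'),
        (Join-Path $p 'Desktop\Photo.jpg'),
        (Join-Path $p 'Start Menu\Programs\Startup\search.cmd'),
        (Join-Path $p 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\search.cmd')
    )
    foreach ($c in $candidates) {
        if (Get-Item -LiteralPath $c -Force -ErrorAction SilentlyContinue) { $findings += "File present: $c" }
    }
}

# 3. Single-instance mutex. OpenExisting succeeds only while some process holds it;
#    an access-denied error also means it exists (created in another security context).
try {
    $m = [System.Threading.Mutex]::OpenExisting('ShimCacheMutex'); $m.Dispose()
    $findings += "Mutex 'ShimCacheMutex' exists (an instance may be running)"
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
} catch [System.UnauthorizedAccessException] {
    $findings += "Mutex 'ShimCacheMutex' exists but is not accessible from this session"
}

# 4. Established TCP sessions to remote port 4040, with the owning process
#    (the profile reports the code is injected into explorer.exe, so that is the name to expect).
$conns = Get-NetTCPConnection -RemotePort 4040 -State Established -ErrorAction SilentlyContinue
foreach ($cn in $conns) {
    $name = (Get-Process -Id $cn.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $findings += "TCP $($cn.LocalAddress) -> $($cn.RemoteAddress):4040 owned by PID $($cn.OwningProcess) ($name)"
}

if ($findings.Count -eq 0) { 'No Generic Delphi indicators found.' } else { $findings }
```

The Winlogon\Taskman value and the search.cmd Startup entry are the strongest indicators here; a hit on port 4040 alone should be correlated with the owning process before acting on it.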

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).
