How to Prevent and Remove the Trojan-Downloader.Delphi


1. What is the Trojan-Downloader.Delphi

A trojan downloader is usually a standalone program that attempts to covertly download and run other files from remote web and FTP sites.

a. The following files were created in the system:

  #  Filename(s)                               File Size
  1  %AppData%\NTCServer\ntcsvr.exe            179,200 bytes
  2  [file and pathname of the sample #1]      179,712 bytes
  • Note:
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
  • The following directory was created:
    • %AppData%\NTCServer

b. Memory Modifications

  • There were new processes created in the system:

    Process Name                  Process Filename
    [filename of the sample #1]   [file and pathname of the sample #1]

c. Registry Modifications

  • The following Registry Key was created:
    • HKEY_CURRENT_USER\Software\NTCServer
  • The newly created Registry Values are:
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • NTCServer = "%AppData%\NTCServer\ntcsvr.exe"
        so that ntcsvr.exe runs every time Windows starts
    • [HKEY_CURRENT_USER\Software\NTCServer]
      • dt = "12/7/2010"

d. Other details

  • An attempt to establish a connection with a remote host was recorded. The connection details are:

    Remote Host       Port Number
    121.125.79.175    80

  • The following URLs were then requested from the remote web server:
    • http://121.125.79.175/log/ntcsvr.exe
    • http://121.125.79.175/count/install.php?pc=n01
    • http://121.125.79.175/svr/index.htm
    • http://121.125.79.175/count/update.php?pc=n01

 

2. How-to's

a. Please update the Sax2 policy knowledge base promptly. Once Sax2 detects the communication of these trojans, it will block it and protect your network and business.

b. How to Remove the Trojan-Downloader.Delphi  Manually?

Step 1 : Use Windows Task Manager to end the Trojan-Downloader.Delphi processes

[filename of the sample #1]

Step 2 : Remove the registry entries hidden by Trojan-Downloader.Delphi. Once you notice programs on your PC behaving abnormally, immediately check the following entries in the Registry and delete the spyware-related registry entries.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  • NTCServer = "%AppData%\NTCServer\ntcsvr.exe"

Step 3 : Clean up the IE Temporary Internet Files folder, where the original carrier of the threat may be stored. The malicious files generated by Trojan-Downloader.Delphi.bho may also be located at the following locations:
%AppData%\NTCServer\ntcsvr.exe
[file and pathname of the sample #1]
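The three manual steps above can be audited in one pass from the affected user's session. The following PowerShell script is an added example, not part of the original page or of any Sax2 tooling; it assumes the indicators are exactly as documented here (the Run value NTCServer, the key HKCU\Software\NTCServer and the folder %AppData%\NTCServer) and does not handle the original sample, whose path is not given. It only reports unless run with -Remove, and it hashes ntcsvr.exe before deleting it so a record of the dropped file survives the clean-up.

```powershell
# Added example: audit and optionally remove the Trojan-Downloader.Delphi
# artefacts listed on this page. Run in the affected user's session.
param([switch]$Remove)   # without -Remove the script only reports

$dropDir   = Join-Path $env:APPDATA 'NTCServer'
$dropFile  = Join-Path $dropDir 'ntcsvr.exe'
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue  = 'NTCServer'
$trojanKey = 'HKCU:\Software\NTCServer'
$found     = $false

# Step 1: any running process whose image lives in the dropped folder
$procs = Get-Process -ErrorAction SilentlyContinue |
         Where-Object { $_.Path -and $_.Path -like "$dropDir\*" }
foreach ($p in $procs) {
    $found = $true
    Write-Output "Process: $($p.ProcessName) (PID $($p.Id)) -> $($p.Path)"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# Step 2: the persistence value under Run and the marker key with its "dt" value
$run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($run) {
    $found = $true
    Write-Output "Run value: $runValue = $($run.$runValue)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runValue }
}
if (Test-Path $trojanKey) {
    $found = $true
    $dt = (Get-ItemProperty -Path $trojanKey -ErrorAction SilentlyContinue).dt
    Write-Output "Key: $trojanKey (dt = $dt)"
    if ($Remove) { Remove-Item -Path $trojanKey -Recurse -Force }
}

# Step 3: the dropped file and its directory (hash recorded before removal)
if (Test-Path $dropDir) {
    $found = $true
    $hash = if (Test-Path $dropFile) {
        (Get-FileHash -Path $dropFile -Algorithm SHA256).Hash
    } else { 'n/a' }
    Write-Output "Folder: $dropDir (ntcsvr.exe SHA256: $hash)"
    if ($Remove) { Remove-Item -Path $dropDir -Recurse -Force }
}

if (-not $found) { Write-Output 'No Trojan-Downloader.Delphi indicators found.' }
```

Because the Run value lives under HKEY_CURRENT_USER, the check has to be repeated for each user profile on a shared machine; the script only covers the profile it runs in.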

c. How to Remove these trojans Instantly?

Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

 

3. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm