How to Prevent and Remove the Trojan-Dropper.Delf


1. What is the Trojan-Dropper.Delf

Trojan.Dropper-Delf is a Spyware Trojan designed to infiltrate your computer and open a conduit by which large amounts of adware and spyware can be piped to your system. Trojan.Dropper-Delf opens up a large security hole on your computer and is a very dangerous threat to the security of your personal and financial data. Trojan.Dropper-Delf will download and install numerous additional parasites.

 

2. Technical Details

a. The following files were created in the system:

No.  Filename                              Size
1    %System%\crt.dat                      12 bytes
2    %System%\cryptnet32.dll               46,592 bytes
3    [file and pathname of the sample #1]  364,544 bytes
4    %System%\shimg.dll                    295,573 bytes

  • Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

b. Memory Modifications

  • New memory pages were created in the address space of the following system process(es):

Process Name    Process Filename        Allocated Size
svchost.exe     %System%\svchost.exe    200,704 bytes
svchost.exe     %System%\svchost.exe    217,088 bytes
svchost.exe     %System%\svchost.exe    98,304 bytes
svchost.exe     %System%\svchost.exe    118,784 bytes
svchost.exe     %System%\svchost.exe    24,576 bytes
svchost.exe     %System%\svchost.exe    45,056 bytes

c. Registry Modifications

    • The following Registry Keys were created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Data
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet32
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Data]
        • data5 = 48 52 37 36 2C 11 58 93 F6 70 E8 43 85 E9 5F 91 F0 72 F2 41 DE 35 D4 BE A8 8F F4 77 E2 64 C6 33 2F 30 36 3E 33 17 5A 8B CA 43 8B 02 C5 AD 5B 82 F9 73 F5 78 D9 76 D4 E3 E7 CA F1 79 F4 65 CE 34 0C 08
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet32]
        • DllName = "cryptnet32.dll"
        • Startup = "WinlogonStartupEv"
        • Logoff = "WinlogonLogoffEv"
        • Shutdown = "WinlogonLogoffEv"
        • Asynchronous = 0x00000001
        • Impersonate = 0x00000000

        so that cryptnet32.dll is installed as a Winlogon notification package. Winlogon loads the DLL at boot and calls the exports named above on the startup, logoff and shutdown events, so the dropper is re-activated in every session without needing a Run key.
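The persistence above can be audited from a plain `reg export` of the Winlogon\Notify key. The following is an added example (not code from the advisory or from Sax2) that parses such an export and flags notification packages missing from a known-good baseline; the baseline of stock Windows XP package names is an assumption and should be replaced by an export from a clean machine of the same build, and the sample export is constructed from the values listed in the advisory.

```python
import re

# Key prefix whose subkeys are the notification packages (trailing backslash kept).
NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")
# Assumed baseline of stock Windows XP packages (lower-cased); replace with an export
# from a known-clean machine. Note the genuine "cryptnet" entry that "cryptnet32" imitates.
BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
            "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Constructed sample export: one stock entry plus the entry from the advisory.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\cryptnet]
"DllName"="cryptnet.dll"
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\cryptnet32]
"DllName"="cryptnet32.dll"
"Startup"="WinlogonStartupEv"
"Logoff"="WinlogonLogoffEv"
"Shutdown"="WinlogonLogoffEv"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"""
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')
EVENT_VALUES = {"Startup", "Logon", "Logoff", "Shutdown", "Lock", "Unlock"}

def parse_notify_export(text):
    # Returns {subkey: {value_name: value}} for every key under Winlogon\Notify.
    packages, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        key = KEY_RE.match(line)
        if key:  # a new [key] line: track it only if it is a Notify subkey
            path = key.group(1)
            current = None
            if path.lower().startswith(NOTIFY_PREFIX.lower()):
                current = path[len(NOTIFY_PREFIX):].lower()
                packages[current] = {}
            continue
        val = VAL_RE.match(line)
        if val and current is not None:  # REG_SZ or REG_DWORD value under that key
            name, text_value, dword = val.groups()
            packages[current][name] = text_value if dword is None else int(dword, 16)
    return packages

def audit_notify_packages(text, baseline=BASELINE):
    # Lists (subkey, DllName, hooked events) for every package outside the baseline.
    findings = []
    for subkey, values in sorted(parse_notify_export(text).items()):
        if subkey not in baseline:
            hooks = sorted(name for name in values if name in EVENT_VALUES)
            findings.append((subkey, values.get("DllName"), hooks))
    return findings
```

A package whose DllName does not resolve to a signed file under %System% deserves the same scrutiny even when its name is in the baseline.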

    d. Other Details

    • Attempts to establish connections with the following remote hosts were recorded:

    Remote Host        Port Number
    173.193.205.116    8014
    69.163.248.145     80
    69.163.250.145     80
    78.46.49.226       80
    • The data identified by the following URLs was then requested from the remote web server:

      • http://cache2.bazookanetworks.com/g2/bazooka.php?net=gnutella2&get=1&client=RAZA2.5.0.0
      • http://cache.trillinux.org/g2/bazooka.php?net=gnutella2&get=1&client=RAZA2.5.0.0
      • http://jayl.de/gweb/g2/bazooka.php?net=gnutella2&get=1&client=RAZA2.5.0.0

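The hosts, ports and URLs above are the advisory's network indicators. The following added example (not from the advisory or from Sax2) matches them against proxy or firewall log lines; the log format (timestamp, source IP, destination IP, destination port, URL) and the sample lines are constructed assumptions, so adapt the split() to whatever your proxy exports.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Destination host/port pairs listed in the advisory.
C2_ENDPOINTS = {("173.193.205.116", 8014), ("69.163.248.145", 80),
                ("69.163.250.145", 80), ("78.46.49.226", 80)}
# Path of the Gnutella2 web-cache requests the sample issued.
GWC_PATH = re.compile(r"/g2/bazooka\.php$")

# Constructed log lines in an assumed "timestamp src dst dst_port url" format;
# a "-" URL means a non-HTTP connection. Internal hosts use 10.0.0.0/8 and
# neutral destinations use the 203.0.113.0/24 documentation range.
SAMPLE_LOG = """\
T+00s 10.0.0.23 173.193.205.116 8014 -
T+03s 10.0.0.23 203.0.113.7 80 http://cache.trillinux.org/g2/bazooka.php?net=gnutella2&get=1&client=RAZA2.5.0.0
T+07s 10.0.0.23 203.0.113.5 443 https://intranet.example/
T+10s 10.0.0.23 69.163.248.145 80 http://jayl.de/gweb/g2/bazooka.php?net=gnutella2&get=1&client=RAZA2.5.0.0
"""

def classify_line(line):
    """Return the indicator tags one log line matches (empty list when clean)."""
    try:
        _ts, _src, dst, port, url = line.split()
        port = int(port)
    except ValueError:
        return ["malformed"]
    tags = []
    if (dst, port) in C2_ENDPOINTS:
        tags.append("c2-endpoint")
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    # Web-cache bootstrap request: bazooka.php with net=gnutella2, as in the advisory's URLs.
    if GWC_PATH.search(parts.path) and query.get("net") == ["gnutella2"]:
        tags.append("g2-webcache")
        if query.get("client", [""])[0].startswith("RAZA"):
            tags.append("client=RAZA")
    return tags

def scan_log(lines):
    """Return (line, tags) for every line that matched at least one indicator."""
    results = []
    for line in lines:
        tags = classify_line(line)
        if tags:
            results.append((line, tags))
    return results
```

Matching on the request path and query string catches the same activity when the cache servers change addresses, whereas the IP list alone goes stale.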

    3. How-to's

    a. How to prevent the Trojan-Dropper.Delf?

    Keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connections and help ensure your network and business security.

    b. How to Remove the Trojan-Dropper.Delf Manually?

    Step 1: Stop the following Trojan.Dropper-Delf processes:
    Installer5.exe
    sadan[1].exe
    vcodec2007[1].exe
    netg[1].exe
    show2[1].exe
    winlogo.exe
    msm.exe
    winow.exe
    ie_update3r.exe
    msiesettings[1].exe
    KB_963491.exe
    A0001215.exe
    media_codec_iw_3912969[1].exe
    mljul0.exe
    Gay-Lesbian-Photo.exe
    adgiygu.exe
    meex.exe
    G12-tmp_.exe
    G17-tmp_.exe
    GB-tmp_.exe

    Step 2: Remove the following Trojan.Dropper-Delf registry keys and values:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Data
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet32

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Data]
    data5 = 48 52 37 36 2C 11 58 93 F6 70 E8 43 85 E9 5F 91 F0 72 F2 41 DE 35 D4 BE A8 8F F4 77 E2 64 C6 33 2F 30 36 3E 33 17 5A 8B CA 43 8B 02 C5 AD 5B 82 F9 73 F5 78 D9 76 D4 E3 E7 CA F1 79 F4 65 CE 34 0C 08
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet32]
    DllName = "cryptnet32.dll"
    Startup = "WinlogonStartupEv"
    Logoff = "WinlogonLogoffEv"
    Shutdown = "WinlogonLogoffEv"
    Asynchronous = 0x00000001
    Impersonate = 0x00000000

    Step 3: Locate and delete the following Trojan-Dropper.Delf files:

    %System%\crt.dat
    %System%\cryptnet32.dll
    [file and pathname of the sample #1]
    %System%\shimg.dll

    c. How to Remove these trojans Instantly?

    Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.


    4. Appendix

    For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
