Backdoor.Win32.Delf.abc

From Total Malware Info


A Trojan program, controlled remotely via IRC, that performs malicious actions on the user's machine. It is a Windows PE-EXE file, 211 456 bytes in size, packed with the UPX packer; the unpacked size is approximately 538 KB.

Installation

Creates the following registry entry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Microsoft IIS=<Path to the backdoor file>

so that the backdoor executable is launched every time Windows starts.

Payload

Hides its own process from the system process list using the undocumented API function RegisterServiceProcess. Launches an HTTP proxy server on a random TCP port. The backdoor redirects requests for certain Internet sites to the malefactor's servers. To do so, it starts a thread that every 30 seconds performs the following actions: it searches the system for windows with the following titles:

Online Service – Error
Barclays IBank Error
LloydsTSB online – Error
HSBC Internet Banking #
NatWest OnLine Banking
Banesto Critical Error
Internet Banking Banca Di Credito Cooperativo #
Online Service Bank Of Scotland #
Digital Banking Royal Bank Of Scotland #
Bienvenido Cajamadrid #
'Caixa Penedes #
Postbank Online-Banking #
Deutsche Bank Online-Banking und -Brokerage #
Abbey - Log on #
Woolwich Internet Banking #

If one of these windows is found, the backdoor appends to the file:

  • %System%\Drivers\etc\hosts

the following text:

[ip_address]
online.lloydstsb.co.uk
online-business.lloydstsb.co.uk
www.nwolb.com
banesnet.banesto.es
extranet.banesto.es
ebanking.bccbrescia.it
www.bankofscotlandhalifax-online.co.uk
www.rbsdigital.com
oi.cajamadrid.es
bancae.caixapenedes.com
banking.postbank.de
meine.deutsche-bank.de
myonlineaccounts2.abbeynational.co.uk
ibank.cahoot.com
webbank.openplan.co.uk

where [ip_address] is the IP address of the domain fakes.anyforce.info. Depending on which window was found, the backdoor may create one of the following files:

%System%\halif.dll
%System%\barc.dll
%System%\lloy.dll
%System%\hsbc.dll
%System%\natw.dll
%System%\bane.dll
%System%\bccbrescia.dll
%System%\bankofscot.dll
%System%\rbsd.dll
%System%\cajamadrid.dll
%System%\caixapenedes.dll
%System%\postbank.dll
%System%\deutchebank.dll
%System%\cahoot.dll
%System%\wool.dll

where it writes the following text: “k3g534h5jf345mh34”. If one of these files already exists, the backdoor does not modify the file %System%\Drivers\etc\hosts on the next iteration. The malware supports remote control of the user's machine via the IRC protocol. It connects to the malware server and registers under the name portos. After that the backdoor waits for the malefactor's commands, which may be one of the following:

  • !DIE – terminate own process
  • !DELFILE – delete the specified file
  • !IP – show the user's IP address and open ports
  • !EXEC – execute a shell command
  • !RUN – launch the specified application
  • !LEFT – quit the channel
  • !CHANNEL – change channel
  • !PROC.KILL – terminate the specified process
  • !DOWNLOAD – download a file from the specified URL
  • !DOWNLOAD&RUN – download a file and launch it after a successful download
  • !COMPNAMES – return the machine's network name
  • !VISIT – open a URL in the default browser
  • !DCOM.SELF – test the host for the DCOM RPC vulnerability
  • DCOM.RANDOM.* – test random hosts for the DCOM RPC vulnerability
  • !DCOM.* – test an IP range for machines with the DCOM RPC vulnerability
  • !DCOM.STATUS – show the vulnerability scan status
  • !DCOM.STATUS.HALTED – show the number of vulnerable computers
  • !DCOM.STOP.* – stop the scan
  • !UPTIME – show backdoor uptime in days
  • !REDIRECT.STOP.* – stop URL redirection
  • !REDIRECT – start URL redirection

Removal Instructions

  1. Terminate the backdoor process.
  2. Delete the original backdoor file.
  3. Delete the following registry key entry:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Microsoft IIS
  4. Delete the following text from the file %System%\Drivers\etc\hosts:
     [ip_address]
     online.lloydstsb.co.uk
     online-business.lloydstsb.co.uk
     www.nwolb.com
     banesnet.banesto.es
     extranet.banesto.es
     ebanking.bccbrescia.it
     www.bankofscotlandhalifax-online.co.uk
     www.rbsdigital.com
     oi.cajamadrid.es
     bancae.caixapenedes.com
     banking.postbank.de
     meine.deutsche-bank.de
     myonlineaccounts2.abbeynational.co.uk
     ibank.cahoot.com
     webbank.openplan.co.uk
  5. Delete the following files:
    %System%\halif.dll
    %System%\barc.dll
    %System%\lloy.dll
    %System%\hsbc.dll
    %System%\natw.dll
    %System%\bane.dll
    %System%\bccbrescia.dll
    %System%\bankofscot.dll
    %System%\rbsd.dll
    %System%\cajamadrid.dll
    %System%\caixapenedes.dll
    %System%\postbank.dll
    %System%\deutchebank.dll
    %System%\cahoot.dll
    %System%\wool.dll
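
As an added example (not part of the original write-up), the Python script below detects the hosts-file redirection described in the Payload section, removes those entries as removal step 4 requires, and recognises the %System% marker files by name and content. It assumes the appended entries take the standard hosts-file form of one `IP hostname` pair per line; the hosts content and the 198.51.100.23 address are constructed sample data, not values from the page.

```python
"""Added example: detect and clean the Backdoor.Win32.Delf.abc hosts-file
redirection and recognise its marker files. Not code from the original
write-up; sample hosts content below is constructed."""
from typing import Dict, List, Tuple

# Banking hostnames the write-up says the backdoor appends to the hosts file.
TARGET_DOMAINS = {
    "online.lloydstsb.co.uk", "online-business.lloydstsb.co.uk", "www.nwolb.com",
    "banesnet.banesto.es", "extranet.banesto.es", "ebanking.bccbrescia.it",
    "www.bankofscotlandhalifax-online.co.uk", "www.rbsdigital.com",
    "oi.cajamadrid.es", "bancae.caixapenedes.com", "banking.postbank.de",
    "meine.deutsche-bank.de", "myonlineaccounts2.abbeynational.co.uk",
    "ibank.cahoot.com", "webbank.openplan.co.uk",
}
# Marker file names the write-up lists under %System%, and the text written into them.
MARKER_FILES = {
    "halif.dll", "barc.dll", "lloy.dll", "hsbc.dll", "natw.dll", "bane.dll",
    "bccbrescia.dll", "bankofscot.dll", "rbsd.dll", "cajamadrid.dll",
    "caixapenedes.dll", "postbank.dll", "deutchebank.dll", "cahoot.dll", "wool.dll",
}
MARKER_CONTENT = b"k3g534h5jf345mh34"

# Constructed sample hosts file; 198.51.100.23 is a TEST-NET placeholder address.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
198.51.100.23   online.lloydstsb.co.uk
198.51.100.23   www.nwolb.com
198.51.100.23   meine.deutsche-bank.de
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, ip, [hostnames]) for each mapping line, ignoring comments and blanks."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            entries.append((n, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def _is_backdoor_entry(ip: str, hosts: List[str]) -> bool:
    """A listed banking hostname pinned to a non-loopback address is the redirection."""
    return not ip.startswith("127.") and any(h in TARGET_DOMAINS for h in hosts)


def find_redirected_banks(text: str) -> Dict[str, str]:
    """Map each affected banking hostname to the address the hosts file pins it to."""
    hits: Dict[str, str] = {}
    for _, ip, hosts in parse_hosts(text):
        if _is_backdoor_entry(ip, hosts):
            for h in hosts:
                if h in TARGET_DOMAINS:
                    hits[h] = ip
    return hits


def clean_hosts(text: str) -> Tuple[str, List[int]]:
    """Return the hosts text with the backdoor's lines removed, plus the removed line numbers."""
    flagged = {n for n, ip, hosts in parse_hosts(text) if _is_backdoor_entry(ip, hosts)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in flagged]
    trailer = "\n" if text.endswith("\n") else ""
    return "\n".join(kept) + trailer, sorted(flagged)


def is_marker_file(name: str, content: bytes) -> bool:
    """True when a %System% file has one of the listed names and holds only the marker string."""
    return name.lower() in MARKER_FILES and content.strip() == MARKER_CONTENT


if __name__ == "__main__":
    for host, ip in find_redirected_banks(SAMPLE_HOSTS).items():
        print(f"redirected: {host} -> {ip}")
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print(f"removed hosts lines {removed}; cleaned file:\n{cleaned}")
    print("marker check:", is_marker_file("halif.dll", b"k3g534h5jf345mh34"))
```

On a live system, read %SystemRoot%\System32\drivers\etc\hosts into `find_redirected_banks` and write the result of `clean_hosts` back only after the backdoor process has been terminated (steps 1 and 2), since the payload thread re-adds the entries every 30 seconds while it runs. A loopback mapping for these hostnames is left alone because it is a sinkhole, not the redirection described here.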