Trojan-Dropper.Win32.Delf.bp

From Total Malware Info


This Trojan is designed to install another Trojan on the victim machine without the user's knowledge or consent. It is a Windows PE EXE file, 371 712 bytes in size, written in Delphi.

Payload

Once launched, the Trojan copies the file "WinAppService.exe" from its current directory (if the file exists) to the Windows system directory and then launches it:

%System%\WinAppService.exe

It then tries to start a service named "WinService" and to set the description of this service to "WinService", using the following commands:

net start WinService
sc description WinService

The Trojan then changes the Start Page of Internet Explorer to:

http://315dh.com 

At the time of writing, this link was not working.

The Trojan then looks for the following files in its current directory and in every directory listed in the %PATH% environment variable:

hztsA.exe
SDAstroSetup.exe
WIS.exe
dnsys9006.exe
5004.exe
newweb.exe
pc.exe
other0
other1.exe
other2.exe

Any of these files that are found are launched for execution.

Removal instructions

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (its name and location depend on how the Trojan originally penetrated the target computer).
  3. Delete the following file if it exists:
    %System%\WinAppService.exe
  4. Stop and disable the following service if it exists and is enabled:
    WinService
  5. Restore the Start Page of Internet Explorer.
  6. Use Kaspersky Anti-Virus to delete the malware. Update your antivirus databases and perform a full scan of the computer.
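The following PowerShell script is an added example, not part of the original description, that checks a machine for the indicators listed in the Payload section and carries out removal steps 1 to 5 when run with the -Remediate switch. It assumes that restoring the Start Page to "about:blank" is acceptable, that the dropped file is named exactly "WinAppService.exe" and the service exactly "WinService", and it only reports (never deletes) files matching the secondary payload names, since names such as pc.exe or WIS.exe may belong to legitimate software and need manual review.

```powershell
# Added triage / cleanup script for Trojan-Dropper.Win32.Delf.bp indicators.
# Not from the original page. Run in an elevated PowerShell session.
# Without -Remediate the script only reports what it finds.
[CmdletBinding()]
param(
    [switch]$Remediate
)

$systemDir   = [Environment]::GetFolderPath('System')   # %System%
$dropped     = Join-Path $systemDir 'WinAppService.exe'
$serviceName = 'WinService'
$ieMainKey   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$badStart    = 'http://315dh.com'
$cleanStart  = 'about:blank'                              # assumption: acceptable default

# Secondary payload names the dropper searches for (from the page).
# Note that "other0" is listed without an extension.
$secondary = @('hztsA.exe', 'SDAstroSetup.exe', 'WIS.exe', 'dnsys9006.exe',
               '5004.exe', 'newweb.exe', 'pc.exe', 'other0', 'other1.exe', 'other2.exe')

$findings = @()

# Step 1: a running process named after the dropped file
$proc = Get-Process -Name 'WinAppService' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "process WinAppService.exe running (PID $($proc.Id -join ','))"
    if ($Remediate) { $proc | Stop-Process -Force }
}

# Step 3: the copy dropped into the system directory
if (Test-Path -LiteralPath $dropped -PathType Leaf) {
    $findings += "file present: $dropped"
    if ($Remediate) { Remove-Item -LiteralPath $dropped -Force }
}

# Step 4: the service the dropper tries to start
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "service $serviceName exists (status $($svc.Status))"
    if ($Remediate) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $serviceName -Force }
        Set-Service -Name $serviceName -StartupType Disabled
    }
}

# Step 5: the modified Internet Explorer Start Page (per-user value)
$start = (Get-ItemProperty -Path $ieMainKey -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($start -and $start.TrimEnd('/') -like "$badStart*") {
    $findings += "IE Start Page set to $start"
    if ($Remediate) { Set-ItemProperty -Path $ieMainKey -Name 'Start Page' -Value $cleanStart }
}

# Secondary payload names: same search order the dropper uses, i.e. the current
# directory followed by every %PATH% entry. Report only; review these by hand.
$searchDirs = @((Get-Location).Path) + ($env:Path -split ';' | Where-Object { $_ })
foreach ($dir in ($searchDirs | Select-Object -Unique)) {
    foreach ($name in $secondary) {
        $candidate = Join-Path $dir $name
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            $findings += "secondary payload candidate (review manually): $candidate"
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

The Start Page value lives under HKCU, so the check and the fix apply only to the user profile the script runs as; repeat it for every profile that was logged on while the Trojan ran. Step 2 (the original dropper file) is deliberately not automated because its name and location are not fixed.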