Trojan-Spy.Win32.Delf.kof

From Total Malware Info

The description for Trojan-Spy.Win32.Delf.kof was created during beta-test of the «Malware description on demand» service. Learn more about it at: www.dnt-lab.com/en/services.

Last edited: 21.2.2011

This Trojan-Spy is designed to steal confidential user information. It is a Windows application (PE-EXE file). Its size is 368,640 bytes. It is written in Delphi.

MD5: 5B866B31A89EB030CBF4864ADA2063CA

SHA1: E8A1B88C3D748D292633FAD06C12C47C0F170494

Payload

The trojan is designed to steal "cookies" and passwords stored by the following web browsers:

Opera
Mozilla Firefox
Google Chrome
Internet Explorer

Mozilla Firefox "cookies" are processed with the library "sqlite3.dll", which the trojan extracts from its own body:

%WorkDir%\sqlite3.dll (175104 bytes; MD5: F98CE457A2094650C658D3223D1513D0, SHA1: 537B292A1ED867A618B5D6F814E8329458B8489A)


This DLL will be removed after completion of the trojan's work. The trojan steals data from files in the directory:

%APPDATA%\Google\Chrome\

as well as from the following files:

%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\index.dat
%USERPROFILE%\Cookies\index.dat
%USERPROFILE%\Local Settings\History\History.IE5\index.dat
%APPDATA%\Opera\Opera\profile\wand.dat

The collected information is written to the file:

%WorkDir%\<rnd>

<rnd> is a random name such as "tHIfYu14kOH2.dO2".

This file has the following structure:

#>INFO
Version		0.03
Computer name		<computer name>\<user name>
Timezone		<timezone>
#<INFO

#>PASSWORDS
<collected information>
#<PASSWORDS
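
As an added example (not part of the original description), a small Python parser that an incident responder could run over a staging file carved from %WorkDir% before the trojan encrypted and deleted it. The "#>NAME" / "#<NAME" section tags and the INFO field names come from the layout above; the sample content, hostname and timezone are constructed.

```python
import re
# Constructed sample of the staging-file layout documented above; the real
# PASSWORDS payload is not documented, so a placeholder line stands in for it.
SAMPLE = (
    "#>INFO\r\n"
    "Version\t\t0.03\r\n"
    "Computer name\t\tWORKSTATION-7\\jdoe\r\n"
    "Timezone\t\tUTC+08:00\r\n"
    "#<INFO\r\n"
    "#>PASSWORDS\r\n"
    "<collected information>\r\n"
    "#<PASSWORDS\r\n"
)

TAG = re.compile(r"^#([<>])(\w+)\s*$")  # "#>INFO" opens a block, "#<INFO" closes it


def parse_staging_file(text):
    """Split the file into {section: [non-empty raw lines]}; raise ValueError on
    nested, mismatched or unterminated tags, or on data outside any section."""
    sections, current = {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        tag = TAG.match(line)
        if tag and tag.group(1) == ">":
            if current is not None:
                raise ValueError(f"line {lineno}: nested section inside {current}")
            current = tag.group(2)
            sections.setdefault(current, [])
        elif tag:
            if tag.group(2) != current:
                raise ValueError(f"line {lineno}: close tag does not match {current}")
            current = None
        elif current is None:
            raise ValueError(f"line {lineno}: data outside any section")
        else:
            sections[current].append(line)
    if current is not None:
        raise ValueError(f"unterminated section {current}")
    return sections


def parse_info(lines):
    """Turn INFO lines ("key<TAB>...<TAB>value") into a {key: value} dict."""
    fields = {}
    for line in lines:
        key, _, value = line.partition("\t")
        fields[key] = value.lstrip("\t")
    return fields
```

A truncated carve (for example a file recovered without its "#<PASSWORDS" line) is rejected rather than parsed as complete, which matters when the fragment is used to scope what was exfiltrated.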

Then, this file is encrypted and sent to the attacker by email. The trojan uses one of the following SMTP servers:

aisp.people.com.cn
163mx00.mxmail.netease.com
163mx01.mxmail.netease.com
163mx02.mxmail.netease.com
163mx03.mxmail.netease.com
163mx04.mxmail.netease.com

MAIL FROM:

administrator@peoplemail.com.cn
administrator@163.com

RCPT TO:

reistealer@gmail.com

Then, "%WorkDir%\<rnd>" is removed. Finally, the trojan deletes its original file using the following BAT script:

FOR /L %%I IN (1, 1, 1000) DO @ECHO.
del /F /Q "<full path to the original trojan's file>" "%WorkDir%\<rnd>.bat" > nul

Removal Instructions

Perform a full system scan with an antivirus with updated databases.
