McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.Delf.gi (AVP)

• TROJ_PALAVRA.A (Trend)

Characteristics

This trojan captures typed keystrokes and mouse movement, and sends this information to a specified email address.  It takes small screen shots of the area directly below the mouse pointer each time a mouse button is depressed.  The purpose of this action is to steal password information where passwords are entered in by clicking on images/buttons rather than typing keystrokes.

When the trojan is run, a Window is displayed:

When the Instalar button is pressed, a message box is displayed:

The trojan copies itself to the WINDOWS directory and creates a registry run key to load itself at system startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run "Explorer" = %trojan path%

A keyboard hooking DLL file is extracted to the WINDOWS SYSTEM directory as HDLL.DLL.  The date/time, computer name, and username are saved to a file named DATA.TXT in the current directory, which is used in the main report file.

A hidden direcotry named Excel is created.  Small screen shots are taken each time the mouse is clicked and saved to this directory.

When there are 30 images within the directory, they are compressed into an archive file (ZIP) and emailed to the author, along with information saved in the DATA.TXT file.  That message is as follows:

From: patrik [patrik123@terra.com.br]
To: patrik123@terra.com.br
Subject: %random characters%_%machine name%_user name%
X-Mailer: NetMasters SMTP Demo

Symptoms

Presence of a hidden directory named Excel within the WINDOWS (%WinDir%) directory.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.Delf.gi (AVP)

• TROJ_PALAVRA.A (Trend)

Characteristics

Characteristics -

This trojan captures typed keystrokes and mouse movement, and sends this information to a specified email address.  It takes small screen shots of the area directly below the mouse pointer each time a mouse button is depressed.  The purpose of this action is to steal password information where passwords are entered in by clicking on images/buttons rather than typing keystrokes.

When the trojan is run, a Window is displayed:

When the Instalar button is pressed, a message box is displayed:

The trojan copies itself to the WINDOWS directory and creates a registry run key to load itself at system startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run "Explorer" = %trojan path%

A keyboard hooking DLL file is extracted to the WINDOWS SYSTEM directory as HDLL.DLL.  The date/time, computer name, and username are saved to a file named DATA.TXT in the current directory, which is used in the main report file.

A hidden direcotry named Excel is created.  Small screen shots are taken each time the mouse is clicked and saved to this directory.

When there are 30 images within the directory, they are compressed into an archive file (ZIP) and emailed to the author, along with information saved in the DATA.TXT file.  That message is as follows:

From: patrik [patrik123@terra.com.br]
To: patrik123@terra.com.br
Subject: %random characters%_%machine name%_user name%
X-Mailer: NetMasters SMTP Demo

Symptoms

Symptoms -

Presence of a hidden directory named Excel within the WINDOWS (%WinDir%) directory.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A