Delude is a trojan that is distributed through a web page. The page contains
HTA code that exploits a vulnerability in Internet Explorer (the one covered
by Microsoft Security Bulletin MS03-032) to run without the user launching
anything.
The HTA code on the web page downloads a file named "partyboy.exe" from an
FTP site and runs it. This file is packed with UPX. It is a batch file that
was compiled into an executable binary (".exe") with a BatToExe tool.
When executed, it changes the Internet Explorer start page to find-now.info.
It also blocks access to the major search engines, including Google, Yahoo,
Lycos, MSN and AltaVista. To do this it replaces the following file:
%windir%\system32\drivers\etc\hosts
where %windir% is the Windows installation directory. Because Windows
consults the hosts file before sending any DNS query, entries placed there
override the real addresses of the listed names.
Detection in F-Secure Anti-Virus was published on September 10th, 2003 in
update:
This new variant, Delude.B, is similar to Delude.A, but it uses a file named
AOLFIX.EXE instead of partyboy.exe, and it changes the name server address in
the registry so that DNS requests are sent to a wrong host. The IP address of
this host is 216.127.92.38. The change is made via a registry file ("o.reg")
that is dropped into the Windows installation directory and executed.
Additionally, it replaces the hosts file in the same way as Delude.A, although
the content of the replacement hosts file is different.
Delude.B changes the start page to the Google search engine.
In addition, Delude.B checks whether the operating system is Windows NT,
2000 or XP. If it is, it drops and executes another registry file ("o2.reg")
as well as a script ("o.vbs"). These attempt to make sure that the name
server changes have been applied to the system.
The changes made to the Windows DNS settings can be viewed and restored from
the TCP/IP properties of the affected network connection.
All registry and script files that Delude.B drops are deleted after
execution.
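The two checks a responder would want for these variants, as an added example that is not part of the original description: parse a hosts file and flag any search-engine name mapped to a non-loopback address (the hosts file hijack used by Delude.A and Delude.B), and scan a dropped .reg file for NameServer values (the DNS redirection used by Delude.B). The sample hosts content and the sample .reg content below are constructed for the example. The Tcpip\Parameters key is the standard location of Windows DNS server settings, but the actual content of Delude.B's o.reg is not given in the description, so the sample file is an assumption.

```python
import re
import ipaddress

# Constructed sample: a hosts file of the kind Delude drops, with the
# stock localhost line left in place and search engines pointed elsewhere.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
216.127.92.38   www.google.com
216.127.92.38   google.com
216.127.92.38   www.yahoo.com
216.127.92.38   www.lycos.com
216.127.92.38   search.msn.com
216.127.92.38   www.altavista.com
"""

# Constructed sample (assumption): a REGEDIT4-style file setting the DNS
# server, imitating what an "o.reg" dropped by Delude.B could contain.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"="216.127.92.38"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ABCD}]
"NameServer"="216.127.92.38"
"""

# Domains the description says Delude blocks; subdomains are matched too.
SEARCH_ENGINE_DOMAINS = {"google.com", "yahoo.com", "lycos.com",
                         "msn.com", "altavista.com"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def _matches_domain(hostname, domain):
    return hostname == domain or hostname.endswith("." + domain)


def find_hijacked_hosts(text, watched=SEARCH_ENGINE_DOMAINS):
    """Flag watched names that resolve to a non-loopback address via hosts."""
    hijacked = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                      # malformed line, not an IP
        if addr.is_loopback:
            continue                      # "127.0.0.1 localhost" is legitimate
        if any(_matches_domain(name, d) for d in watched):
            hijacked.append((name, ip))
    return hijacked


_REG_VALUE = re.compile(r'"(NameServer|DhcpNameServer)"="([^"]*)"')


def find_nameserver_changes(reg_text):
    """Return (key, value_name, [servers]) for every NameServer set in a .reg file."""
    changes = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]      # new key section
            continue
        m = _REG_VALUE.match(line)
        if m and current_key:
            # Windows stores several servers separated by spaces or commas.
            servers = [s for s in re.split(r"[ ,]+", m.group(2)) if s]
            changes.append((current_key, m.group(1), servers))
    return changes


if __name__ == "__main__":
    for name, ip in find_hijacked_hosts(SAMPLE_HOSTS):
        print(f"hosts hijack: {name} -> {ip}")
    for key, value, servers in find_nameserver_changes(SAMPLE_REG):
        print(f"DNS change: {key}\\{value} = {servers}")
```

On a live system the same functions can be run over the real file at %windir%\system32\drivers\etc\hosts and over any .reg file recovered from the Windows directory; since Delude.B deletes its dropped files after use, the registry values themselves (the NameServer value under the Tcpip\Parameters key and its per-interface subkeys) are usually what is left to inspect.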
At the time of writing this description, the patch referred to above
(MS03-032) does not fix the vulnerability that Delude uses.
Detection in F-Secure Anti-Virus was published on October 2nd, 2003 in
update: