

Delude


Aliases: Delude, Trojan.BAT.Startpage.a, QHosts-1, QHosts-1.dr

Malware
Trojan
W32

Summary

Delude is a trojan distributed from a web page. The page contains code that exploits an Internet Explorer vulnerability (MS03-032) to execute the trojan.

More information about the vulnerability is available from Microsoft at:

http://www.microsoft.com/security/security_bulletins/ms03-032.asp

This vulnerability, together with several others, has been fixed in the October 2003 Cumulative Patch for Internet Explorer, available at:

http://www.microsoft.com/windows/ie/downloads/critical/828750/default.asp



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details


Variant:Delude.A

The HTA code on the web page downloads a file named "partyboy.exe" from an FTP site and runs it. This file is packed with UPX. It is a batch file compiled into an executable binary (".exe") with a BatToExe tool.

When executed, it changes the Internet Explorer start page to find-now.info. It also blocks access to the major search engines, including Google, Yahoo, Lycos, MSN and AltaVista. To do this it replaces the following file:

  • %windir%\system32\drivers\etc\hosts

where %windir% is the Windows installation directory.


Variant:Delude.B

This new variant is similar to Delude.A, but it uses a file named AOLFIX.EXE instead of Partyboy.exe, and it changes the name server address in the registry so that DNS requests are sent to the wrong host. The IP address of this host is 216.127.92.38.

The change is made with a registry file ("o.reg") that is dropped into the Windows installation directory and executed. Additionally it replaces the hosts file in the same way as Delude.A, although the content of the replacement hosts file is different.

Delude.B changes the start page to Google search engine.

In addition, Delude.B checks whether the operating system is Windows NT, 2000 or XP. If it is, it drops and executes another registry file ("o2.reg") as well as a script ("o.vbs"). These attempt to make sure that the name server changes have been applied to the system.

The changes made to the Windows DNS settings can be seen and restored from the TCP/IP properties.

All registry and script files that Delude.B drops are deleted after execution.

At the time of writing this description, the MS03-032 patch mentioned above does not fix the vulnerability that Delude uses.


Variant:Delude.E

This variant is a modification of Delude.B. It is otherwise functionally identical but uses two nameservers: 69.57.146.14 and 69.57.147.17.
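As an added triage example (this is not F-Secure's code and is not part of the original description), the following Python script checks the two persistence points shared by the variants above: hosts-file entries for the search engines named under Delude.A, and NameServer registry values pointing at the nameserver addresses given for Delude.B and Delude.E. The sample hosts and .reg contents are constructed for the example; the exact search-engine hostnames, the registry key paths (the standard Tcpip\Parameters location, which the description does not name) and the interface GUID are assumptions.

```python
"""Triage helper for Delude-style hosts-file and DNS hijacking.

Added example, not F-Secure's code. Parses a hosts file and a Windows .reg
export offline and reports the indicators given in the description.
"""
import re
from ipaddress import ip_address

# Nameserver addresses taken from the Delude.B and Delude.E descriptions.
DELUDE_NAMESERVERS = {"216.127.92.38", "69.57.146.14", "69.57.147.17"}

# Engines the description says Delude.A blocks. The hostnames are an
# assumption; the description names the engines, not the exact hostnames.
SEARCH_ENGINE_HOSTS = {
    "www.google.com", "google.com", "www.yahoo.com", "yahoo.com",
    "www.lycos.com", "lycos.com", "www.msn.com", "search.msn.com",
    "www.altavista.com", "altavista.com",
}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Comments (#...) and blank lines are ignored; one address may map to
    several names on one line, as in a real hosts file.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ip_address(parts[0])
        except ValueError:
            continue  # malformed address: skip it rather than abort triage
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def hijacked_hosts_entries(text):
    """Hosts entries that pin a search-engine name to any address.

    Any mapping counts, loopback included: a clean hosts file has no reason
    to carry these names at all.
    """
    return [(ip, name) for ip, name in parse_hosts(text)
            if name in SEARCH_ENGINE_HOSTS]


_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"\s*$')


def parse_reg_export(text):
    """Parse a Windows .reg file into {key_path: {value_name: string}}.

    Only REG_SZ values ("Name"="value") are handled, which is all a
    NameServer change needs; other value types are ignored.
    """
    result = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
        elif key is not None:
            m = _REG_VALUE.match(line)
            if m:
                result[key][m.group("name")] = m.group("value")
    return result


def delude_nameserver_keys(reg_text):
    """Keys whose NameServer value names a known Delude nameserver.

    Returns [(key_path, [matching addresses])]. NameServer is a string
    that may hold several addresses separated by spaces or commas.
    """
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        raw = values.get("NameServer", "")
        servers = {s.strip() for s in re.split(r"[ ,]+", raw) if s.strip()}
        bad = servers & DELUDE_NAMESERVERS
        if bad:
            hits.append((key, sorted(bad)))
    return hits


# Constructed sample hosts content; not the file Delude actually drops.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.google.com google.com   # search engine pinned to loopback
127.0.0.1       www.yahoo.com
10.0.0.5        intranet.example            # unrelated, legitimate entry
"""

# Constructed sample in the style of o.reg. The Tcpip\Parameters key paths
# are the standard NT-family DNS settings location (an assumption, the
# description does not name them); the interface GUID is made up.
SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters]
"NameServer"="216.127.92.38"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{00000000-0000-0000-0000-000000000000}]
"NameServer"="69.57.146.14,69.57.147.17"
"""

if __name__ == "__main__":
    for ip, name in hijacked_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts: {name} -> {ip}")
    for key, addrs in delude_nameserver_keys(SAMPLE_REG):
        print(f"registry: {key} NameServer -> {', '.join(addrs)}")
```

On a live system the same functions can be run over the real %windir%\system32\drivers\etc\hosts and over a `reg export` of the Tcpip\Parameters key; a hit in either place is the signal to restore the DNS settings from the TCP/IP properties as the description advises, and to replace the hosts file with a clean copy.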



Detection

Detection in F-Secure Anti-Virus was published on September 10th, 2003 in update:

Detection Type: PC
Database: 2003-09-10_0_03

Detection for Delude.B in F-Secure Anti-Virus was published on October 2nd, 2003 in update:

Detection Type: PC
Database: 2003-10-02_02



Technical Details: Katrin Tocheva and Sami Rautiainen, September 10th - October 3rd, 2003


