Threat Description

Delf.h

Details

Aliases: Delf.h, SpamTool.Win32.Delf.h, London Bombing trojan, Spam-SPM trojan, Troj/Spexta-A, Trojan.Spexta, TROJ_DONBOMB.A
Category: Malware
Type:
Platform: W32

Summary



This remotely controlled trojan appeared on July 8th, 2005, just after terrorists attacked London. It was spead with an HTML-based e-mail that contained news about explosions.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



The trojan is a PE executable file 82432 bytes long, packed with UPX file compressor.

The trojan was spread in e-mail messages that looked like that:

The trojan was sent in that e-mail as a ZIPped attachment named 'LondonTerrorMovie.zip'. The trojan's file name inside the archive was:

 London Terror Movie.avi   <a lot of spaces>   Checked By Norton Antivirus.exe

When the trojan's file is run, it copies itself to Windows folder with one of the following names:

 ctflog.exe
 explore.exe
 inetinfomon.exe
 MPM.exe
 service.exe
 winlog.exe

The trojan sets read-only, hidden and system attributes to the copied file. Then the trojan adds a startup key value for its file to the Registry:

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "<filename> manager" = "%WinDir%\<filename>.exe"


OR

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "<filename> manager" = "%WinDir%\<filename>.exe"


where %WinDir% stands for Windows directory name and &lt;filename&gt; stands for the trojan's file name, for example:

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "inetinfomon manager" = "c:\windows\inetinfomon.exe"
 
 

OR

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "inetinfomon manager" = "c:\windows\inetinfomon.exe"
 

The trojan is used by spammers to send e-mails from infected computers. The trojan can be remotely controlled to send e-mail and to upgrade its file from Internet.

When sending spam e-mails, the trojan can generate fake sender's e-mail addresses automatically using the following string arrays:

 abrupt
 acetic
 actinolite
 anarch
 apocryphal
 blacksmith
 bolometer
 codfish
 crystallite
 dairymen
 deducible
 detour
 diffusible
 diurnal
 frostbite
 hydrochemistry
 loretta
 mentor
 reactionary
 slovakia
 french
 wooden
 Thomas
 Edward
 Kenneth
 Ronald
 Carlos
 Victor
 Oliver
 Alexandria
 Hillary
 Malinda
 Williams
 Martinez
 Torres
 Hudson
 Wagner
 Fernandez
 Curtis
 Caldwell
 Jimenez
 Mckinney
 Cummings
 Walton
 Alvarado
 Carson
 hotmail.com
 msn.com
 aol.com

The trojan uses the following fake mailer tags:

 The Bat! (v1.52f) Business
 Microsoft Outlook Express 6.00.2600.0000
 Microsoft Outlook Express 5.00.2615.200
 MIME-tools 5.503 (Entity 5.501)
 Microsoft Outlook Express 6.00.2462.0000
 Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
 Microsoft Outlook, Build 10.0.2616
 Microsoft Outlook, Build 10.0.2627
 QUALCOMM Windows Eudora Version 5.1
 Internet Mail Service (5.5.2650.21)
 Microsoft Outlook Express 5.00.2919.6700
 eGroups Message Poster
 AOL 7.0 for Windows US sub 118



Detection


F-Secure Anti-Virus detects this trojan with the following updates:
Detection Type: PC
Database: 2005-07-11_01



Description Created: Description and Screenshot:Alexey Podrezov and Mikko Hypponen; June 12th, 2005;


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More