F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : Delf.h

[Summary] | [Detailed Description] | [Detection]



NAME:Delf.h
ALIAS:SpamTool.Win32.Delf.h, London Bombing trojan, Spam-SPM trojan
ALIAS:Troj/Spexta-A, Trojan.Spexta, TROJ_DONBOMB.A
SIZE:82432

Summary

This remotely controlled trojan appeared on July 8th, 2005, just after terrorists attacked London. It was spead with an HTML-based e-mail that contained news about explosions.

Detailed Description

The trojan is a PE executable file 82432 bytes long, packed with UPX file compressor.

The trojan was spread in e-mail messages that looked like that:

The trojan was sent in that e-mail as a ZIPped attachment named 'LondonTerrorMovie.zip'. The trojan's file name inside the archive was: 

 London Terror Movie.avi   <a lot of spaces>   Checked By Norton Antivirus.exe

When the trojan's file is run, it copies itself to Windows folder with one of the following names: 

 ctflog.exe
 explore.exe
 inetinfomon.exe
 MPM.exe
 service.exe
 winlog.exe

The trojan sets read-only, hidden and system attributes to the copied file. Then the trojan adds a startup key value for its file to the Registry: 

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "<filename> manager" = "%WinDir%\<filename>.exe"

OR 

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "<filename> manager" = "%WinDir%\<filename>.exe"

where %WinDir% stands for Windows directory name and <filename> stands for the trojan's file name, for example: 

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "inetinfomon manager" = "c:\windows\inetinfomon.exe"

OR 

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "inetinfomon manager" = "c:\windows\inetinfomon.exe"

The trojan is used by spammers to send e-mails from infected computers. The trojan can be remotely controlled to send e-mail and to upgrade its file from Internet.

When sending spam e-mails, the trojan can generate fake sender's e-mail addresses automatically using the following string arrays: 

 abrupt
 acetic
 actinolite
 anarch
 apocryphal
 blacksmith
 bolometer
 codfish
 crystallite
 dairymen
 deducible
 detour
 diffusible
 diurnal
 frostbite
 hydrochemistry
 loretta
 mentor
 reactionary
 slovakia
 french
 wooden


 Thomas
 Edward
 Kenneth
 Ronald
 Carlos
 Victor
 Oliver
 Alexandria
 Hillary
 Malinda
 Williams


 Martinez
 Torres
 Hudson
 Wagner
 Fernandez
 Curtis
 Caldwell
 Jimenez
 Mckinney
 Cummings
 Walton
 Alvarado
 Carson


 hotmail.com
 msn.com
 aol.com

The trojan uses the following fake mailer tags: 

 The Bat! (v1.52f) Business
 Microsoft Outlook Express 6.00.2600.0000
 Microsoft Outlook Express 5.00.2615.200
 MIME-tools 5.503 (Entity 5.501)
 Microsoft Outlook Express 6.00.2462.0000
 Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
 Microsoft Outlook, Build 10.0.2616
 Microsoft Outlook, Build 10.0.2627
 QUALCOMM Windows Eudora Version 5.1
 Internet Mail Service (5.5.2650.21)
 Microsoft Outlook Express 5.00.2919.6700
 eGroups Message Poster
 AOL 7.0 for Windows US sub 118


Back to the Top


Detection

F-Secure Anti-Virus detects this trojan with the following updates:

[FSAV_Database_Version]

Version=2005-07-11_01


Back to the Top


Description and Screenshot: Alexey Podrezov and Mikko Hypponen; June 12th, 2005;

F-Secure Corporation