Threat Description



Category: Malware
Platform: W32
Aliases: Delf.h, SpamTool.Win32.Delf.h, London Bombing trojan, Spam-SPM trojan, Troj/Spexta-A, Trojan.Spexta, TROJ_DONBOMB.A


This remotely controlled trojan appeared on July 8th, 2005, just after terrorists attacked London. It was spead with an HTML-based e-mail that contained news about explosions.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The trojan is a PE executable file 82432 bytes long, packed with UPX file compressor.

The trojan was spread in e-mail messages that looked like that:

The trojan was sent in that e-mail as a ZIPped attachment named ''. The trojan's file name inside the archive was:

 London Terror Movie.avi      Checked By Norton Antivirus.exe  

When the trojan's file is run, it copies itself to Windows folder with one of the following names:

 ctflog.exe  explore.exe  inetinfomon.exe  MPM.exe  service.exe  winlog.exe  

The trojan sets read-only, hidden and system attributes to the copied file. Then the trojan adds a startup key value for its file to the Registry:

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]  " manager" = "%WinDir%\.exe"   


 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]  " manager" = "%WinDir%\.exe"   

where %WinDir% stands for Windows directory name and <filename> stands for the trojan's file name, for example:

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]  "inetinfomon manager" = "c:\windows\inetinfomon.exe"    


 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]  "inetinfomon manager" = "c:\windows\inetinfomon.exe"   

The trojan is used by spammers to send e-mails from infected computers. The trojan can be remotely controlled to send e-mail and to upgrade its file from Internet.

When sending spam e-mails, the trojan can generate fake sender's e-mail addresses automatically using the following string arrays:

 abrupt  acetic  actinolite  anarch  apocryphal  blacksmith  bolometer  codfish  crystallite  dairymen  deducible  detour  diffusible  diurnal  frostbite  hydrochemistry  loretta  mentor  reactionary  slovakia  french  wooden  Thomas  Edward  Kenneth  Ronald  Carlos  Victor  Oliver  Alexandria  Hillary  Malinda  Williams  Martinez  Torres  Hudson  Wagner  Fernandez  Curtis  Caldwell  Jimenez  Mckinney  Cummings  Walton  Alvarado  Carson  

The trojan uses the following fake mailer tags:

 The Bat! (v1.52f) Business  Microsoft Outlook Express 6.00.2600.0000  Microsoft Outlook Express 5.00.2615.200  MIME-tools 5.503 (Entity 5.501)  Microsoft Outlook Express 6.00.2462.0000  Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)  Microsoft Outlook, Build 10.0.2616  Microsoft Outlook, Build 10.0.2627  QUALCOMM Windows Eudora Version 5.1  Internet Mail Service (5.5.2650.21)  Microsoft Outlook Express 5.00.2919.6700  eGroups Message Poster  AOL 7.0 for Windows US sub 118  


F-Secure Anti-Virus detects this trojan with the following updates:

Detection Type: PC
Database: 2005-07-11_01

Description Details: Description and Screenshot:Alexey Podrezov and Mikko Hypponen; June 12th, 2005;