SpamTool.Win32.Delf.h

Aliases
SpamTool.Win32.Delf.h (Kaspersky Lab) is also known as: Spam-SPM (McAfee), Trojan.MailSpam (Doctor Web), Troj/Spexta-A (Sophos), TROJ_DONBOMB.A (Trend Micro), TR/Londrop (H+BEDV), Trojan.DonBomb.A (SOFTWIN), Trj/Bobin.A (Panda), Win32/SpamTool.Delf.H (Eset)
Detection added: Jul 13 2005
Description added: Feb 14 2006
Behavior: SpamTool
Platform: Win32
Technical details

This program is designed to send spam to email addresses harvested from the victim computer. The program is a Windows PE EXE file 82432 bytes in size, written in Delphi and packed using UPX. The unpacked file is 232448 bytes in size.

Installation

SpamTool.Win32.Delf.h arrives as an attachment to infected messages.

Infected messages:

Sender: CNN Newsletter

Message subject: TERROR HITS LONDON

Attachment name: LondonTerrorMovie.zip

The attached archive contains the following file:

London Terror Moovie.avi <multiple spaces> Checked By Norton Antivirus.exe

The long run of spaces pushes the real .exe extension out of the visible part of the file name in most mail clients and file managers, so the file appears to be an .avi video that has been "checked" by an antivirus product.
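The padded double-extension trick above is easy to catch at a mail gateway or in a sandbox once you look past the first extension. The following is an added example (not code from the encyclopedia entry or from Kaspersky Lab) that classifies attachment names by the real, final extension and reports when a decoy extension and a run of whitespace precede it; the sample names, the 60-space padding that stands in for "<multiple spaces>", and the extension lists are constructed for the example.

```python
import re

# Extensions Windows will execute when double-clicked (assumed list for the example).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Harmless-looking extensions commonly used as decoys (assumed list for the example).
DECOY_EXTS = {".avi", ".mpg", ".mpeg", ".jpg", ".gif", ".doc", ".pdf", ".txt", ".zip"}

# Constructed samples: the first reproduces the entry's attachment name with 60 spaces
# standing in for the "<multiple spaces>" placeholder.
SAMPLE_NAMES = [
    "London Terror Moovie.avi" + " " * 60 + "Checked By Norton Antivirus.exe",
    "report.pdf.exe",
    "holiday.avi",
    "setup.exe",
]

# A decoy extension followed by two or more spaces/tabs somewhere before the real one.
_PADDED_DECOY = re.compile(r"(\.[A-Za-z0-9]{2,4})([ \t]{2,})")
# A decoy extension immediately before the real one ("report.pdf.exe").
_TRAILING_DECOY = re.compile(r"(\.[A-Za-z0-9]{2,4})$")


def classify_attachment(name):
    """Classify a file name by its real (last) extension.

    Returns None for non-executables, otherwise a tuple
    (verdict, decoy_extension, real_extension, padding_length).
    """
    base, dot, ext = name.rpartition(".")
    real_ext = ("." + ext).lower() if dot else ""
    if real_ext not in EXECUTABLE_EXTS:
        return None
    m = _PADDED_DECOY.search(base)
    if m and m.group(1).lower() in DECOY_EXTS:
        return ("padded double extension", m.group(1).lower(), real_ext, len(m.group(2)))
    m = _TRAILING_DECOY.search(base)
    if m and m.group(1).lower() in DECOY_EXTS:
        return ("double extension", m.group(1).lower(), real_ext, 0)
    return ("executable", "", real_ext, 0)


def flag_attachments(names):
    """Return [(name, verdict)] for every name that is executable at all."""
    flagged = []
    for n in names:
        verdict = classify_attachment(n)
        if verdict is not None:
            flagged.append((n, verdict))
    return flagged


if __name__ == "__main__":
    for name, verdict in flag_attachments(SAMPLE_NAMES):
        print(repr(name[:40]), "->", verdict)
```

The check deliberately keys on the last extension only: whatever is displayed, Windows decides how to open the file from the final ".exe". Running the archive's file name through it yields a "padded double extension" verdict with .avi as the decoy, .exe as the real extension and the padding length, which is enough to quarantine the message outright.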

Once launched, the program copies itself to the Windows directory (%Windir%) under one of the following names:

  • %Windir%\ctflog.exe
  • %Windir%\explore.exe
  • %Windir%\inetinfomon.exe
  • %Windir%\MPM.exe
  • %Windir%\service.exe
  • %Windir%\winlogon.exe

To make the copy harder to spot in directory listings, it is given the Hidden, System and ReadOnly attributes.

SpamTool.Win32.Delf.h then registers itself in the system registry under the current user's Run key, so that it is launched each time that user logs on to the victim machine:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "<file name without extension> manager" = "%Windir%\<file name>"
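The drop names, the attribute set and the Run value pattern above together make a usable host indicator. The following is an added example (not part of the encyclopedia entry and not Kaspersky Lab code) that checks a registry export of the HKCU Run key and a file-attribute listing for exactly that pattern. The .reg text and the attrib-style listing are constructed samples; the assumption that the export shows paths with %Windir% already expanded to C:\WINDOWS, and the attrib column layout, are assumptions of the example.

```python
import re
from pathlib import PureWindowsPath

# File names the trojan drops into %Windir%, from the encyclopedia entry.
DROP_NAMES = {"ctflog.exe", "explore.exe", "inetinfomon.exe",
              "mpm.exe", "service.exe", "winlogon.exe"}

# Constructed sample of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
# Assumption: paths appear expanded, with C:\WINDOWS standing in for %Windir%.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"winlogon manager"="C:\\WINDOWS\\winlogon.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Constructed sample of `attrib C:\WINDOWS\*.exe` output: attribute letters, then the path.
SAMPLE_ATTRIB = """A  SHR     C:\\WINDOWS\\winlogon.exe
A           C:\\WINDOWS\\explorer.exe
A           C:\\WINDOWS\\notepad.exe
"""

_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
_ATTRIB_LINE = re.compile(r"^(?P<flags>[A-Z ]+?)\s+(?P<path>[A-Za-z]:\\.*)$")


def parse_run_values(reg_text):
    """Yield (value_name, data) from a .reg export, unescaping doubled backslashes."""
    for line in reg_text.splitlines():
        m = _REG_VALUE.match(line.strip())
        if m:
            yield m.group("name"), m.group("data").replace("\\\\", "\\")


def suspicious_run_values(reg_text, windir=r"C:\WINDOWS"):
    """Run values shaped like '<stem> manager' = '<windir>\\<stem>.exe' with a known drop name."""
    hits = []
    for name, data in parse_run_values(reg_text):
        exe = data.split(" /", 1)[0]          # strip trailing command-line arguments
        p = PureWindowsPath(exe)
        if (p.name.lower() in DROP_NAMES
                and str(p.parent).lower() == windir.lower()
                and name.lower() == f"{p.stem.lower()} manager"):
            hits.append((name, data))
    return hits


def hidden_system_drops(attrib_text):
    """Paths from attrib output that carry H, S and R and use one of the drop names."""
    found = []
    for line in attrib_text.splitlines():
        m = _ATTRIB_LINE.match(line)
        if not m:
            continue
        flags = set(m.group("flags").replace(" ", ""))
        path = PureWindowsPath(m.group("path"))
        if {"H", "S", "R"} <= flags and path.name.lower() in DROP_NAMES:
            found.append(str(path))
    return found


if __name__ == "__main__":
    print("Run key:", suspicious_run_values(SAMPLE_REG_EXPORT))
    print("Attributes:", hidden_system_drops(SAMPLE_ATTRIB))
```

Two caveats when using this on a real host. The names are chosen to blend in: a genuine winlogon.exe lives in %Windir%\System32, not directly in %Windir%, so a winlogon.exe at the top of the Windows directory is suspicious on its own, whereas service.exe or explore.exe may need the attribute check to stand out. And because the persistence is in HKCU, an export taken under a different user account than the one that opened the attachment will not show the value.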

Payload

This program can be used to send spam to email addresses harvested from the victim computer, and also to addresses created from random combinations of the elements below:

Name:

  • about
  • abrupt
  • acetic
  • actinolite
  • Alana
  • Alexandria
  • Alvarado
  • anarch
  • apocryphal
  • blacksmith
  • blown
  • bolometer
  • Caldwell
  • Carlos
  • Carson
  • codfish
  • crystallite
  • Cummings
  • Curtis
  • dairymen
  • David
  • deducible
  • Dee
  • detour
  • diffusible
  • diurnal
  • Edward
  • Ellis
  • Fernandez
  • french
  • frostbite
  • Hillary
  • Hudson
  • hydrochemistry
  • Ivan
  • Jimenez
  • Kenneth
  • loretta
  • Luisa
  • mail-hub
  • mail-relay
  • Malinda
  • Mark
  • Martinez
  • Mccoy
  • Mckinney
  • mentor
  • Oliver
  • reactionary
  • relay
  • relay1
  • relay2
  • Ronald
  • Scott
  • Sharp
  • slovakia
  • Thomas
  • Torres
  • Victor
  • Wagner
  • Walton
  • Williams
  • wooden
  • zeus

Domain:

  • @aol.com
  • @hotmail.com
  • @msn.com
  • @yahoo.com
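Because the generated recipients are drawn from a fixed name list and four domains, the whole target space is only 256 addresses, and a mail server that sees a client repeatedly addressing those exact combinations has a strong indicator that the client is an infected host. The following is an added example (not from the encyclopedia entry or Kaspersky Lab) that builds the dictionary from the lists above and counts hits per source IP in Postfix-style log lines. That an address is formed by plain concatenation of a name and a domain element is an assumption (the domain elements already carry the "@"); the log lines and IP addresses are constructed.

```python
import random
import re
from collections import Counter

# Name and domain elements exactly as listed in the encyclopedia entry.
NAMES = """about abrupt acetic actinolite Alana Alexandria Alvarado anarch apocryphal
blacksmith blown bolometer Caldwell Carlos Carson codfish crystallite Cummings Curtis
dairymen David deducible Dee detour diffusible diurnal Edward Ellis Fernandez french
frostbite Hillary Hudson hydrochemistry Ivan Jimenez Kenneth loretta Luisa mail-hub
mail-relay Malinda Mark Martinez Mccoy Mckinney mentor Oliver reactionary relay relay1
relay2 Ronald Scott Sharp slovakia Thomas Torres Victor Wagner Walton Williams wooden
zeus""".split()
DOMAINS = ["@aol.com", "@hotmail.com", "@msn.com", "@yahoo.com"]


def random_target(rng=random):
    """One address as the entry describes: a random name joined to a random domain.
    Plain concatenation is an assumption of this example."""
    return rng.choice(NAMES) + rng.choice(DOMAINS)


def target_dictionary():
    """Every address the generator can produce (64 names x 4 domains), lower-cased."""
    return {(n + d).lower() for n in NAMES for d in DOMAINS}


# Constructed Postfix-style reject lines; IPs are from documentation ranges.
SAMPLE_LOG = [
    "Jul 13 10:01:02 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: "
    "550 5.1.1 <relay1@aol.com>: Recipient address rejected: User unknown; "
    "from=<news@example.net> to=<relay1@aol.com> proto=ESMTP",
    "Jul 13 10:01:03 mx1 postfix/smtpd[1235]: 4F2A1: client=mail[198.51.100.4]; "
    "from=<alice@example.org> to=<alice@example.org> proto=ESMTP",
    "Jul 13 10:01:04 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: "
    "550 5.1.1 <Carlos@hotmail.com>: Recipient address rejected: User unknown; "
    "from=<news@example.net> to=<Carlos@hotmail.com> proto=ESMTP",
    "Jul 13 10:01:05 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: "
    "550 5.1.1 <blacksmith@yahoo.com>: Recipient address rejected: User unknown; "
    "from=<news@example.net> to=<blacksmith@yahoo.com> proto=ESMTP",
    "Jul 13 10:01:06 mx1 postfix/smtpd[1235]: 4F2A2: client=mail[198.51.100.4]; "
    "from=<bob@example.org> to=<bob@msn.com> proto=ESMTP",
]

_RCPT = re.compile(r"to=<([^>]+)>")
_SRC = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def dictionary_hits(lines, dictionary=None):
    """Return (matched_addresses, hits_per_source_ip) for recipients that fall
    inside the generated-address dictionary."""
    dictionary = dictionary or target_dictionary()
    matched, per_ip = [], Counter()
    for line in lines:
        r = _RCPT.search(line)
        if not r:
            continue
        addr = r.group(1).lower()
        if addr in dictionary:
            matched.append(addr)
            s = _SRC.search(line)
            if s:
                per_ip[s.group(1)] += 1
    return matched, per_ip


if __name__ == "__main__":
    print("dictionary size:", len(target_dictionary()))
    print("sample target:", random_target())
    matched, per_ip = dictionary_hits(SAMPLE_LOG)
    print("hits:", matched)
    print("per source:", dict(per_ip))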

The program is also able to download other malicious programs via the Internet and launch them on the victim machine.

 

Copyright © 1996 - 2010
Kaspersky Lab