Backdoor.Delf

Discovered: August 07, 2002
Updated: August 07, 2002 3:03:13 PM
Systems Affected: Windows

Backdoor.Delf is a typical back door server program that allows a remote user to control the compromised system. It will also terminate the processes of several antivirus and security packages.


Technical Description

Backdoor.Delf is a back door server program that allows a remote attacker to control the compromised system. It also sends the compromised user's Windows and dial-up passwords to the remote attacker.

When the back door is executed, it will copy itself to the following file:
%windir%\System32\Scanvegw.exe

It then creates the following registry entries so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Windows Service

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce\Windows Service

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Service

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Service
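As an added example that is not part of this write-up, the following PowerShell snippet checks a host for the persistence artifacts listed above. The four key paths and the dropped file name come from the text; it assumes, as the notation above suggests, that the entry under each key is a value named "Windows Service" (run from an elevated session).

```powershell
# Added example (not from the advisory): look for the Backdoor.Delf
# persistence artifacts described above and report anything found.

# Assumed value name under each Run key, per the advisory's "key\Windows Service" notation
$valueName = 'Windows Service'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Dropped copy named in the advisory (%windir%\System32\Scanvegw.exe)
$droppedFile = Join-Path $env:windir 'System32\Scanvegw.exe'

$findings = @()

foreach ($key in $runKeys) {
    # RunServices keys do not exist on every Windows version; skip missing keys
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item -and ($item.PSObject.Properties.Name -contains $valueName)) {
        $findings += [pscustomobject]@{
            Artifact = 'Registry value'
            Location = "$key\$valueName"
            Data     = $item.$valueName   # command line the value points at
        }
    }
}

if (Test-Path $droppedFile) {
    $findings += [pscustomobject]@{
        Artifact = 'Dropped file'
        Location = $droppedFile
        Data     = (Get-FileHash -Path $droppedFile -Algorithm SHA256).Hash
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor.Delf persistence artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the registry value alone is worth reviewing even if the file is absent, since the value's data shows what the autostart entry currently launches.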

The back door also terminates the processes of the following antivirus and security programs:
_Avp32.exe
_Avpcc.exe
_Avpm.exe
Avp32.exe
Avpcc.exe
Avconsol.exe
Avpm.exe
Kavi.exe
Ants.exe
Anti-Trojan.exe
Avpexec.exe
Alertsvc.exe
Amon.exe
Avp.exe
Spider.exe
Drweb32w.exe
Spidernt.exe
Drwebwcl.exe
Zapro.exe
Smc.exe
Navapw32.exe
Navw32.exe
Icload95.exe
Icmon.exe
Icsupp95.exe
Icloadnt.exe
Icsuppnt.exe
Iface.exe
Iamapp.exe
Iamserv.exe
Frw.exe
Blackice.exe
Blackd.exe
Zonealarm.exe
Vsmon.exe
Wrctrl.exe
Wradmin.exe
Cleaner3.exe
Cleaner.exe
Tca.exe
Moolive.exe
Lockdown2000.exe
Sphinx.exe
Vshwin32.exe
Vsecomr.exe
Webscanx.exe
Vsstat.exe