[/QUOTE]Backdoor.Win32.Delf.vb[QUOTE]
This Trojan program provides a remote malicious user with full control over the infected machine. The Trojan itself is a Windows PE EXE file, written in Borland Delphi and packed using ASPack. The packed file is approximately 293KB in size, and the unpacked file is approximately 795KB in size.
Once launched, the program creates a file called ?glduid.dll? in the Windows system directory:
%System%\glduid.dll
The program functions either as a standard application, or, if the victim machine is running Windows NT/2000/XP, as a service called ?Network Host Controller?.
If it is running as a service, the program will create the following registry branch:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl Set\Services\nethost]
If the victim machine is running Windows 95.98.ME, the Trojan will create the following registry value:
[HKCU\Software\Microsoft\Windows	 2;CurrentVersion\Run]
Network Host Controller
This ensures that the backdoor will be executed each time Windows is rebooted.
The backdoor connects to an IRC server via TCP port 3195 in order to receive commands from the remote malicious user.
Once the program has established a connection to an IRC server, the remote malicious user can cause the Trojan to scan other computers for open network resources, and for unpatched common vulnerabilities such as LSASS, DCOM, Microsoft IIS Extended Unicode Traversal vulnerability. The Trojan will be able to install itself on vulnerable machines.
The remote malicious user is able to download and install new versions of the Trojan, launch UDP, SYN and ICMP attacks on the infected computer, download, launch and delete files, terminate processes and access information about the infected computer and its users.
This Trojan program provides a remote malicious user with full control over the infected machine. The Trojan itself is a Windows PE EXE file, written in Borland Delphi and packed using ASPack. The packed file is approximately 293KB in size, and the unpacked file is approximately 795KB in size.
Once launched, the program creates a file called ?glduid.dll? in the Windows system directory:
%System%\glduid.dll
The program functions either as a standard application, or, if the victim machine is running Windows NT/2000/XP, as a service called ?Network Host Controller?.
If it is running as a service, the program will create the following registry branch:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl Set\Services\nethost]
If the victim machine is running Windows 95.98.ME, the Trojan will create the following registry value:
[HKCU\Software\Microsoft\Windows	 2;CurrentVersion\Run]
Network Host Controller
This ensures that the backdoor will be executed each time Windows is rebooted.
The backdoor connects to an IRC server via TCP port 3195 in order to receive commands from the remote malicious user.
Once the program has established a connection to an IRC server, the remote malicious user can cause the Trojan to scan other computers for open network resources, and for unpatched common vulnerabilities such as LSASS, DCOM, Microsoft IIS Extended Unicode Traversal vulnerability. The Trojan will be able to install itself on vulnerable machines.
The remote malicious user is able to download and install new versions of the Trojan, launch UDP, SYN and ICMP attacks on the infected computer, download, launch and delete files, terminate processes and access information about the infected computer and its users.