Backdoor.Win32.Delf.as
(Backdoor.Win32.Delf.as)

by ?

Original name unknown

Written in Delphi, compressed with UPX

more in this category


Backdoor.Win32.Delf.as:

dropped file:
c:\WINDOWS\kernel32.exe
size: 235,520 bytes 

startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
old data: Explorer.exe 
new data: explorer.exe C:\WINDOWS\kernel32.exe 

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "load"
old data: 
new data: C:\WINDOWS\kernel32.exe 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows"
data: C:\WINDOWS\kernel32.exe 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Windows"
data: C:\WINDOWS\kernel32.exe 

port: 113 TCP

attempts to connect to an IRC Server

tested on Windows XP
April 01, 2005

MegaSecurity