Backdoor.Win32.Delf.gp
(Backdoor.Win32.Delf.gp)

by ?

Original Filename unknown

Written in Delphi

dropped files:
c:\WINDOWS\SYSTEM\winupdate.exe   size: 61.820 bytes 
c:\WINDOWS\SYSTEM\z_ins.lg        size: 49 bytes 

port: 1080, 32123 TCP

added to registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Kernel

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "winupdate.exe"
data: C:\WINDOWS\SYSTEM\winupdate.exe
  
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "winupdate.exe"
data: C:\WINDOWS\SYSTEM\winupdate.exe 

After a reboot, the backdoor tries to connect to an FTP server.

MegaSecurity