Backdoor.Win32.Delf.re
(Backdoor.Win32.Delf.re)

by ?

Original name unknown

Written in Delphi



dropped files:
c:\WINDOWS\system32\notepd.exe   Size: 113,152 bytes 
c:\WINDOWS\system32\QoSRSVP.exe  Size: 113,152 bytes 
c:\WINDOWS\system32\QQLdr.exe    Size: 113,152 bytes 

added to registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDPWD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDTCP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RDPWD\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDTCP\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\l
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDPWD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDTCP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPWD\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDTCP\Enum

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "load"
old data: 
new data: C:\WINDOWS\System32\QoSRSVP.exe 
	
HKEY_CLASSES_ROOT\txtfile\shell\open\command "(Default)"
old data: %SystemRoot%\system32\NOTEPAD.EXE %1 
new data: C:\WINDOWS\System32\notepd.exe %1 



tested on Windows XP
July 25, 2005

MegaSecurity