Backdoor.Win32.Delf.zc

(Backdoor.Win32.Delf.zc)
by Gabman

Written in Delphi, compressed with FSG

Made in Thailand


dropped files:
c:\WINDOWS\mshost.exe    Size: 474,897 bytes
c:\WINDOWS\restore.vbs   Size: 179 bytes
c:\WINDOWS\xpcore.dll    Size: 50,688 bytes

deleted:
c:\WINDOWS\system32\Restore\MachineGuid.txt

ports: 7000, 7001, 7002 TCP

added to registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Service"
data: C:\WINDOWS\mshost.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCHINJDRV\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows "XP_CORE"


tested on Windows XP
October 21, 2005

MegaSecurity