
Trojan.Dropper.Delf.BAS


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Trojan.Dropper.Delf.BAS.

Explanation:

This file usually comes bundled with other types of malware. The file analyzed came with Backdoor.Agent.ZHQ. When executed, the dropper first resolves its imports and then checks whether it is being run by a malware analyst. It checks whether the registry value HKCU\Control Panel\SwapMouseButtons is set, checks for the existence of the folder Parallels tools in C:\Program Files\Parallels, checks whether its own file name is file.exe or sample.exe, and finally checks whether it can obtain a handle to SpieDll.dll. If none of these conditions is met, it goes on to decrypt the executable files from its resource section.
For each decompressed file it creates a suspended process, overwrites the image of that process with the file it has just decompressed, and then resumes the process (process hollowing).
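The two behaviours described above (analysis-environment probes, then process hollowing) are what a sandbox or EDR trace would expose, so here is an added detection heuristic over a constructed API-call trace; it is example code, not BitDefender's. Assumptions: the pipe-delimited trace format, the Win32 call names used for the hollowing steps (CreateProcess with CREATE_SUSPENDED, WriteProcessMemory, SetThreadContext, ResumeThread), and the extra Sandboxie DLL name "sbiedll.dll" listed beside the page's SpieDll.dll.

```python
# Added example (not BitDefender's code): detection heuristic for the behaviour
# described above, over a constructed "api|arg|..." one-call-per-line trace.
CREATE_SUSPENDED = 0x4
# Artefacts probed, keyed by the API that reveals the probe (from the text);
# "sbiedll.dll" (Sandboxie) is an assumption added next to "spiedll.dll".
ANALYSIS_PROBES = {
    "RegQueryValueEx": ("swapmousebuttons",),
    "GetFileAttributes": ("parallels tools",),
    "GetModuleHandle": ("spiedll.dll", "sbiedll.dll"),
}
# Expected order of calls against a suspended process: overwrite image, resume.
HOLLOW_STEPS = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")

def parse_trace(text):
    """Return (api, [args]) tuples from a pipe-delimited trace; '#' lines skipped."""
    return [(parts[0], parts[1:]) for parts in
            (ln.strip().split("|") for ln in text.splitlines())
            if parts[0] and not parts[0].startswith("#")]

def find_analysis_probes(calls):
    """Return (api, artefact) for every environment check seen in the trace."""
    return [(api, needle) for api, args in calls
            for needle in ANALYSIS_PROBES.get(api, ())
            if any(needle in a.lower() for a in args)]

def find_hollowed_pids(calls):
    """Return PIDs created suspended whose image was then replaced and resumed."""
    progress, hollowed = {}, []  # pid -> index of the next expected HOLLOW_STEPS entry
    for api, args in calls:
        if api == "CreateProcess" and len(args) >= 3:
            if int(args[1], 16) & CREATE_SUSPENDED:  # args: image, flags, pid
                progress[args[2]] = 0
        elif api in HOLLOW_STEPS and args and (pid := args[0]) in progress:
            if HOLLOW_STEPS[progress[pid]] == api:  # steps must arrive in order
                progress[pid] += 1
                if progress[pid] == len(HOLLOW_STEPS):
                    hollowed.append(pid)
                    del progress[pid]
    return hollowed

# Constructed trace: the three probes, then one process hollowed.
SAMPLE_TRACE = """\
RegQueryValueEx|HKCU\\Control Panel\\Mouse|SwapMouseButtons
GetFileAttributes|C:\\Program Files\\Parallels\\Parallels Tools
GetModuleHandle|SpieDll.dll
CreateProcess|C:\\Windows\\System32\\svchost.exe|0x4|1234
WriteProcessMemory|1234|0x400000
SetThreadContext|1234
ResumeThread|1234
"""
```

A trace that omits the final ResumeThread, or creates the process without CREATE_SUSPENDED, yields no hollowed PID, which keeps ordinary child-process creation out of the alert.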

Last update 21 November 2011
