Home / malware

PDF

VirTool:Win32/DelfInject

First posted on 07 October 2013.
Source: Microsoft

Aliases :

There are no other names known for VirTool:Win32/DelfInject.

Explanation :

Threat behavior

Installation

VirTool:Win32/DelfInject drops itself using a random file name (such as "xpxnqdv.exe") in the %APPDATA%\Microsoft\Windows folder.

It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random value>" (for example, "B5XWlRZ5/ql2chDjTA")
WIth data: "%AppData%\microsoft\windows\xpxnqdv.exe"

It then runs the legitimate file "<system folder>\rundll32.exe" and injects a thread into it to delete its originally running EXE file.

Before it runs, VirTool:Win32/DelfInject checks your PC for certain security software. If any are found, it stops running.

Payload

Downloads files

VirTool:Win32/DelfInject injects code into "svchost.exe" so it can connect to certain servers and download files. One of the servers that it is known to connect to is "cate<removed>ksys.info".

At the time of this analysis the files are not available for download.



Analysis by Mihai Calota

Symptoms

Alerts from your security software may be the only symptom.

Last update 07 October 2013

 

TOP