TrojanDownloader:Win32/Delf.GK
First posted on 13 May 2013.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Delf.GK is also known as Win32/Xema.worm.10752.Q (AhnLab), W32/Downldr2.CVY (Command), Email-Worm.Win32.Agent.c (Kaspersky), Virus.Win32.Zapchast.DA (Ikarus).
Explanation:
Installation
When it runs, the trojan creates a file named explorer.exe and injects itself into that file, in an effort to hide its presence on your computer.
If it finds older versions of itself on your computer, it deletes them. These older copies may have any of the following names:
- %windir%\system32\logunit.sys
- %windir%\system32\msnworm.exe
- %windrive%\foto_celular.scr
- %windrive%\foto_celular.zip
Payload
Downloads files
TrojanDownloader:Win32/Delf.GK attempts to download files, often other malware or updates to itself, to your computer.
It attempts to download install.exe from myserver.memebot.com.
If this download attempt fails, it tries to download setup.exe from myfotolog.memebot.com.
If this download attempt fails, it tries to download movie.wmv from sefudeu.memebot.com.
The downloaded file will be saved as %windir%\system32\msnworm.exe.
On successful download, the trojan will run this downloaded file.
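The file names, drop paths and download hosts listed in this entry are exactly the kind of indicators a responder turns into a triage check. The following script is an added example, not part of the Microsoft write-up: it expands the %windir% / %windrive% placeholders from the entry, checks a list of file paths for the dropped artifacts, and scans proxy-style log lines for the three download hosts in the order the trojan tries them. The Windows directory values, the log format and the sample log lines are constructed for the demonstration.

```python
# Added example (not from the original entry): turn the indicators in the
# write-up into a simple host and proxy-log triage check.
from typing import Iterable, List, Optional, Tuple

# File artifacts named in the entry, with the environment variables left symbolic.
ARTIFACT_PATHS = [
    r"%windir%\system32\logunit.sys",
    r"%windir%\system32\msnworm.exe",
    r"%windrive%\foto_celular.scr",
    r"%windrive%\foto_celular.zip",
]

# Download hosts and file names named in the entry, in the order the trojan
# tries them (each one is a fallback for the previous one).
DOWNLOAD_SOURCES = [
    ("myserver.memebot.com", "install.exe"),
    ("myfotolog.memebot.com", "setup.exe"),
    ("sefudeu.memebot.com", "movie.wmv"),
]


def expand_windows_vars(path: str, windir: str = r"C:\Windows", windrive: str = "C:") -> str:
    """Resolve the %windir% / %windrive% placeholders used in the entry.

    The default values are assumptions for the demo; a real check would read
    them from the environment of the host being examined.
    """
    return path.replace("%windir%", windir).replace("%windrive%", windrive)


def check_file_artifacts(existing_files: Iterable[str],
                         windir: str = r"C:\Windows", windrive: str = "C:") -> List[str]:
    """Return the expanded artifact paths that appear in existing_files.

    Comparison is case-insensitive because NTFS paths are.
    """
    present = {p.lower() for p in existing_files}
    hits = []
    for raw in ARTIFACT_PATHS:
        full = expand_windows_vars(raw, windir, windrive)
        if full.lower() in present:
            hits.append(full)
    return hits


def scan_proxy_log(lines: Iterable[str]) -> List[Tuple[int, str, Optional[str]]]:
    """Flag log lines that reference any download host from the entry.

    Returns (line_number, host, file_name) tuples; file_name is None when the
    host appears but the expected file name does not.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for host, fname in DOWNLOAD_SOURCES:
            if host in low:
                hits.append((n, host, fname if fname.lower() in low else None))
    return hits


# Constructed sample inputs for the demo (not real telemetry).
SAMPLE_FILES = [
    r"C:\Windows\notepad.exe",
    r"C:\Windows\System32\msnworm.exe",
    r"C:\foto_celular.zip",
]
SAMPLE_PROXY_LOG = [
    "2013-05-13 10:01:02 10.0.0.5 GET http://www.example.com/index.html 200",
    "2013-05-13 10:01:09 10.0.0.5 GET http://myserver.memebot.com/install.exe 404",
    "2013-05-13 10:01:11 10.0.0.5 GET http://myfotolog.memebot.com/setup.exe 200",
]

if __name__ == "__main__":
    for path in check_file_artifacts(SAMPLE_FILES):
        print("artifact present:", path)
    for n, host, fname in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {n}: contact with {host}" + (f" ({fname})" if fname else ""))
```

The second finding in the sample log is the more telling one: a request to the fallback host shortly after a failed request to the first host matches the download chain described above, which is a stronger signal than either host alone.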
Analysis by Marian Radu
Last update 13 May 2013