[virusinfo] Troj/Delbot-B

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Tue, 19 Apr 2005 08:51:08 -0700

From: Sophos Alert System:

Name: Troj/Delbot-B
Type: Trojan
Date: 19 April 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2005 (3.94) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this Trojan from the wild.


Information about Troj/Delbot-B can be found at:
http://www.sophos.com/virusinfo/analyses/trojdelbotb.html

Troj/Delbot-B is an IRC backdoor Trojan for the Windows platform.
Troj/Delbot-B will connect to a preconfigured server and open up a backdoor,
allowing unauthorised remote access to remote attackers. The Trojan can receive
commands from the attacker to control the infected computer. The Trojan can be
instructed to:
  - Download code
  - Participate in DDoS
  - Send email
  - Shut down the infected system
  - Start and stop processes
Troj/Delbot-B will copy itself to the Windows folder as cftmon.exe and mirc.dll
and periodically set the following registry entry in case it is removed:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  ctfmon
  "<Windows folder>\cftmon.exe"
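A triage check for the persistence entry above, added here as an example and not part of the Sophos advisory or Mike's post: it parses a constructed `reg query` dump of the Run key and flags the value named after the legitimate Text Services host ctfmon.exe that instead launches the letter-swapped cftmon.exe from the Windows folder (the sample dump and the helper names are assumptions).

```python
import re

# Constructed sample in the layout `reg query` prints for the Run key; the
# "ctfmon" line reproduces the Delbot-B entry from the advisory.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan     REG_SZ    C:\WINDOWS\SOUNDMAN.EXE
    ctfmon       REG_SZ    "C:\WINDOWS\cftmon.exe"
    Adobe ARM    REG_SZ    "C:\Program Files\Adobe\ARM\AdobeARM.exe"
"""

# Delbot-B names its value "ctfmon" after the legitimate Text Services host,
# but points it at a letter-swapped file in the Windows folder, not System32.
LEGIT_NAME = "ctfmon.exe"
LEGIT_DIR = "\\system32\\"

def parse_reg_query(text):
    """Yield (value_name, data) pairs from `reg query` style output."""
    for line in text.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", line)
        if m:
            yield m.group(1), m.group(2)

def split_command(data):
    """Return (exe_basename, full_path), lower-cased; quoted paths handled."""
    path = data.strip().strip('"').split('"')[0]
    return path.rsplit("\\", 1)[-1].lower(), path.lower()

def is_near_miss(name, legit):
    """One substituted character or two adjacent swapped (cftmon vs ctfmon)."""
    if name == legit or len(name) != len(legit):
        return False
    diffs = [i for i, (a, b) in enumerate(zip(name, legit)) if a != b]
    if len(diffs) == 1:
        return True
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and name[diffs[0]] == legit[diffs[1]]
            and name[diffs[1]] == legit[diffs[0]])

def suspicious_run_entries(text):
    """Return (value_name, data) for Run entries matching the masquerade."""
    hits = []
    for name, data in parse_reg_query(text):
        exe, path = split_command(data)
        # value named ctfmon but not running ctfmon.exe, a near-miss filename,
        # or the genuine filename launched from outside System32
        spoofed_name = name.lower() == "ctfmon" and exe != LEGIT_NAME
        wrong_dir = exe == LEGIT_NAME and LEGIT_DIR not in path
        if spoofed_name or wrong_dir or is_near_miss(exe, LEGIT_NAME):
            hits.append((name, data))
    return hits
```

Run `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run > run.txt` on the suspect machine and feed the file's contents to `suspicious_run_entries`; HKCU's Run key deserves the same pass.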
Troj/Delbot-B may attempt to terminate processes associated with the following 
executables: 
Troj/Delbot-B will also drop two files to the Windows folder, 0.0 (harmless) and
br.dll (detected as Troj/Delbot-B).

This IDE file also includes detection for:

Troj/Deldoc-B
http://www.sophos.com/virusinfo/analyses/trojdeldocb.html
Troj/PcClient-E
http://www.sophos.com/virusinfo/analyses/trojpccliente.html
Troj/Clicker-DR
http://www.sophos.com/virusinfo/analyses/trojclickerdr.html
Troj/Multidr-DK
http://www.sophos.com/virusinfo/analyses/trojmultidrdk.html
Troj/Dloader-LY
http://www.sophos.com/virusinfo/analyses/trojdloaderly.html
XM97/Delun-A
http://www.sophos.com/virusinfo/analyses/xm97deluna.html
Troj/Hobbes-A
http://www.sophos.com/virusinfo/analyses/trojhobbesa.html
Troj/MultiDr-DJ
http://www.sophos.com/virusinfo/analyses/trojmultidrdj.html
Troj/LdPinch-AV
http://www.sophos.com/virusinfo/analyses/trojldpinchav.html
Troj/Bancos-CI
http://www.sophos.com/virusinfo/analyses/trojbancosci.html
Troj/Dloader-MC
http://www.sophos.com/virusinfo/analyses/trojdloadermc.html
Troj/Dloader-MA
http://www.sophos.com/virusinfo/analyses/trojdloaderma.html
Troj/Dropper-AK
http://www.sophos.com/virusinfo/analyses/trojdropperak.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/delbot-b.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member


