Threat Encyclopedia


Win32/Spy.Delf.OKH

Aliases: W32/Banload.E.gen!Eldorado (F-Prot), Trojan.PWS.Banker.origin (Dr. Web)
Type of infiltration: Trojan
Size: 389120 B
Affected platforms: Microsoft Windows
Signature database version: 5371 (20100816)

Short description

Win32/Spy.Delf.OKH is a trojan that steals sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan creates the following files:
  • C:\WINDOWS\system32\prikas.bat
  • C:\WINDOWS\system32\heslo.bat
  • C:\WINDOWS\system32\formatd.bat
  • C:\WINDOWS\system32\format.bat
The trojan creates the following folder:
  • C:\WINDOWS\system32\pistoj
The following file is dropped into the C:\WINDOWS\system32\pistoj folder:
  • nazov.txt
It downloads the other part of the infiltration.

The file is stored in the following location:
  • C:\WINDOWS\system32\pistoj\frajerka.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "frajerka" = "C:\WINDOWS\system32\pistoj\frajerka.exe"

Other information

The trojan connects to the following addresses:
  • http://www.hackeri.tym.sk
It tries to download several files from the address.

The files are saved into the following folder:
  • C:\WINDOWS\system32\pistoj
The following filenames are used:
  • formatd.txt
  • format.txt
  • spusti.txt
  • frajerka.exe
The trojan may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "heslo" = "C:\WINDOWS\system32\heslo.bat"
    "ImagePath" = "%homedrive%\WINDOWS\system_32.bat"
    "formatd" = "C:\WINDOWS\system32\formatd.bat"
    "format" = "C:\WINDOWS\system32\format.bat"
The trojan may create the following files:
  • %homedrive%\WINDOWS\y.reg
  • %homedrive%\WINDOWS\system_32.bat
The trojan may delete files stored in the following folders:
  • D:
  • %homedrive%
Logon passwords of some users may be changed to the following:
  • mojkar
The trojan collects the following information:
  • computer name
The trojan sends the information via e-mail. The trojan contains a list of (1) addresses.
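The persistence entries and dropped files listed above can be swept for on a host with a read-only check. The following PowerShell script is an added example, not part of the ESET entry: the value names and file paths come from the description, while the use of $env:SystemRoot and $env:HOMEDRIVE in place of the literal C:\WINDOWS and %homedrive% is this example's own generalisation.

```powershell
# Added example: sweep the local host for the Win32/Spy.Delf.OKH indicators
# described in the entry. Read-only: it reports findings and changes nothing.
$RunKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
# Run-key value names the entry says the trojan sets.
$ValueNames = 'frajerka', 'heslo', 'ImagePath', 'formatd', 'format'
# Dropped files from the entry; $env:SystemRoot / $env:HOMEDRIVE stand in for
# the literal C:\WINDOWS and %homedrive% (assumption of this example).
$DroppedFolder = Join-Path $env:SystemRoot 'system32\pistoj'
$DroppedFiles = @(
    (Join-Path $env:SystemRoot 'system32\prikas.bat'),
    (Join-Path $env:SystemRoot 'system32\heslo.bat'),
    (Join-Path $env:SystemRoot 'system32\formatd.bat'),
    (Join-Path $env:SystemRoot 'system32\format.bat'),
    (Join-Path $DroppedFolder 'nazov.txt'),
    (Join-Path $DroppedFolder 'frajerka.exe'),
    "$env:HOMEDRIVE\WINDOWS\y.reg",
    "$env:HOMEDRIVE\WINDOWS\system_32.bat"
)

function Find-SpyDelfOKHIndicators {
    $hits = @()
    # Registry: report any listed value name present under HKLM Run, with its data,
    # so the analyst sees exactly which file is being launched at start-up.
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($name in $ValueNames) {
            $prop = $run.PSObject.Properties[$name]
            if ($prop) {
                $hits += [pscustomobject]@{ Kind = 'RegistryRun'; Indicator = $name; Detail = $prop.Value }
            }
        }
    }
    # File system: dropped folder and files.
    if (Test-Path -LiteralPath $DroppedFolder -PathType Container) {
        $hits += [pscustomobject]@{ Kind = 'Folder'; Indicator = $DroppedFolder; Detail = '' }
    }
    foreach ($path in $DroppedFiles) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $size = (Get-Item -LiteralPath $path).Length
            $hits += [pscustomobject]@{ Kind = 'File'; Indicator = $path; Detail = "$size bytes" }
        }
    }
    return $hits
}

$results = Find-SpyDelfOKHIndicators
if ($results) { $results | Format-Table -AutoSize } else { 'No indicators found.' }
```

Run it from an elevated prompt so HKLM and the system32 folder are readable; any hit should be followed up with the full scan rather than treated as a complete cleanup.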