Virus

W32/Deloder.A

Analysis

  • Virus is 32 bit and has a compressed size of 745,984 bytes
  • When executed, virus searches the network by implementing instructions across available SMB client protocol, seeking other client targets which may have shares on IPC$ (typically Windows 2000/XP), C$ or Admin$
  • Virus attempts to gain access to these systems by attempting to guess passwords using a table of names to try, in a “brute-force” method – once virus gains access to the target, it attempts to copy itself to these target systems as “dvldr32.exe” into a hard-coded path
  • If virus is executed either by its own initiated process or manually, it will extract other files, including a non-malicious tool named “PSEXEC.EXE” and also a remote access Trojan named “INST.EXE” – these files will be extracted in the same folder as the virus resides
  • The virus may copy additional files into the Windows\Fonts folder in an effort to conceal itself –

    c:\WINNT\Fonts\explorer.exe
    c:\WINNT\Fonts\omnithread_rt.dll
    c:\WINNT\Fonts\rundll32.exe
    c:\WINNT\Fonts\VNCHooks.dll

  • Virus may also modify the registry to load at Windows startup –

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run\
    "messnger" = [path]\dvldr32.exe
    "Explorer" = Windows\Fonts\explorer.exe
    "TaskMan" = Windows\Fonts\rundll32.exe