Backdoor - Delf: Threat Assessment

Backdoor.
Delf
Risk Level 1: Very Low
Discovered: August 5, 2002
Updated: February 13, 2007 11:39:53 AM
Type: Trojan Horse
Systems Affected: Windows 2000, Windows NT, Windows XP
Backdoor.Delf is a Backdoor Trojan that allows unauthorized access to the infected computer. It will also stop the process
of some antivirus and firewall software. Backdoor.Delf works only on Windows NT, 2000, and XP systems.
Threat Assessment
Wild
 Wild Level: Low

 Number of Infections: 0 - 49
 Number of Sites: 0 - 2
 Geographical Distribution: Low
 Threat Containment: Easy
 Removal: Easy
Damage
 Damage Level: Low
Distribution
 Distribution Level: Low
Writeup By: Gor Nazaryan
1. Update the virus definitions, run a full system scan, and delete all files that are detected as Backdoor.Delf.
2. Delete the value
Backdoor.Graybird!gen
Discovered: May 11, 2007
Updated: May 11, 2007 3:56:24 PM

Type: Trojan
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000
Backdoor.Graybird!gen is a generic detection that detects variants of the Backdoor.Graybird family of Trojans.
Threat Assessment
Wild
 Wild Level: Low

 Removal: Easy
Damage

 Payload: Opens a back door on the compromised computer.
Distribution
Writeup By: Liam O Murchu
1. Disable System Restore (Windows Me/XP).

2. Update the virus definitions.
3. Run a full system scan.
Backdoor.Trojan
Discovered: February 11, 1999
Updated: May 6, 2002 3:37:23 PM
Type: Trojan
Infection Length: Varies
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003,
Windows 2000
Backdoor.Trojan is a generic detection for Trojan horses that attempt to open a back door on compromised computers.
Threat Assessment
Wild
 Wild Level: Low

 Removal: Easy
Damage
 Damage Level: Medium

 Payload: Opens a back door
Distribution

 Disable System Restore (Windows Me/XP).
 Update the virus definitions.
 Run a full system scan.
Bloodhound.Exploit.281
Updated: October 13, 2009 7:48:39 AM
Also Known As: Trojan.Giframe [Symantec]
Type: Trojan, Worm
Systems Affected: Windows 2000, Windows NT, Windows Server 2003, Windows Vista, Windows XP
Bloodhound.Exploit.281 is a heuristic detection for files attempting to exploit the Microsoft GDI+ GIF File Parsing Remote
Code Execution Vulnerability (BID 31020).
Note: Virus definitions dated October 13, 2009 or earlier detect this threat as Trojan.Giframe.
Threat Assessment
Wild
 Wild Level: Low

 Removal: Easy
Damage
Distribution

Downloader
Discovered: June 8, 2001
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Downloader connects to the Internet and downloads other Trojan horses or components.
Note: Virus definitions dated June 1, 2006 or earlier may detect this threat as Download.Trojan.
Threat Assessment
Wild
 Wild Level: Low

 Removal: Easy
Damage
Distribution

3. Restart the computer in Safe mode (Windows 95/98/Me/2000/XP) or VGA mode (Windows NT).
4. Run a full system scan and delete all the files detected as Downloader.
5. Clear Internet Explorer History and files, if needed.
Hacktool.Keylogger
Type: Hack Tool
Risk Impact: Low
File Names: Hook.dll
Behavior
Hacktool.Keylogger is a hacktool that logs keystrokes on the compromised computer.
Symptoms
The presence of one or more files detected as Hacktool.Keylogger.
Transmission
This hacktool can be installed as part of a threat, such as a Trojan horse.

2. Run a full system scan and delete all the files detected as Hacktool.Keylogger.
IRC Trojan
Updated: June 7, 2007 9:58:19 PM
Type: Trojan
Infection Length: varies
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000
IRC Trojan is a general detection for Trojan horses that target compromised computers with Internet Relay Chat (IRC)
installed.
Threat Assessment
Wild
 Wild Level: Low

 Removal: Easy
Damage

 Payload: Opens a back door.
 Releases Confidential Info: May steal confidential system information as well as passwords.
 Degrades Performance: May shutdown and restart computer.
Distribution

Infostealer.Gampass
Discovered: November 12, 2006
Updated: March 16, 2007 7:51:32 AM

Also Known As: LIneage YI [Computer Associates], Bloodhound.KillAV [Symantec]
Type: Trojan
Windows 2000
Infostealer.Gampass is a generic detection for a Trojan horse that steals online game accounts, such as Lineage,
Ragnarok online, Rohan, and Rexue Jianghu.
Note: Virus definitions dated November 17, 2006 or later may detect this threat as Bloodhound.KillAV.
Threat Assessment
Wild
 Wild Level: Low

 Removal: Easy
Damage
Distribution
Writeup By: Kaoru Hayashi

4. Delete any values added to the registry.
JS.Exception.Exploit
Risk Level 2: Low
Updated: February 13, 2007 12:01:12 PM

Type: Trojan Horse
CVE References: CVE-2000-1061
JS.Exception.Exploit is a detection for an exploit that allows Java applets to perform various actions on your system if you
are using an older or unpatched version of Microsoft Internet Explorer.
In many cases, JS.Exception.Exploit may perform simple actions such as changing your Internet Explorer home page.
(This is one of the most common uses of this exploit.) It has been reported, but not confirmed, that some adware programs
use JS.Exception.Exploit to do this. As a result, your Symantec antivirus program may detect JS.Exception.Exploit when
the adware program displays a pop-up ad that uses the exploit.
IMPORTANT:
If your Symantec antivirus program alerts you to JS.Exception.Exploit, this means that it has stopped the exploit and
prevented it from running. It does not mean that your computer is "infected" with this threat. Rather, it means that the
antivirus program has stopped it. Because the exploit is usually not on your computer, in most cases you will not be able
to "delete" it, since there is nothing to delete.
To be sure that your computer is free of currently-known threats, we suggest that you run LiveUpdate and then run a full
system scan.
If you continue to receive alerts when pop-up ads are displayed, you need to determine what adware you have installed on
your computer, then disable or remove it. You may need to contact your computer vendor for assistance in identifying and
disabling advertising software. You can also obtain and run programs that are designed to detect and remove adware.
Threat Assessment
Wild
 Wild Level: High

 Number of Infections: More than 1000
 Number of Sites: More than 10
 Geographical Distribution: High
 Removal: Easy
Damage
Distribution

Writeup By: Patrick Nolan

2. Run a full system scan and delete all the files detected as JS.Exception.Exploit.
3. Delete the value that was added to the registry.
Trojan Horse
Updated: August 15, 2007 3:51:25 PM
Also Known As: Trojan-Spy.HTML.Smitfraud.c [Kaspersky], Phish-BankFraud.eml.a [McAfee], Trj/Citifraud.A [Panda Software],
generic5 [AVG]
Type: Trojan
Windows 2000
Trojan Horse is a generic detection for various Trojan horse programs.
Norton Internet Security/Norton Internet Protection users

If you are using either of these Symantec firewall programs, the name that the Trojan Block rule uses to prevent the Trojan
from being downloaded onto your computer is different than the name that Norton AntiVirus uses to detect the same
threat, if it were actually run on your computer or received in an email.
Norton Internet Security/Norton Internet Protection will block Trojan horse from being downloaded onto your computer
using the Block Rule GateCrasher.
Threat Assessment
Wild
 Wild Level: Low

 Removal: Easy
Damage

Distribution

 Run a full system scan and delete all the files detected.
 Delete any values added to the registry.
 Edit the Win.ini file.
 Edit the System.ini file.
 Clear the Temporary Internet Files folder.
VBS.Runauto
Threat Assessment
Wild
 Wild Level: Low

 Removal: Easy
Damage

 Payload: Copies itself to all drives on the compromised computer.
Distribution
Writeup By: Mircea Ciubotariu

W32.IRCBot
Discovered: July 8, 2002
Updated: October 29, 2008 6:41:54 PM
Also Known As: W32/IRCbot.worm.dll!95744 [McAfee]
Type: Trojan, Worm
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
W32.IRCBot is a back door Trojan horse that connects to an IRC server and awaits commands from a remote attacker, including
spreading through network shares, spam email messages, IRC channels and to other computers.
Threat Assessment
Wild
 Wild Level: Low

 Removal: Easy
Damage

 Payload: Opens a back door.
Distribution

W32.Imaut
Discovered: December 12, 2006
Updated: December 13, 2006 3:26:10 AM
Also Known As: IM-Worm.Win32.Sohanad.t [Kaspersky], W32/Sohana-R [Sophos]
Type: Worm
W32.Yautoit.N is a worm that spreads through Yahoo! Instant Messenger.
Note: Definitions before June 7, 2007 may detect this worm as W32.Yautoit.

W32.Imaut.AA
Detected As: W32.Imaut.AA
This threat is detected by the latest Virus Definitions.
All computer users should employ safe computing practices, including:
 Keeping your Virus Definitions updated.

 Installing Norton AntiVirus program updates, when available.
 Deleting suspicious looking emails.
You may also scan your PC for threats now, by using the free online Symantec Security Check.
To ensure complete protection against viruses and similar threats, please review Symantec's product offerings for
Home & Home Office, Small & Mid-Sized Business and Enterprise users.
Removal Instructions
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec
AntiVirus and Norton AntiVirus product lines.

3. Run a full system scan and delete all the files detected.
4. Submit the files to Symantec Security Response.
For specific details on each of these steps, read the following instructions.
W32.Imaut.N
Updated: December 13, 2006 3:26:10 AM
Also Known As: IM-Worm.Win32.Sohanad.t [Kaspersky], W32/Sohana-R [Sophos]
Type: Worm
W32.Yautoit.N is a worm that spreads through Yahoo! Instant Messenger.
Note: Definitions before June 7, 2007 may detect this worm as W32.Yautoit.N.

W32.Ircbrute
Updated: June 21, 2008 8:51:56 AM
Type: Worm
Infection Length: 12,506 bytes
Windows 2000
W32.Ircbrute is a worm that spreads by copying itself to removable drives. It also opens a back door on the compromised computer.

W32.Mabezat.B
Risk Level 2: Low
Updated: December 2, 2007 12:17:56 PM
Also Known As: W32/Mabezat-B [Sophos], Worm:W32/Mabezat.B [F-Secure]
Type: Worm
Infection Length: 154,751 bytes (exe), 32,768 bytes (DLL)
Windows 2000
W32.Mabezat.B is a worm that spreads through email, removable drives and network shares protected by weak passwords. It also
infects executable files and encrypts data files.
Threat Assessment
Wild
 Wild Level: Low

 Removal: Easy
Damage

 Large Scale E-mailing: Sends emails with attachments.
 Modifies Files: Encrypts files.
Distribution
 Distribution Level: High

 Subject of Email: Varies
 Name of Attachment: Varies
 Size of Attachment: Varies
 Shared Drives: Network shares protected by weak passwords and removable drives.
 Target of Infection: Executable files.
Writeup By: Elia Florio

W32.Mikbaland
Type: Worm
Windows 2000
W32.Mikbaland is a worm that copies itself to shared and removable drives. It may also download potentially malicious code on to
the compromised computer.
Threat Assessment
Wild
 Wild Level: Low

 Removal: Easy
Damage

 Payload: May also download potentially malicious code on to the compromised computer.
 Compromises Security Settings: Attempts to end processes, some of which may be security-related.
Distribution

 Target of Infection: Copies itself to shared and removable drives.
Writeup By: Shay Roe

2. Use the Security Response "Tool to reset shell\open\command registry subkeys."
W32.SillyDC
Discovered: October 4, 2006
Also Known As: Virus.Win32.Autorun.cu [Kaspersky], W32/Generic!Floppy [McAfee], Trj/TaskKill.A [Panda Software], Mal/VB-F
[Sophos], Worm/VB.BNI [AVG], TR/Agent.VB.AOA [Avira Antivir], Trojan.Agent.VB.AOA [BitDefender], Win32/Autorun.C [NOD32]
Type: Worm
W32.SillyDC is a generic detection that detects variants of the W32.Silly family of worms that spreads by copying itself to removable
media and may download other malicious applications.
Note: Symantec strongly recommends that customers take specific steps to control the execution of applications referenced in
autorun.inf files that may be located on removable and network drives. Threats such as this one frequently attempt to spread to
other computers using these avenues. Configuration changes made to a computer can limit the possibility of new threats
compromising it. For more information, see the following document:
How to prevent a virus from spreading using the "AutoRun" feature
Threat Assessment
Wild
 Wild Level: Low

 Removal: Easy
Damage
Distribution
 Submit the files to Symantec Security Response.
W32.SillyFDC
Type: Worm
W32.SillyFDC is a generic detection that detects variants of the W32.Silly family of worms that spread by copying itself to removable
media and may download other malicious applications.
Note: Symantec strongly recommends that customers take specific steps to control the execution of applications referenced in
autorun.inf files that may be located on removable and network drives. Threats such as this one frequently attempt to spread to
other computers using these avenues. Configuration changes made to a computer can limit the possibility of new threats
compromising it. For more information, see the following document:
How to prevent a virus from spreading using the "AutoRun" feature
Threat Assessment
Wild
 Wild Level: Low

 Removal: Easy
Damage

 Degrades Performance: Copying itself to various folder locations may degrade performance.
Distribution

 Target of Infection: Floppy drive.
 Delete any values added to the registry.
W32.Spybot.ATEW
Updated: August 9, 2007 6:48:47 AM
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista,
Windows XP
W32.Spybot.ATEW is a worm that spreads through network shares and by exploiting system vulnerabilities.
Symantec Security Response is currently investigating this threat and will post more information as it becomes available.
Threat Assessment
Wild
 Wild Level: Low

 Removal: Easy
Damage
Distribution
 Distribution Level: Medium
Writeup By: Hiroshi Shinotsuka
W32.Traxg@mm
Risk Level 2: Low
Discovered: April 26, 2004
Type: Worm
W32.Traxg@mm is a mass-mailing worm that sends itself to email addresses in the Microsoft Outlook address book.
The worm is written in Visual Basic.
Threat Assessment
Wild
 Wild Level: Low

 Removal: Easy
Damage
Distribution
 Distribution Level: High
Writeup By: Scott Gettis

3. Restart the computer in Safe mode or VGA mode.
4. Run a full system scan and delete all the files detected as W32.Traxg@mm.
5. Reverse the changes made to the registry.
6. Restore default Explorer settings. (Optional)

Backdoor - Delf: Threat Assessment

Uploaded by

Copyright:

Available Formats

Backdoor - Delf: Threat Assessment

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Backdoor - Delf: Threat Assessment

Uploaded by

Copyright:

Available Formats

Backdoor.

Updated: February 13, 2007 11:39:53 AM

Type: Trojan Horse

Systems Affected: Windows 2000, Windows NT, Windows XP

 Wild Level: Low

 Damage Level: Low

 Distribution Level: Low

Writeup By: Gor Nazaryan

Updated: May 11, 2007 3:56:24 PM

 Wild Level: Low

 Damage Level: Low

 Distribution Level: Low

Writeup By: Liam O Murchu

1. Disable System Restore (Windows Me/XP).

Updated: May 6, 2002 3:37:23 PM

Infection Length: Varies

 Wild Level: Low

 Damage Level: Medium

 Distribution Level: Low

Updated: October 13, 2009 7:48:39 AM

Also Known As: Trojan.Giframe [Symantec]

Type: Trojan, Worm

Infection Length: Varies

 Wild Level: Low

 Damage Level: Low

 Distribution Level: Low

Updated: February 13, 2007 11:50:11 AM

Type: Trojan Horse

 Wild Level: Low

 Distribution Level: Low

Writeup By: Gor Nazaryan

1. Disable System Restore (Windows Me/XP).

Type: Hack Tool

Risk Impact: Low

File Names: Hook.dll

Hacktool.Keylogger is a hacktool that logs keystrokes on the compromised computer.

The presence of one or more files detected as Hacktool.Keylogger.

This hacktool can be installed as part of a threat, such as a Trojan horse.

1. Update the virus definitions.

Updated: June 7, 2007 9:58:19 PM

Infection Length: varies

 Wild Level: Low

 Damage Level: Low

 Distribution Level: Low

Updated: March 16, 2007 7:51:32 AM

Infection Length: Varies

 Wild Level: Low

 Damage Level: Low

 Distribution Level: Low

Writeup By: Kaoru Hayashi

1. Disable System Restore (Windows Me/XP).

Updated: February 13, 2007 12:01:12 PM

CVE References: CVE-2000-1061

 Wild Level: High

 Damage Level: Low

 Distribution Level: Low

1. Update the virus definitions.

Updated: August 15, 2007 3:51:25 PM

Trojan Horse is a generic detection for various Trojan horse programs.