Malicious Software Encyclopedia: TrojanDownloader:Win32/Delf.DH
Published:
December 1, 2005
TrojanDownloader:Win32/Delf.DH is a Trojan downloader that targets Microsoft Windows. TrojanDownloader:Win32/Delf.DH then downloads TrojanDownloader:Win32/Delf.AH from a Web site to the infected computer.
Updated 12/1/2005: This Trojan is being distributed through an exploit of a vulnerability in Internet Explorer. When the user visits certain Web sites, a malicious script on those sites exploits the Internet Explorer vulnerability described in Microsoft Security Advisory 911302. The script then downloads TrojanDownloader:Win32/Delf.DH to the computer.
On This Page
Threat Overview
| Class/type | Trojan - Downloader
|
| Discovered | October 7, 2008 |
| Circulating | Yes |
| Affected operating systems | Windows NT 3.x
Windows NT 4.0
Windows 95
Windows 2000
Windows XP
Windows Server 2003
Windows ME
Windows 98
|
| Affected software |
Not specified
|
| Infection rating | Low |
| Recovery difficulty | Easy |
| Damage rating | Low |
| Transmission rating | Low |
Technical Analysis
When a user visits certain Web sites, a file named KVG.exe or keks.exe is automatically downloaded from the Web site to the user's Startup folder. This file is detected as TrojanDownloader:Win32/Delf.DH. This Trojan downloader then downloads and runs another Trojan downloader every five minutes and saves it in the Windows system folder as all.exe. This file is detected as TrojanDownloader:Win32/Delf.AH.
How to Prevent Infection
Take the following steps to help prevent infection on your system:
Consult Microsoft Security Advisory 911302.
Enable a firewall on your computer.
Get the latest computer updates.
Use up-to-date antivirus software.
Consult Microsoft Security Advisory 911302
Microsoft Security Advisory 911302 contains information about the Internet Explorer vulnerability that is exploited by malicious script on certain Web sites. For details, see the advisory at: http://www.microsoft.com/technet/security/advisory/911302.mspx
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
Click Start, and click Control Panel.
Click Network and Internet Connections, and click Network Connections. If you do not see Network and Internet Connections, click Switch to Category View.
Highlight a connection that you want to help protect, and click Change settings of this connection.
Click Advanced, and select Protect my computer and network by limiting or preventing access to this computer from the Internet.
Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Microsoft Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
Click Start, and click Control Panel.
Click Performance and Maintenance. If you do not see Performance and Maintenance, click Switch to Category View.
Click System.
Click Automatic Updates, and select Keep my computer up to date.
Select a setting. Microsoft recommends selecting Automatically download the updates, and install them on the schedule that I specify and setting a regular update time.
If you choose to have Automatic Updates notify you in step 5, you will see a notification balloon when new downloads are available to install. Click the notification balloon to review and install updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. You should always run antivirus software on your computer that is updated with the latest signature files to automatically help protect you from infection. If you don't have antivirus software installed, you can get it from one of several companies. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx
How to Tell If Your Computer Is Infected
There are no readily apparent indications that your computer is infected by TrojanDownloader:Win32/Delf.DH. However, the presence of a file named KVG.exe or keks.exe in your Startup folder may be a symptom of infection by this Trojan.
How to Recover from Infection
Automatic Recovery
To attempt to automatically remove this threat, run one of the following removal tools:
Manual RecoveryTo recover offline from infection by TrojanDownloader:Win32/Delf.DH, follow these steps:
Disconnect from the Internet.
Restart your computer in safe mode.
End the Trojan process.
Delete the Trojan file.
Remove the footprint of the malicious software all.exe that is downloaded to the Windows system folder by TrojanDownloader:Win32/Delf.DH.
Restart your computer.
Take steps to prevent re-infection.
Disconnect from the Internet
To help ensure that your computer is not actively infecting other computers, disconnect it from the Internet before proceeding. Print this Web page or save a copy on your computer; then unplug your network cable and disable your wireless connection. You can reconnect to the Internet after completing these steps.
Restart your computer in safe mode
To start your the computer in safe mode
Remove all floppy disks and CDs from your computer, and then restart your computer.
When prompted, press F8. If Windows starts without displaying the Please select the operating system to start menu, restart your computer. Press F8 after the firmware POST process completes, but before Windows displays graphical output.
From the Windows Advanced Options menu, select a safe mode option.
End the Trojan process
To end the Trojan process
Press CTRL+ALT+DEL once and click Task Manager.
Click Processes and click Image Name to sort the running processes by name.
Select process kvg.exe or keks.exe if it is in the list, and click End Process.
Delete the Trojan file
To delete the Trojan file
Click Start, and click Run.
In the Open field, type the path to the user's Startup folder, for example:
C:\Documents and Settings\<username>\Start Menu\Programs\Startup
Click OK.
Click Name to sort files by name.
If a file named kvg.exe or keks.exe is in the list, delete it.
On the Desktop, right-click the Recycle Bin and click Empty Recycle Bin.
Click Yes to confirm.
If deleting the file fails, follow these steps to verify that the corresponding process is not running:
Press CTRL+ALT+DEL once and click Task Manager.
Click Processes and click Image Name to sort the running processes by name.
Confirm that neither kvg.exe nor keks.exe is in the list.
Remove the footprint of the malicious software all.exe
TrojanDownloader:Win32/Delf.DH downloads the file all.exe to your computer. This is malicious software that is still on your computer after you recover from TrojanDownloader:Win32/Delf.DH. To complete a recovery from the actions of TrojanDownloader:Win32/Delf.DH, you must also remove the footprint created by all.exe.
Restart your computer
To restart your computer
On the Start menu, click Shut Down.
Select Restart from the drop-down list and click OK.
Take steps to prevent re-infection
Do not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Preventing Infection" section for more information.
Transmission Methods
| Method | Description |
|---|
| Social Engineering | Trojan is downloaded automatically when a user visits certain Web sites. |
| Exploits Vulnerability | Downloaded when a malicious script exploits the Internet Explorer vulnerability described in Microsoft Security Advisory 911302. |
Payload Information
| Payload type | Trigger | Description |
|---|
| Creates files | User merely visits certain Web sites. | <user's Startup folder>\KVG.exe or <user's Startup folder>\keks.exe |
| Compromises Security | User merely visits certain Web sites. | Downloads other malicious software from a Web site. |
Dropped Files
| Path | <user's Startup folder>\kvg.exe or keks.exe |
| File size | 9,728 bytes
to 9,728 bytes
|
| SHA1 hash | E28AEFD6962D2283F85D8E962F2E9979BA826623 |
| Packers | UPX |
