
VirTool:Win32/DelfInject


Microsoft security software detects and removes this threat.

This threat can download and run files on your PC.



What to do now

The following Microsoft security software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Threat behavior

Installation

VirTool:Win32/DelfInject drops itself using a random file name (such as "xpxnqdv.exe") in the %APPDATA%\Microsoft\Windows folder.

It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random value>" (for example, "B5XWlRZ5/ql2chDjTA")
With data: "%AppData%\microsoft\windows\xpxnqdv.exe"

It then runs the legitimate file "<system folder>\rundll32.exe" and injects a thread into it that deletes the EXE file the threat was originally run from.

Before it runs, VirTool:Win32/DelfInject checks your PC for certain security software. If any are found, it stops running.
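The persistence mechanism above (a Run value under HKCU pointing at a randomly named executable in %APPDATA%\Microsoft\Windows) can be checked for on a host without any vendor tooling. The PowerShell below is an added example, not code from the Microsoft entry: it enumerates the HKCU Run key, keeps only values whose target executable lives under that folder, and reports the raw data, whether the file still exists and its Authenticode status so an analyst can triage it. It reads and never deletes. The folder path and key are taken from the entry; the signature check is a general triage step, not something the entry describes.

```powershell
# Added example, not part of the Microsoft entry. Read-only triage of the
# persistence location this entry describes: HKCU Run values whose target
# executable sits under %APPDATA%\Microsoft\Windows. Prints a table for an
# analyst to review; it does not delete anything.

$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$suspectDir = Join-Path $env:APPDATA 'Microsoft\Windows'   # the folder named in the entry

function Get-SuspiciousRunEntry {
    param(
        [string]$KeyPath    = $runKey,
        [string]$SuspectDir = $suspectDir
    )
    if (-not (Test-Path -Path $KeyPath)) { return }
    $key = Get-Item -Path $KeyPath          # Microsoft.Win32.RegistryKey
    foreach ($name in $key.GetValueNames()) {
        # Read the raw data so "%AppData%" stays visible, then expand it ourselves.
        $raw = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($raw).Trim()
        # Keep only the executable path (up to the first ".exe"), dropping quotes and arguments.
        $exePath = if ($expanded -match '(?i)^"?(.*?\.exe)') { $Matches[1] } else { $expanded.Trim('"') }
        if ($exePath -notlike "$SuspectDir\*") { continue }   # -like is case-insensitive
        $exists = Test-Path -LiteralPath $exePath
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exePath).Status } else { 'FileMissing' }
        [pscustomobject]@{
            ValueName = $name
            RawData   = $raw
            Target    = $exePath
            Exists    = $exists
            Signature = $sig     # "Valid" for signed vendor software; "NotSigned" warrants a closer look
        }
    }
}

Get-SuspiciousRunEntry | Format-Table -AutoSize
```

A hit where the file is unsigned, or where the value name and file name are meaningless strings like the examples in the entry, is a lead for further analysis rather than a verdict; legitimate software rarely registers an executable from that folder, but the table is meant to be read by a person.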

Payload

Downloads files

VirTool:Win32/DelfInject injects code into "svchost.exe" so it can connect to certain servers and download files. One of the servers that it is known to connect to is "cate<removed>ksys.info".

At the time of this analysis the files are not available for download.
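Both host processes this entry names as injection targets, rundll32.exe and svchost.exe, can be given a quick point-in-time sanity check from PowerShell. The script below is an added example, not code from the Microsoft entry, and its two heuristics are general triage rules rather than indicators taken from the entry: rundll32.exe normally carries a "<dll>,<entry>" argument, and svchost.exe is normally started by services.exe. It assumes the CIM Win32_Process class is available, as it is on any supported Windows build.

```powershell
# Added example, not part of the Microsoft entry. Point-in-time look at the
# two host processes this entry names as injection targets. The heuristics are
# general triage rules, not indicators taken from the entry. Hits are leads for
# an analyst, not verdicts.

function Get-SuspiciousHostProcess {
    $procs = Get-CimInstance -ClassName Win32_Process
    # Index by PID so each process can look up its parent's name.
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        $reason     = $null
        switch -Regex ($p.Name) {
            '^rundll32\.exe$' {
                # A DLL host with nothing to load is a common sign of code injected into a blank instance.
                if ($p.CommandLine -notmatch '(?i)\.(dll|cpl|ocx)\b') {
                    $reason = 'rundll32.exe started without a DLL argument'
                }
            }
            '^svchost\.exe$' {
                if ($parentName -ne 'services.exe') {
                    $reason = "svchost.exe parent is $parentName, expected services.exe"
                }
            }
        }
        if ($reason) {
            [pscustomobject]@{
                ProcessId   = $p.ProcessId
                Parent      = $parentName
                CommandLine = $p.CommandLine
                Reason      = $reason
            }
        }
    }
}

Get-SuspiciousHostProcess | Format-Table -AutoSize -Wrap
```

The parent name comes from a PID lookup, so it can be wrong when the real parent has exited and its PID has since been reused; treat "<exited>" and unexpected parents as prompts to look at the process in a memory or EDR view rather than as proof of injection. Outbound connections from a flagged svchost.exe instance to unfamiliar hosts are the network side of the behaviour this entry describes.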

Analysis by Mihai Calota


Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.183.2523.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Nov 02, 2007
This entry was updated on: Oct 07, 2013

This threat is also detected as:
  • Trojan.DR.Injector!8ocyJC5SGmA (VirusBuster)
  • Trojan.DownLoader5.12990 (Dr.Web)
  • Win32/Delf.ODS trojan (ESET)
  • Virus.Win32.DelfInject (Ikarus)
  • Trojan-Dropper.Win32.Injector.uzb (Kaspersky)