Threat behavior
TrojanDownloader:BAT/Delf.MP is a batch script and trojan component that attempts to disable certain security components and execute other malware.
Installation
This trojan may arrive embedded within a self-extracting archive or software package; the archive contains the following files:
- MlhrPltnd.bat - detected as TrojanDownloader:BAT/Delf.MP
- MlhrPltnd.exe - detected as TrojanDownloader:Win32/Delf.MP
- MlhrPltnd.pps
The file names mentioned above are variable, and may differ according to distributions of this trojan.
When run, the self-extracting archive drops the above-mentioned files and executes the batch script.
Payload
Disables certain security components
The batch script trojan checks for the presence of the security application AVG and, if it is found, disables it by renaming the application's main components:
- "avgupd.exe" is renamed to "avgklle.jar"
- "avgupd.dll" is renamed to "avgklld.jar"
In the wild, we have observed TrojanDownloader:BAT/Delf.MP running the trojan component "MlhrPltnd.exe" and then opening a PowerPoint slide show "MlhrPltnd.pps".
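As an added example (not part of this write-up and not the trojan's own script), the following Python scanner flags the anti-AVG behaviour described above in a batch file and checks a directory for the renamed components; the batch sample embedded in it is constructed to model the described behaviour, and the AVG directory path is whatever the caller supplies.

```python
import re
from pathlib import Path, PureWindowsPath

# Rename pairs documented for TrojanDownloader:BAT/Delf.MP (from the write-up above).
DELF_MP_RENAMES = {"avgupd.exe": "avgklle.jar", "avgupd.dll": "avgklld.jar"}

# One batch argument: a double-quoted string or a run of non-whitespace.
_ARG = r'(?:"(?P<{n}q>[^"]*)"|(?P<{n}>\S+))'
# ren/rename/move [/y] <source> <destination>, searched anywhere on the line so
# one-liners such as "if exist x ren x y" are caught too.
_RENAME_CMD = re.compile(
    r"\b(?:ren|rename|move)\b(?:\s+/y)?\s+" + _ARG.format(n="src")
    + r"\s+" + _ARG.format(n="dst"),
    re.IGNORECASE,
)


def find_av_tampering(batch_text: str) -> list[dict]:
    """One finding per line that renames/moves an AVG component; exact_match is
    True when the destination is the .jar name this family uses."""
    findings = []
    for lineno, line in enumerate(batch_text.splitlines(), start=1):
        m = _RENAME_CMD.search(line)
        if not m:
            continue
        # Strip any directory prefix so "C:\...\avgupd.exe" still matches.
        src = PureWindowsPath(m.group("srcq") or m.group("src")).name.lower()
        dst = PureWindowsPath(m.group("dstq") or m.group("dst")).name.lower()
        if src in DELF_MP_RENAMES:
            findings.append({"line": lineno, "source": src, "target": dst,
                             "exact_match": DELF_MP_RENAMES[src] == dst})
    return findings


def renamed_artifacts_present(avg_dir) -> list[str]:
    """Renamed AVG components found in avg_dir (evidence the script already ran)."""
    return sorted(n for n in DELF_MP_RENAMES.values() if Path(avg_dir, n).is_file())


# Constructed sample modelled on the behaviour described above (not the real MlhrPltnd.bat).
SAMPLE_BATCH = """@echo off
if exist avgupd.exe ren avgupd.exe avgklle.jar
ren "avgupd.dll" "avgklld.jar"
start MlhrPltnd.exe
start MlhrPltnd.pps
"""

if __name__ == "__main__":
    for hit in find_av_tampering(SAMPLE_BATCH):
        print(hit)
```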
Additional information
Analysis by Michael Johnson
Prevention