 #20288  by thisisu
 Tue Jul 30, 2013 6:14 pm
https://www.virustotal.com/en/file/279f ... 375206619/
Code:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run				11/3/2000 6:54 PM
voipsoft			c:\windows\system32\hkicmd.exe	5/4/2011 9:01 AM
https://secure2.sophos.com/en-us/threat ... lysis.aspx

Sophos mentioned Brazilian spam messages. I noticed some Brazilian domains in the hosts file. I think they may be part of the trojan as well.

Hosts file:
Code:
194.168.33.110  atletico
11.11.1.98 america
12.44.11.1 flamengo
110.200.1.4 palmeras
98.12.32.31 corithians
112.168.252.10 botafogo
19.23.11.30 vasco
18.12.34.42 cruzeiro


211.227.233.242 www.banespa.com.br # GbPluguin
211.227.233.242 banespa.com.br # GbPluguin
211.227.233.242 www.santander.com.br # GbPluguin
211.227.233.242 santander.com.br # GbPluguin
216.250.215.158 caixa.com.br # GbPluguin
216.250.215.158 www.cef.gov.br # GbPluguin
216.250.215.158 cef.gov.br # GbPluguin
216.250.215.158 www.cef.com.br # GbPluguin
216.250.215.158 www.caixa.gov.br # GbPluguin
216.250.215.158 caixa.gov.br # GbPluguin
216.250.215.158 www.caixa.com.br # GbPluguin
203.135.164.79 live.com  # GbPluguin
203.135.164.79 www.live.com  # GbPluguin
203.135.164.79 www.msn.com  # GbPluguin
216.250.215.158 cef.com.br # GbPluguin
216.250.215.158 internetbanking.caixa.gov.br # GbPluguin
216.250.215.158 internetbanking.caixa.com.br # GbPluguin
216.250.215.158 internetbanking.cef.gov.br # GbPluguin




216.250.215.158 internetbanking.cef.com.br # GbPluguin
211.227.233.242 www.e-gold.com.br # GbPluguin
211.227.233.242 e-gold.com.br # GbPluguin
211.227.233.242 www.e-gold.com # GbPluguin
211.227.233.242 e-gold.com # GbPluguin
216.250.215.158 www.bradescoprime.com.br  # GbPluguin
216.250.215.158 www.cetelem.com.br # GbPluguin
216.250.215.158 cetelem.com.br # GbPluguin
216.250.215.158 www.cartaoaura.com.br # GbPluguin
203.135.164.79 msn.com  # GbPluguin
203.135.164.79 www.msn.com.br  # GbPluguin
203.135.164.79 login.live.com  # GbPluguin
216.250.215.158 cartaoaura.com.br # GbPluguin
216.250.215.158 bradescoprime.com.br # GbPluguin
216.250.215.158 www.itaupersonnalite.com.br  # GbPluguin
216.250.215.158 itaupersonnalite.com.br # GbPluguin
211.227.233.242 americanexpress.com.br  # GbPluguin
211.227.233.242 www.sicredi.com.br # GbPluguin
216.250.215.158 sicredi.com.br # GbPluguin
216.250.215.158 portal.sicredi.com.br # GbPluguin
211.227.233.242 www.realsecureweb.com.br # GbPluguin
211.227.233.242 realsecureweb.com.br # GbPluguin
203.135.164.79 www.hotmail.com  # GbPluguin
203.135.164.79 hotmail.com  # GbPluguin
211.227.233.242 www.americanexpress.com.br # GbPluguin
211.227.233.242 www.americanexpress.com # GbPluguin
211.227.233.242 www.real.com.br # GbPluguin
211.227.233.242 www.bancoreal.com.br # GbPluguin
211.227.233.242 real.com.br # GbPluguin
211.227.233.242 bancoreal.com.br # GbPluguin
203.135.164.79 www.hotmail.com.br  # GbPluguin
203.135.164.79 hotmail.com.br  # GbPluguin
216.250.215.158 itau.com.br # GbPluguin
216.250.215.158 www.itau.com # GbPluguin
216.250.215.158 itau.com # GbPluguin
211.227.233.242 imagem.caixa.gov.br # GbPluguin
211.227.233.242 imagem.caixa.com.br # GbPluguin
211.227.233.242 imagem.cef.gov.br # GbPluguin
211.227.233.242 imagem.cef.com.br # GbPluguin
216.250.215.158 www.bradesco.com.br # GbPluguin
216.250.215.158 bradesco.com.br # GbPluguin
216.250.215.158 www.bradesco.com # GbPluguin
216.250.215.158 bradesco.com # GbPluguin
216.250.215.158 www.itau.com.br # GbPluguin
211.227.233.242 www.realsecureweb.com.br # GbPluguin
211.227.233.242 wws.realsecureweb.com.br # GbPluguin
211.227.233.242 wwws.realsecureweb.com.br # GbPluguin
211.227.233.242 realsecureweb.com.br # GbPluguin
211.227.233.242 realveringsize.com.br # GbPluguin


191.168.33.110  internacional
12.11.1.98 gremio
12.44.11.1 pontepreta
120.200.1.4 sao.paulo
Attachments
pass: infected
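As an added example (not code from the post or from the forum), a small defender-side Python checker for a hosts file like the one quoted above: it flags watchlist domains pinned to a non-loopback address and the fan-in of many hostnames onto one IP, which is the signature of a pharming hosts file. The sample file and the watchlist are constructed from the entries in the post.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file, modelled on the entries quoted in the post.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
194.168.33.110  atletico
216.250.215.158 www.caixa.gov.br # GbPluguin
216.250.215.158 internetbanking.caixa.gov.br # GbPluguin
216.250.215.158 www.bradesco.com.br # GbPluguin
211.227.233.242 www.santander.com.br # GbPluguin
203.135.164.79 login.live.com  # GbPluguin
"""

# Domains that should never be pinned to a non-loopback address in a hosts
# file (constructed watchlist; extend it with the domains you care about).
WATCHLIST_SUFFIXES = ("caixa.gov.br", "santander.com.br", "bradesco.com.br", "live.com")


def parse_hosts(text):
    """Yield (ip, hostname, comment) for every active entry in a hosts file."""
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address: not a resolvable entry
        for host in parts[1:]:
            yield ip, host.lower(), comment.strip()


def suspicious_entries(text, watchlist=WATCHLIST_SUFFIXES, min_fan_in=3):
    """Return (host, ip, comment, reasons) for each entry worth a look."""
    entries = list(parse_hosts(text))
    fan_in = defaultdict(int)  # how many hostnames each IP collects
    for ip, _, _ in entries:
        fan_in[ip] += 1
    findings = []
    for ip, host, comment in entries:
        if ip.is_loopback:
            continue  # 127.0.0.1 / ::1 pins are normal blocking entries
        reasons = []
        if any(host == s or host.endswith("." + s) for s in watchlist):
            reasons.append("watchlist domain pinned to " + str(ip))
        if fan_in[ip] >= min_fan_in:
            reasons.append("%d hostnames share %s" % (fan_in[ip], ip))
        if reasons:
            findings.append((host, str(ip), comment, reasons))
    return findings
```

The trailing `# GbPluguin` marker is carried through in the comment field so a report can show which entries the dropper tagged.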