Threat Encyclopedia

Home > Threat Center > Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

0-9
A
B
C
D
E
F
G
H
I
J
K
L
M
N

O
P
Q
R
S
T
U
V
W
X
Y
Z
Glossary

Win32/Spy.Delf.OKH

Aliases:	W32/Banload.E.gen!Eldorado (F-Prot), Trojan.PWS.Banker.origin (Dr. Web)
Type of infiltration:	Trojan
Size:	389120 B
Affected platforms:	Microsoft Windows
Signature database version:	5371 (20100816)

Short description

Win32/Spy.Delf.OKH is a trojan that steals sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan creates the following files:

C:WINDOWSsystem32prikas.bat
C:WINDOWSsystem32heslo.bat
C:WINDOWSsystem32formatd.bat
C:WINDOWSsystem32format.bat

The trojan creates the following folders:

C:WINDOWSsystem32pistoj

The following file is dropped into the C:WINDOWSsystem32pistoj folder:

nazov.txt

It downloads the other part of the infiltration.

The file is stored in the following location:

C:WINDOWSsystem32pistojfrajerka.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion
Run]
"frajerka" = "C:WINDOWSsystem32pistojfrajerka.exe"

Other information

The trojan connects to the following addresses:

http://www.hackeri.tym.sk

It tries to download several files from the address.

The files are saved into the following folder:

C:WINDOWSsystem32pistoj

The following filenames are used:

formatd.txt
format.txt
spusti.txt
frajerka.exe

The trojan may set the following Registry entries:

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion
Run]
"heslo" = "C:WINDOWSsystem32heslo.bat"
"ImagePath" = "%homedrive%WINDOWSsystem_32.bat"
"formatd" = "C:WINDOWSsystem32formatd.bat"
"format" = "C:WINDOWSsystem32format.bat"

The trojan may create the following files:

%homedrive%WINDOWSy.reg
%homedrive%WINDOWSsystem_32.bat

The trojan may delete files stored in the following folders:

D:
%homedrive%

Logon passwords of some users may be changed to the following:

mojkar

The trojan collects the following information:

computer name

The trojan sends the information via e-mail. The trojan contains a list of (1) addresses.

Quick Links: Store | Renew | Activate Software | Free Trial | Online Scanner | ESET vs. Competition | Press Center | Blog | Threat Center | Support

All Products:

Cart About ESET Partners United States and Canada

US

Visit ESET on Facebook

Visit ESET on Google+

Follow ESET on Twitter

ESET YouTube Channel

Subscribe to ESET RSS feeds

© 2012 ESET North America. All rights reserved. Trademarks used herein are trademarks or registered trademarks of ESET spol. s r.o. or ESET North America.
All other names and brands are registered trademarks of their respective companies.