Systweak Spyware Library
Worm-IRC.delf.o Analysis Report
Threat Submitted On: 3/9/2008 7:41:34 PM
Threat Analysed On: 3/10/2008 12:41:34 AM
Threat Updated On: 11/15/2009 9:24:38 PM
Type : Worm-IRC
Symptoms of delf.o
  • Spreads through Internet Relay Chat.
  • Sends malware to the contacts of the infected user.
Information
Alias : irc-worm.win32.delf.o
Md5 Hash : [5ea4fca55468d0d8221e37d8833cef6e]
File Size : [Not Available]

Here are the technical findings of our analysis team after analyzing this malware in detail:

Creates the following infected files on the user's system
Note:
Delete the following files to remove the infection
File: 36osafe.exe
Path : %systemdrive%

Md5Hash :
42e8078727b69e5651a70f0362a8da0d ( 76292 bytes)
5ea4fca55468d0d8221e37d8833cef6e ( 76292 bytes)
92451cb7ecc444ad25f08b7f56ddefaa ( 76290 bytes)
a69ccd597b4ab3b6d11bbee0e3f00e55 ( 76293 bytes)
File: ~dsniu!.bat
Path : %temp%

Md5Hash :76efebc7ed691a5173ee17d41bfff262 ( bytes)
File: ~loveu!.bat
Path : %temp%

Md5Hash :
9bcf2975b4b9547f9630e821dece267c ( bytes)
a35387b52f899026a672f73db74217c0 ( bytes)
cc53a757da77225998565c3b74d36c3b ( bytes)
ceb73dcc1b23365bb725e857a41b4339 ( bytes)
File: footer[1].htm
Path : %userprofile%\local settings\temporary internet files\content.ie5\g5ynop2f

Md5Hash :1781745bb9fd75ce75d42bde8835ed27 ( 1490 bytes)
File: footer[2].htm
Path : %userprofile%\local settings\temporary internet files\content.ie5\g5ynop2f

Md5Hash :641a908faf5b4e6e81da98e802138792 ( 1508 bytes)
File: header[1].htm
Path : %userprofile%\local settings\temporary internet files\content.ie5\g5ynop2f

Md5Hash :5b06e13e74a9d95c1c7de7def6273409 ( 2088 bytes)
File: header[1].htm
Path : %userprofile%\local settings\temporary internet files\content.ie5\wpqrglij

Md5Hash :1c4b5175470b0146e1972f26348a4392 ( 2018 bytes)
File: signup[1].htm
Path : %userprofile%\local settings\temporary internet files\content.ie5\wxqn0dmj

Md5Hash :17ba22e6127a5dcb3d04ee144104141e ( 1550 bytes)
File: signup[2].htm
Path : %userprofile%\local settings\temporary internet files\content.ie5\wxqn0dmj

Md5Hash :c1a5976a21e8f9aa9a56d47a989e3d42 ( 1585 bytes)
File: 36osafe.exe
Path : %windir%\system32

Md5Hash :
42e8078727b69e5651a70f0362a8da0d ( 76292 bytes)
5ea4fca55468d0d8221e37d8833cef6e ( 76292 bytes)
92451cb7ecc444ad25f08b7f56ddefaa ( 76290 bytes)
a69ccd597b4ab3b6d11bbee0e3f00e55 ( 76293 bytes)
File: shuiniu.exe
Path : %windir%\system32

Md5Hash :b3e1aef7abdabdc8fee9f9fe98c43c21 ( 29914 bytes)
File: [randomname].exe
Path : %workingdir%

Md5Hash : (multiple variants)
Also creates the following files on the user's system, which are also created by genuine software:
Note:
These file(s) can be kept, as they are also created by genuine software.
File : blank.htm
Path : %programfiles%\common files\microsoft shared\stationery

Md5Hash :b9551cc12ab829012f2065d878f1c42f ( 481 bytes)
File : citrus punch.htm
Path : %programfiles%\common files\microsoft shared\stationery

Md5Hash :64eae361a32eee19b85219f5bec240e3 ( 472 bytes)
File : clear day.htm
Path : %programfiles%\common files\microsoft shared\stationery

Md5Hash :768304bee1707fcb62f8392f7d457eae ( 345 bytes)
File : fiesta.htm
Path : %programfiles%\common files\microsoft shared\stationery

Md5Hash :e51e9245a552fe35a8861ea0d3868223 ( 388 bytes)
File : glacier.htm
Path : %programfiles%\common files\microsoft shared\stationery

Md5Hash :d315c1bc307c9bd508861c2228e813ec ( 341 bytes)
File : ivy.htm
Path : %programfiles%\common files\microsoft shared\stationery

Md5Hash :44f71d0fe2a4d8e432ad2b8c0e5fd0be ( 436 bytes)
File : leaves.htm
Path : %programfiles%\common files\microsoft shared\stationery

Md5Hash :e5b9de50137298430d42e308f2075df8 ( 437 bytes)
File : maize.htm
Path : %programfiles%\common files\microsoft shared\stationery

Md5Hash :bb2bd7b498a86fa4082feb2b08f9cd69 ( 435 bytes)
File : nature.htm
Path : %programfiles%\common files\microsoft shared\stationery

Md5Hash :33dff451a49f03269d9eaf8fc321253e ( 467 bytes)
File : network blitz.htm
Path : %programfiles%\common files\microsoft shared\stationery

Md5Hash :872c56c17f4e5f79b499657444101876 ( 476 bytes)
File : pie charts.htm
Path : %programfiles%\common files\microsoft shared\stationery

Md5Hash :a4f5e7cee5af5c84edf4890aa5f8da21 ( 359 bytes)
File : sunflower.htm
Path : %programfiles%\common files\microsoft shared\stationery

Md5Hash :03f93a3b1ce77ba811942d3a219b233e ( 471 bytes)
File : sweets.htm
Path : %programfiles%\common files\microsoft shared\stationery

Md5Hash :205943398d0a62175c5596a28a95f18d ( 430 bytes)
File : technical.htm
Path : %programfiles%\common files\microsoft shared\stationery

Md5Hash :c6bce59a052ef31ed6d868294ebbd57d ( 480 bytes)
File : mdacreadme.htm
Path : %programfiles%\common files\system\ado

Md5Hash :4d235f9afa1573bd1986db499848df30 ( 612 bytes)
File : netmeet.htm
Path : %programfiles%\netmeeting

Md5Hash :4a1a5f41e5309a903ac198164a08e606 ( 29186 bytes)
File : autorun.inf
Path : %systemdrive%

Md5Hash :b6b807743a49dd0836ba25fba61a765d ( 169 bytes)
Creates the following infected registry keys on the user's system
Note:
Delete these registry keys to remove the infection
The following registry values are added to the listed registry keys:
Note:
Delete the added values from the key to remove the infection
|__ Value Added :
shell32 = "%windir%\system32\36osafe.exe"
|__ Value Added :
start page = "http://www.18dos.com/"
|__ Value Added :
dsniu = "%windir%\system32\shuiniu.exe"
|__ Value Added :
shell32 = "%windir%\system32\36osafe.exe"
|__ Value Added (the same value is added under many further keys, whose names are not shown in this listing) :
debugger = "%windir%\system32\36osafe.exe"