Trojan.Dropper.Delf.BAS

Spreading: very low
Damage: very low
Size: approx 33200 bytes
Discovered: 2008 Jun 26

SYMPTOMS:

Presence of more than one running instance of the same executable, each doing something different.

TECHNICAL DESCRIPTION:

This file usually comes bundled with other types of malware; the sample analyzed came with Backdoor.Agent.ZHQ. When executed, the dropper first resolves its imports and then checks whether it is being run by a virus analyst. It checks whether the value HKCU\Control Pane\SwapMouseButtons is set, checks for the existence of the folder Parallels tools in C:\Program Files\Parallels, checks whether its own file name is file.exe or sample.exe, and finally checks whether it can obtain a handle to SpieDll.dll. If none of these conditions is fulfilled, it goes on to decrypt the executable files stored in its resource section.
For each decompressed file it creates a suspended process and overwrites the image of that process with the file it has just decompressed. It then resumes the process.
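A triage helper for the first step described above (executables carried inside the dropper): the script below scans a file for embedded PE images by locating "MZ" headers whose e_lfanew field points at a valid "PE\0\0" signature, and repeats the scan under every single-byte XOR key. This is an added example written for this page, not BitDefender's code or the sample's; the dropper bytes it scans are constructed inline, and the single-byte XOR scheme is an assumption made for the example, since the description does not say how Delf.BAS encrypts its resources.

```python
"""Find executables embedded in another file (added example; constructed data)."""
import struct

DOS_HEADER_SIZE = 0x40   # IMAGE_DOS_HEADER is 64 bytes, e_lfanew at offset 0x3C
COFF_HEADER_SIZE = 20    # IMAGE_FILE_HEADER that follows the "PE\0\0" signature


def find_embedded_pe(data: bytes):
    """Return (offset, machine, n_sections) for every "MZ" in `data` whose
    e_lfanew points at a "PE\\0\\0" signature inside the buffer.  Requiring
    a sane e_lfanew discards the stray "MZ" byte pairs any large file has."""
    hits = []
    pos = data.find(b"MZ")
    while pos >= 0:
        if pos + DOS_HEADER_SIZE <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if (DOS_HEADER_SIZE <= e_lfanew < 0x1000
                    and pe + 4 + COFF_HEADER_SIZE <= len(data)
                    and data[pe:pe + 4] == b"PE\0\0"):
                machine, n_sections = struct.unpack_from("<HH", data, pe + 4)
                hits.append((pos, machine, n_sections))
        pos = data.find(b"MZ", pos + 1)
    return hits


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (translate table is fast on large files)."""
    return data.translate(bytes(i ^ key for i in range(256)))


def find_xor_encoded_pe(data: bytes):
    """Try all 255 non-zero single-byte XOR keys; return [(key, hits), ...].
    Assumption for this example: the payload is hidden with a single-byte XOR."""
    found = []
    for key in range(1, 256):
        hits = find_embedded_pe(xor_bytes(data, key))
        if hits:
            found.append((key, hits))
    return found


def make_minimal_pe(machine: int, n_sections: int) -> bytes:
    """Constructed stand-in for an executable: DOS header, PE signature and
    COFF header only.  Enough for the scanner; it is not a loadable image."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)   # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", machine, n_sections, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample "dropper": its own i386 header, a decoy "MZ" with no PE
# signature behind it, then an embedded x64 payload at offset 288.
_OUTER = make_minimal_pe(0x14C, 3)
_FILLER = b"MZ" + b"\x00" * 198
_PAYLOAD = make_minimal_pe(0x8664, 5)
SAMPLE_DROPPER = _OUTER + _FILLER + _PAYLOAD
XOR_KEY = 0x5A
XORED_DROPPER = _OUTER + _FILLER + xor_bytes(_PAYLOAD, XOR_KEY)


if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_DROPPER), ("xor-encoded", XORED_DROPPER)):
        print(label, "embedded PE headers:", find_embedded_pe(blob))
        print(label, "after XOR brute force:", find_xor_encoded_pe(blob))
```

On a real sample, read the file into `data` and run both functions; a hit at a non-zero offset is the cue to carve from that offset and hand the result to a full PE parser. A hit found only under a XOR key tells you which key to apply before carving.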

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY:

Mihai Razvan Benchea, virus researcher