Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.
Troj/Delf-ALI is a worm and IRC backdoor Trojan for the Windows platform.
Troj/Delf-ALI spreads to other network computers by exploiting common buffer overflow vulnerabilities, including RPC-DCOM (MS04-012).
Troj/Delf-ALI runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
Troj/Delf-ALI includes functionality to access the internet and communicate with a remote server via HTTP.
When Troj/Delf-ALI is installed it creates the clean text file msguid32.dll.
The following registry entry is created to run Troj/Delf-ALI on startup:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
Microsoft IIS
Troj/Delf-ALI attempts to log details from banking applications related to the following sites:
www.halifax-online.co.uk
ibank.barclays.co.uk
online.lloydstsb.co.uk
online-business.lloydstsb.co.uk
www.ukpersonal.hsbc.co.uk
banesnet.banesto.es
extranet.banesto.es
ebanking.bccbrescia.it
www.bankofscotlandhalifax-online.co.uk
oi.cajamadrid.es
bancae.caixapenedes.com
banking.postbank.de
meine.deutsche-bank.de
myonlineaccounts2.abbeynational.co.uk
ibank.cahoot.com
webbank.openplan.co.uk
bancopostaonline.poste.it
mybank.bybank.it
ibank.internationalbanking.barclays.com
welcome7.co-operativebank.co.uk
welcome11.co-operativebankonline.co.uk
Troj/Delf-ALI modifies the HOSTS file in order to redirect access to the above sites.
Troj/Delf-ALI stores logged information to the following clean text files in the Windows system folder:
abbey.dll
bane.dll
bankofscot.dll
barc.dll
barc3.dll
bccbrescia.dll
bybank.dll
cahoot.dll
caixapenedes.dll
cajamadrid.dll
coo11.dll
coo7.dll
deutchebank.dll
halif.dll
hsbc.dll
lloy.dll
posta.dll
postbank.dll
wool.dll
Troj/Delf-ALI can be removed from Windows computers automatically with the following Resolve tools:
Windows disinfector
DELFAGUI is a disinfector for standalone Windows computers. To use it you have to do the following:
· Open DELFAGUI.com file from your desktop after downloading it.
· Click on the Start Scan Button.
· Wait for the process to complete.
· After removing the worm you should install the Microsoft patch MS04-012 or, on single computers, update with all relevant security patches from Windows update.
Command line disinfector
DELFASFX.EXE is a self-extracting archive containing DELFACLI, a Resolve command line disinfector for use by system administrators on Windows networks.
Find us on Google+
