Troj/DelCanti-B

Category:	Viruses and Spyware	Protection available since:	04 Oct 2006 00:00:00 (GMT)
Type:	Trojan	Last Updated:	04 Oct 2006 00:00:00 (GMT)
Prevalence:

Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Troj/DelCanti-B is a Trojan for the Windows platform.

Troj/DelCanti-B may attempt to steal information and monitor browser habits.

When first run Troj/DelCanti-B copies itself to:

<System>\12053\data.exe
<System>\12053\lsass.exe
<System>\12053\svchost.exe

and creates the following harmless files:

\README(loren).html
<System>\oemlogo.bmp
<System>\12053\loren.jpg

Troj/DelCanti-B may also attempt to remove or update the following file:

<System>\Oeminfo.ini

Troj/DelCanti-B may attempt to remove all files from the following directories:

ESET\
antivi~1\
antivi~2\
antiviru\
avg\
kasper~1\
kasper~2\
mcafee\
mcafee.com\agent\
mcafee.com\
mcafee.com\VSO\
mcafee~1\*.
msav\
norman\
norton~1
norton~2
pav\
pccill~1\
pc-cil~1\
progra~1\ESET\
progra~1\antivi~1\
progra~1\antivi~2\
progra~1\avg\
progra~1\kasper~1
progra~1\mcafee\
progra~1\McAfee.com\agent\
progra~1\McAfee.com\
progra~1\McAfee.com\VSO\
progra~1\mcafee~1
progra~1\mindso~1
progra~1\norman\
progra~1\norton~1
progra~1\norton~2
progra~1\pandas~1
progra~1\Alwils~1

Troj/DelCanti-B may set the following registry entry to a random string of Indonesian text:

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
LegalNoticeCaption
<random Indonesian text>

and modify the following registry entries:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Winup
<Windows>\system32\12053\svchost.exe /register

SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RsWin
<Windows>\system32\12053\lsass.exe /register

HKLM\SYSTEM\ControlSet001\Control\SafeBoot
AlternateShell
<Windows>\system32\12053\svchost.exe

HKLM\SYSTEM\ControlSet002\Control\SafeBoot
AlternateShell
<Windows>\system32\12053\svchost.exe

HKLM\SYSTEM\ControlSet003\Control\SafeBoot
AlternateShell
<Windows>\system32\12053\svchost.exe

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
AlternateShell
<Windows>\system32\12053\svchost.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
System
<Windows>\system32\12053\svchost.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\system32\12053\svchost.exe

HKLM\<SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<Windows>\system32\userinit.exe, <Windows>\system32\12053\svchost.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <Windows>\system32\12053\svchost.exe

HKCU\Software\Microsoft\Internet Explorer\Main
Start Page
loren.jpg

Try Sophos products for free
Download now

Security Goals

INDUSTRIES & SECTORS

COMPANY SIZE

PRODUCT FEATURES

CASE STUDIES

Company Overview

Our People

INNOVATIVE TECHNOLOGY

ALERT SERVICES

Product Features

Product Families

Complete Security

PRODUCTS BY NAME

Free Tools

Next Steps

RESOURCES

FIND AN ANSWER

Support by Product

Maintain your Product

Hire an Expert

WHAT'S POPULAR

THREAT ANALYSIS

THREAT STATISTICS

WHAT'S POPULAR

Threat Definitions

THREAT MONITORING

SECURITY HUBS

LIBRARY

Whats Popular

WHAT'S NEW

Community

IT SECURITY TRAINING

ANATOMY OF AN ATTACK

RESELLER PARTNERS

Managed Service Providers

SYSTEM INTEGRATORS

OEM and Technology

WHAT'S POPULAR

Troj/DelCanti-B

Free Mac Anti-Virus

Popular topics