How to Respond to Trojan.Dropper.Delf.VP

Fellow BD users:

BD has identified some files in C:\Windows\temp as being infected with Trojan.Dropper.Delf.VP. I can find no info on the Internet about this subvariant of Trojan.Dropper.Delf. When I try to delete the infected files I get the Windows error message "Cannot read from the source file or disk." I have to boot into a different Windows XP installation to delete the files. The filenames, which have no extension, begin with the string "msl-" that is followed by a three-, four- or five digit numerical string, that is itself followed by another dash and another numeral, thusly: "msl-2164-2." The files are created in sequence (the last digits increment by one, as in msl-2164-2, msl-2164-3, etc.) whenever I run that installation of Windows.

No other program (Norton, AdAware, Spybot, Spy Sweeper, etc.) reports these files as being infected with this trojan during a scan, and no scanner (including BD's AV and Malware scanners) sees the malware that is generating these files.. What am I looking at here, and how do I repair this system?

TIA for any help you can provide.

Find more posts tagged with

Comments

alexcrist

Hi pc2services,

You can use Filemon to "see" who/when accesses a file ( http://www.microsoft.com/technet/sysintern...sk/Filemon.mspx ). It doesn't need any installation. Justr extract the Filemon files in an empty folder and run filemon.exe. When you open it, create the filter msl-* and then Filemon will show you what application(s) access those files.

When you find that application, put it in a zip file protected by the password infected and upload it in your next post so the BD Virus researchers can take a look at it.

Also, attach one of those msl files (also archived and protected by the password infected) because it just might be a false positive.

Cris.

pc2services

Hi pc2services,

[snip]

Also, attach one of those msl files (also archived and protected by the password infected) because it just might be a false positive.

Cris.

The sample file is attached in a .RAR archive; "infected" is the password.

/applications/core/interface/file/attachment.php?id=96" data-fileid="96" rel="">msl_2944_2.rar

msl_2944_2.rar

alexcrist

Hi pc2services,

Now you just have to wait until one of the Virus Researchers check this file and post the answer. I do not work for BD, so I can't do anything about this.

What about the application that is creating these msl files? Have you tried Filemon to find out who is responsible for this?

Cris.

vlad

It was a false alarm; it will go away in a couple of hours. Thanks for reporting it!

pc2services

Hi pc2services,

What about the application that is creating these msl files? Have you tried Filemon to find out who is responsible for this?

Cris.

Well, the filemon log only shows one app writing the msl files to the HD: "AppSvc32.exe:1924"

The filesize is always 466K. After a while they add up. I don't understand the purpose of the files or why I cannot delete them without exiting that Windows installation and booting in to another one. I don't recall seeing these files in any other Windows folder before this. Does anybody know what these files are?

pc2services

It was a false alarm; it will go away in a couple of hours. Thanks for reporting it!

I guess the attached file isn't connected to this situation, then, but please examine it for possible identification. It was executed on the Windows machine and then immediately deleted itself. On the next boot the Windows installation was badly corrupted. I deleted the partition, recreated it and reformatted before reinstalling XP. It is the new XP install that is showing the "msl-" files being created, by the way. Any info you can provide regarding the attached file, "Malware.exe," contained in the .RAR archive (password is "infected") will be much appreciated.

/applications/core/interface/file/attachment.php?id=97" data-fileid="97" rel="">Malware.rar

Malware.rar

vlad

It is indeed malware; it's a backdoor. Detection has been added.

Google says AppSvc32.exe is a process belonging to Norton AntiVirus (note that if you have more than one antivirus installed, you are likely to experience problems). If it actually belongs to Norton, I can only imagine those are temporary files it uses during scanning and for some reason fails to delete. If it isn't NAV, please upload the file for analysis.

Niels

You can run this removal tool: http://www.softpedia.com/get/Tweak/Uninsta...oval-Tool.shtml to remove everything of Norton. When you use the normal procedure then there still will be many files left.

Regards

Niels