What happens when the Trojan runs: when the Deloder worm is started, it launches "\winnt\fonts\explorer.exe", which is, in reality, just a VNC server. It opens TCP ports 5800 and 5900 and listens for VNC requests. If a VNC client requests a connection to the honeypot and supplies the right password, the remote user of that client can control the honeypot or simply watch every single keystroke and mouse movement on it. When this worm/Trojan runs, it also attempts to remove the following network shares: ADMIN$, IPC$, C$, D$, E$ and F$.
This worm/Trojan attempts connections to many different IRC servers. As there is no internet connection to or from the honeypot, no valid connection could be made. Because of the age of the Deloder.a Trojan, all of the IRC servers it is programmed to contact have since been shut down. During its most active period, there could have been up to 18,000 IRC connections from this one installed instance of the Trojan. Because neither the honeypot nor the server has an internet connection, the honeypot simply suffers the infection while the Trojan sits there, repeatedly trying to contact the IRC servers to report home and/or receive additional files or commands. This activity consumes approximately 20% of available CPU time, causing a noticeable slowdown on the affected machine. The end result is that your system can easily be monitored or even controlled by anyone who knows your IP address and the password for the VNC server. Deloder.a does not damage your system as such, but it leaves your system open to whatever abuse the controller of the Trojan chooses to push down to it; he or she can do whatever they feel like to your system.
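The three behaviours described above (a planted VNC server listening on 5800/5900, repeated outbound IRC connection attempts, and removed administrative shares) are each visible from a host's own connection table, process list and share enumeration. The following Python script is an added example, not code from the original page or from any Deloder analysis: it runs a triage over constructed sample data standing in for "netstat -ano" output, a PID-to-image-path table and a share listing. The IRC port 6667, the expected locations of explorer.exe and svchost.exe, and all sample values are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample data (not a real capture): a trimmed netstat-style
# listing, a PID->image-path table, and a share enumeration result.
SAMPLE_NETSTAT = """\
TCP    0.0.0.0:135          0.0.0.0:0              LISTENING       812
TCP    0.0.0.0:5800         0.0.0.0:0              LISTENING       1460
TCP    0.0.0.0:5900         0.0.0.0:0              LISTENING       1460
TCP    10.0.0.5:1043        203.0.113.9:6667       SYN_SENT        1460
TCP    10.0.0.5:1044        203.0.113.10:6667      SYN_SENT        1460
TCP    10.0.0.5:1045        203.0.113.11:6667      SYN_SENT        1460
TCP    10.0.0.5:1046        198.51.100.4:80        ESTABLISHED     1020
"""

SAMPLE_PROCESSES = {
    812: r"C:\WINNT\system32\svchost.exe",
    1020: r"C:\Program Files\Internet Explorer\iexplore.exe",
    1460: r"C:\WINNT\Fonts\explorer.exe",   # the dropped VNC server from the page
}

SAMPLE_SHARES = ["IPC$", "SharedDocs"]      # ADMIN$ and C$ already removed

VNC_PORTS = {5800, 5900}
IRC_PORT = 6667   # assumption: the conventional IRC port; the page names no port

# Assumption: where these system binary names legitimately live on NT/2000.
EXPECTED_SYSTEM_BINARIES = {
    "explorer.exe": r"c:\winnt\explorer.exe",
    "svchost.exe": r"c:\winnt\system32\svchost.exe",
}

NETSTAT_RE = re.compile(r"^TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)$")


def parse_netstat(text):
    """Parse TCP rows of a netstat-style listing into dicts."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if not m:
            continue
        lip, lport, rip, rport, state, pid = m.groups()
        conns.append({"local_ip": lip, "local_port": int(lport),
                      "remote_ip": rip, "remote_port": int(rport),
                      "state": state, "pid": int(pid)})
    return conns


def find_rogue_vnc_listeners(conns, processes):
    """Return (pid, path, reason) for each VNC-port listener that looks planted."""
    findings, seen = [], set()
    for c in conns:
        if (c["state"] != "LISTENING" or c["local_port"] not in VNC_PORTS
                or c["pid"] in seen):
            continue
        seen.add(c["pid"])
        path = processes.get(c["pid"], "<unknown>")
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        expected = EXPECTED_SYSTEM_BINARIES.get(name)
        if expected and low != expected:
            findings.append((c["pid"], path, "system binary name in unexpected location"))
        elif "\\fonts\\" in low:
            findings.append((c["pid"], path, "executable in a data-only directory"))
    return findings


def irc_beacon_counts(conns, port=IRC_PORT):
    """Count outbound connection attempts to the IRC port, per PID."""
    counts = Counter()
    for c in conns:
        if c["remote_port"] == port and c["state"] in ("SYN_SENT", "ESTABLISHED"):
            counts[c["pid"]] += 1
    return counts


def missing_admin_shares(present, drive_letters=("C",)):
    """List default administrative shares that are absent from the enumeration."""
    expected = ["ADMIN$", "IPC$"] + [f"{d}$" for d in drive_letters]
    have = {s.upper() for s in present}
    return [s for s in expected if s not in have]


def triage(netstat_text, processes, shares, drives=("C",)):
    """Combine the three checks into one report dict."""
    conns = parse_netstat(netstat_text)
    return {
        "rogue_vnc": find_rogue_vnc_listeners(conns, processes),
        "irc_attempts": dict(irc_beacon_counts(conns)),
        "missing_shares": missing_admin_shares(shares, drives),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_NETSTAT, SAMPLE_PROCESSES, SAMPLE_SHARES).items():
        print(f"{key}: {value}")
```

On the sample data the report attributes the VNC listeners and all three IRC attempts to the same PID, whose image is an explorer.exe outside its expected path, and lists ADMIN$ and C$ as missing; on a live host the same three signals converging on one process is what turns an isolated "VNC is installed" observation into an incident.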