Analysis of a Win32.Delf Variant
April 4, 2008 – 12:35 PM
We have been noticing quite a few malware samples that reference or communicate with Google’s SMTP servers. This post dissects one of these samples and, in the process, illustrates some reversing and information-gathering techniques while explaining the behavior and impact of this virus. At the end of this post you will discover the reason for this SMTP reference and see a rather revealing screenshot showing its purpose.
The first step we took was to verify whether the executable was compressed or protected. Loading it in PEiD identified it as “Borland Delphi 6.0 – 7.0”. Unless the signature was faked (explanation here), we can go straight to analysis. One of the great things about a Delphi application is that it can be decompiled and analyzed statically. You can use either DeDe by DaFixer[TMG] or DE Decompiler by GPcH. Because DeDe is the one typically used, we chose DE Decompiler for experimental purposes. If you open the malware in DE Decompiler, you see the following:
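As an added example (not code from the original post), the “is it packed?” triage can be approximated without relying on a PEiD signature: parse the PE section table, compute per-section entropy, and look for section names that well-known packers leave behind, while Borland-style CODE/DATA/BSS sections with low entropy are consistent with an unpacked Delphi binary that DeDe or DE Decompiler can handle. The build_sample_pe helper and both samples are constructed here for illustration and are not real executables.

```python
import math
import struct

# Section names that a few well-known packers leave behind (UPX, ASPack, Petite).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", ".aspack", ".adata", ".petite"}
# Names Borland's linker emits; an unpacked Delphi binary normally still shows them.
BORLAND_SECTION_NAMES = {"CODE", "DATA", "BSS"}

def shannon_entropy(data):  # bits per byte: near 8.0 for packed/encrypted data, lower for plain code
    return -sum(data.count(b) / len(data) * math.log2(data.count(b) / len(data)) for b in set(data))
def pe_sections(blob):  # parse the PE section table -> [(name, raw_bytes)]
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    table, out = pe + 24 + opt_size, []
    for i in range(nsect):
        hdr = blob[table + 40 * i:table + 40 * (i + 1)]
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
        out.append((hdr[:8].rstrip(b"\0").decode("latin-1"), blob[raw_ptr:raw_ptr + raw_size]))
    return out

def packing_indicators(blob, threshold=7.0):
    """Reasons to suspect packing or protection; an empty list means none were found."""
    findings = []
    for name, data in pe_sections(blob):
        ent = shannon_entropy(data)
        if ent >= threshold:
            findings.append(f"{name}: entropy {ent:.2f} >= {threshold}")
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{name}: packer section name")
    return findings
def looks_like_plain_delphi(blob):  # Borland layout and no packing hints: worth trying a Delphi decompiler
    return BORLAND_SECTION_NAMES <= {n for n, _ in pe_sections(blob)} and not packing_indicators(blob)

def build_sample_pe(sections):  # constructed, non-runnable PE layout (headers + sections) for testing
    pe, nsect = 0x40, len(sections)
    ptr = pe + 24 + 40 * nsect                      # raw data follows the section table directly
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, 0, 0x102)
    table, body = b"", b""
    for name, data in sections:
        table += name.encode().ljust(8, b"\0") + struct.pack("<IIII", len(data), ptr, len(data), ptr) + b"\0" * 16
        body, ptr = body + data, ptr + len(data)
    return dos + b"PE\0\0" + file_hdr + table + body

# Constructed samples: Borland-style sections with plain bytes vs. a UPX-style high-entropy section.
DELPHI_LIKE = build_sample_pe([("CODE", b"\x55\x8b\xec\x33\xc0\xc9\xc3" * 300), ("DATA", b"Borland\0" * 100), ("BSS", b"")])
PACKED_LIKE = build_sample_pe([("UPX0", b""), ("UPX1", bytes(range(256)) * 16)])
```

Entropy alone is a heuristic: a large compressed resource in an otherwise plain binary also scores high, so treat the findings as prompts for a closer look rather than a verdict.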