New Trojan attacking popular European Social Networking site (January 25, 2013)


Dell SonicWALL Threats Research team received reports of a new Trojan that has been targetting VK (originally VKontakte). VK is a reputed European social networking service which has features similar to Facebook and has been growing in popularity, it has around 195 milllion accounts with an average 43 million daily users as of December 2012. The Trojan checks if the victim is part of the VK network and starts uploading pictures on on the victims behalf. Additionally the Trojan downloads files from and stores them locally. The trojan comes equipped with capabilities to accept and execute commands from a remote Command and Control (C&C) server.

Infection Cycle:

Upon execution the Trojan adds the following files to the filesystem:

  • %USERPROFILE%Local SettingsApplication DataKBxxxxxxx.exe – where ‘xxxxxxx’ is random 7 digits for every infection

This file is a copy of the original executable which is deleted upon execution. We observed the trojan adding an image in the following directory:

  • %USERPROFILE%Local SettingsTemp%RandomCharacters%.jpg


The Trojan adds the following keys to the windows registry to enable startup after reboot:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersonRun KBxxxxxxx “%USERPROFILE%Local SettingsApplication DataKBxxxxxxx.exe”
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersonPoliciesExplorerRun KBxxxxxxx “%USERPROFILE%Local SettingsApplication DataKBxxxxxxx.exe”
  • HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersonRun KBxxxxxxx “%USERPROFILE%Local SettingsApplication DataKBxxxxxxx.exe”
  • HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersonPoliciesExplorerRun KBxxxxxxx “%USERPROFILE%Local SettingsApplication DataKBxxxxxxx.exe”

The Trojan also adds the following keys to the windows registry:

  • HKEY_CURRENT_USERSoftwareMicrosoftsystem32_Reg32Path KBxxxxxxx “%USERPROFILE%Local SettingsApplication DataKBxxxxxxx.exe”
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftsystem32_Reg32Path KBxxxxxxx “%USERPROFILE%Local SettingsApplication DataKBxxxxxxx.exe

We observed the following sequence of communication with the C&C:


After the malware executed we observed that our account was now added to a group without our knowledge.


Soon enough our account was suspended because of suspected malicious activity.


A close observation of the above image reveals that the image being uploaded on our account is the same image that was saved locally as mentioned above. All the images stored on the C&C from images.txt file have the same theme, they try to promote as a service that can show who visits pages on our account. Such services try to lure users and obtain sensitive personal information. redirects the users to where it asks them to enter their VK nickname. It then claims to create a report containing a list of people who visited their account. Lastly it asks for the users phone number to provide further information.


We observed the malware download publicly available photos from belonging to the groups mentioned in the groups.txt file. This happens irrespective of whether the victim is part of or not.

The main purpose of this campaign is to upload images promoting services on users VK account, thereby trying to lure more and more people into using their services. In doing so users give out their personal information.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Delf.RBQ (Trojan)
  • Security News
    The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.