Author Topic: Delsim Trojan Win32.Trojan.Dialer.EJ & Avast does not react

REDACTED

  • Guest
I am using the latest, updated version of Avast Home, but it does not see the trojan on my laptop.
Windows version XP-Home
Info about trojan:
Threat name
Win32.Trojan.Dialer.EJ
Filename
%%CommonFilesFolder%%\delsim\del.exe
Here is the info I found on manual deletion:
Kill processes:
csrss.exe, del.exe, dont delete me.exe, msn.exe, msnpaint.exe, notedpad.exe, open me.exe, winfile.exe
Help: how to kill malicious processes

Delete registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\update=%System%\winupdate\csrss.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page=[site address 1]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title=Warrior !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! By Mr.X
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs\url[X]=[site address 2]
Help: how to remove registry entries

Delete files:
csrss.exe, del.exe, dont delete me.exe, msn.exe, msnpaint.exe, notedpad.exe, open me.exe, winfile.exe, d.bmp
Help: how to remove harmful files

Delete directories:
C:\Windows\System\winupdate
C:\Windows\System32\winupdate
C:\Winnt\System32\winupdate

Misc:
[X] is a number from 1 to 13.
[site address 1] is an address of a web site on the mrx-server.com domain.
[site address 2] is an address of a web site on the sex.nl domain.

Exact file location:
csrss.exe - C:\Windows\System\winupdate, C:\Windows\System32\winupdate or C:\Winnt\System32\winupdate
del.exe, dont delete me.exe, msn.exe, msnpaint.exe, notedpad.exe, open me.exe, winfile.exe, d.bmp - C:

Also additional info in here:
http://ca.com/us/securityadvisor/virusinfo/virus.aspx?id=63925

« Last Edit: June 25, 2007, 11:22:45 AM by FK@stro »
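A read-only sweep for the indicators listed in the post above, written here as an added example (it is not from the thread, the CA advisory, or any vendor tool). It only reports what it finds; nothing is killed or deleted, so it can be run first and its output compared against the removal list before anything is touched. Assumptions: Windows PowerShell is installed on the affected machine and the session is elevated; $env:windir covers the Windows and Winnt directories named in the post, and the domain matches (mrx-server.com, sex.nl) follow the [site address] notes above.

```powershell
# Added example: report-only check for the Delsim indicators from the post above.
# Assumes an elevated Windows PowerShell session on the affected machine.

$findings = @()

# 1. Dropped files. The winupdate folder lives under System or System32 of the
#    Windows directory ($env:windir covers both C:\Windows and C:\Winnt); the
#    other files are dropped on the root of C:, and del.exe under Common Files.
$winupdateDirs = @("$env:windir\System\winupdate", "$env:windir\System32\winupdate")
$rootFiles = 'del.exe', 'dont delete me.exe', 'msn.exe', 'msnpaint.exe',
             'notedpad.exe', 'open me.exe', 'winfile.exe', 'd.bmp'

foreach ($dir in $winupdateDirs) {
    if (Test-Path -LiteralPath $dir) { $findings += "Directory present: $dir" }
    $rogue = Join-Path $dir 'csrss.exe'
    if (Test-Path -LiteralPath $rogue) { $findings += "File present: $rogue" }
}
foreach ($name in $rootFiles) {
    $p = Join-Path 'C:\' $name
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}
$delExe = Join-Path $env:CommonProgramFiles 'delsim\del.exe'
if (Test-Path -LiteralPath $delExe) { $findings += "File present: $delExe" }

# 2. Running processes. csrss.exe is also a legitimate Windows process, so it is
#    only flagged when the running copy comes from a winupdate folder; the other
#    names are not normal system processes and are flagged by name alone.
$suspectNames = 'del', 'dont delete me', 'msn', 'msnpaint', 'notedpad', 'open me', 'winfile'
foreach ($proc in Get-Process) {
    $path = $null
    try { $path = $proc.Path } catch { }   # Path is unavailable for some protected processes
    if ($suspectNames -contains $proc.ProcessName) {
        $findings += "Process running: $($proc.ProcessName) (PID $($proc.Id)) $path"
    } elseif ($proc.ProcessName -eq 'csrss' -and $path -and $path -like '*\winupdate\*') {
        $findings += "Rogue csrss.exe running from $path (PID $($proc.Id))"
    }
}

# 3. Registry: the Run entry that restarts the rogue csrss.exe, and the Internet
#    Explorer values the dialer rewrites (start page, window title, typed URLs).
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['update'] -and $run.update -like '*winupdate\csrss.exe') {
    $findings += "Run value 'update' = $($run.update)"
}
$ieMain = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ieMain) {
    if ($ieMain.'Window Title' -like '*By Mr.X*')      { $findings += "IE Window Title = $($ieMain.'Window Title')" }
    if ($ieMain.'Start Page'   -like '*mrx-server.com*') { $findings += "IE Start Page = $($ieMain.'Start Page')" }
}
$typed = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs' -ErrorAction SilentlyContinue
if ($typed) {
    foreach ($i in 1..13) {            # the post says url[X] runs from 1 to 13
        $v = $typed."url$i"
        if ($v -like '*sex.nl*') { $findings += "TypedURLs url$i = $v" }
    }
}

if ($findings.Count -eq 0) { 'No Delsim indicators found.' } else { $findings }
```

The process check deliberately does not match csrss.exe by name alone: terminating the real csrss.exe blue-screens the machine, which is the same trap fwttg ran into later in this thread with sfc.dll. Anything this script lists should be confirmed against the path and registry locations in the post (or a VirusTotal result, as DavidR suggests) before it is removed.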

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89021
  • No support PMs thanks
Re: Delsim Trojan Win32.Trojan.Dialer.EJ & Avast does not react
« Reply #1 on: June 25, 2007, 03:06:35 PM »
Send the sample to virus@avast.com zipped and password-protected, with the password in the email body and "undetected malware" in the subject.

Or you can add the file to the User Files (File, Add) section of the avast chest, where it can do no harm, and send it from there (select the file, right-click, Email to Alwil Software). No need to zip and password-protect when the sample is sent from the chest. A copy of the file(s) will remain in the original location, so any further action you take can remove that.

You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner). I feel VirusTotal is the better option, as it uses the Windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti (multi-engine on-line virus scanner); if any other scanners there detect them, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Delsim Trojan Win32.Trojan.Dialer.EJ & Avast does not react
« Reply #2 on: June 26, 2007, 04:32:07 AM »
Hope they improve detection on this one...
Today I've sent a sample to them too... Detection is not the best it can be nowadays...
The best things in life are free.

REDACTED

  • Guest
Re: Delsim Trojan Win32.Trojan.Dialer.EJ & Avast does not react
« Reply #3 on: June 26, 2007, 08:37:03 AM »
Sent it yesterday; hope this will help.

fwttg

  • Guest
Re: Delsim Trojan Win32.Trojan.Dialer.EJ & Avast does not react
« Reply #4 on: July 01, 2007, 05:48:49 PM »
I also got this virus on several W2K and W2K Server machines on our network. Fortunately I had a trial version of Norton AV, which removed the virus on one machine. From the Norton AV log I got the following, which allowed us to remove the Delsim Dialer from all of our machines:

Click for more information about this risk : Dialer.Trafficjam
Action taken: Removed
Description: Affected areas:
9 Files:
c:\program files\common files\delsim\del.exe - Deleted
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\DFRTIROU\go[1].exe - Detected
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\DFRTIROU\go[2].exe - Detected
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\L1HBKY2Y\go[1].exe - Detected
C:\t1e7i4k6x87.exe - Detected
C:\Documents and Settings\All Users\Start Menu\del.lnk - Deleted
c:\documents and settings\all users\start menu\del.lnk - No action required
c:\program files\common files\delsim\del.exe - No action required
C:\Program Files\Common Files\delsim - Deleted

5 Registry keys:
HKEY_USERS\.DEFAULT\Software\Delsim - Deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\delsim - Deleted
HKEY_USERS\S-1-5-21-1177238915-1767777339-725345543-1000\Software\Microsoft\Internet Explorer\Main\Start Page - Repaired
HKEY_USERS\S-1-5-21-1177238915-1767777339-725345543-1002\Software\Microsoft\Internet Explorer\Main\Start Page - Repaired
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Start Page - Repaired

The only issue remaining is that Avast finds WINNT\System32\sfc.dll to be infected. Quarantining or deleting sfc.dll disables startup.

FTG

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Delsim Trojan Win32.Trojan.Dialer.EJ & Avast does not react
« Reply #5 on: July 02, 2007, 12:20:49 AM »
Fortunately I had a trial version of Norton AV which removed the virus on one machine.
Thanks for helping to improve avast detection... nowadays we're seeing many 'failures' in detection... it's a pity...
The best things in life are free.