Hi there!
Thanks to Avast, I found and deleted Win32:Delf-FT [Trj] hidden in a Local Setting\History\History.IE5\index.dat file. But I can barely find any information about this virus and I was wondering what harm it can have done to my computer. I found that some viruses in index.dat are used for DoS attacks; is it the case for this one? Did it have any effect since I’m using Firefox?
It is supposedly a trojan backdoor; however, the file it was detected in seems strange, as it isn’t an executable file, so it could have been an incorrect detection.
Did you try a Google search for Win32:Delf-FT? This returns 282 hits; this is just one: http://www.emsisoft.com/en/malware/?Backdoor.Win32.Delf.ft. One defence against backdoors is keeping your security software up to date and having a firewall that can stop unauthorised outbound internet connections.
What is your firewall and OS?
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
For the future, deletion is never a good first option; you have none left. ‘First do no harm’: don’t delete, send the virus to the chest and investigate.
There is no rush to delete anything from the chest; they can’t do any harm there. Anything that you send to the chest you should leave there for a week or two. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
Yes, the Google search was the reason for my question, since on one hand some websites say this virus is supposed to be a backdoor, while on the other hand the use of index.dat seems to be the indication of another kind of virus.
I’m using XP SP2 and I have ZoneAlarm 6.5.731.000. As long as I check carefully which program is asking to “go out”, there is no risk the virus can “override” ZoneAlarm and open a port by itself?
Unfortunately, since you have deleted the index.dat file, there is no way to confirm that by examination at the likes of VirusTotal - Multi engine on-line virus scanner, or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can’t do this with the file in the chest (protected area); you would need to move it out.
Yes, ZA provides reasonable outbound protection, but there is no way I would say there is no risk this or another trojan could elude ZA free; the ZA Pro has better outbound protection, but it comes at a price. ZA doesn’t open the ports as such; the application makes the attempt to connect and ZA (or other firewall) monitors it. If it is a new application, it should challenge the request for connection; if allowed, it lets it through. It is possible that some could get through; see the Firewall Leak Test link below.