Threat Database Trojans Trojan:BAT/Delosc.A


By ESGI Advisor in Trojans

Threat Scorecard

Ranking: 455
Threat Level: 20 % (Normal)
Infected Computers: 99,426
First Seen: January 26, 2012
Last Seen: September 20, 2023
OS(es) Affected: Windows

Trojan:BAT/Delosc.A is a trojan that was first detected in January of 2012. It has been linked to a malicious Romanian website, although there is no doubt that this malware attacker is not limited to this particular attack website. This website,, which translates as 'social assistance' or 'social welfare' was not considered as a dangerous website. In fact, this web page is quite popular and is near the top in search engine rankings. It seems that Trojan:BAT/Delosc.A may have been inserted into this website as a way to target more victims by taking advantage of the demand of this particular Romanian website.

How Criminals Use to Deliver Trojan:BAT/Delosc.A

The web page mentioned above attempts to help computer users by providing samples of how to fill out various official documents used in important transactions. However, criminals have managed to substitute these documents with malware such as Trojan:BAT/Delosc.A. To carry this attack out, criminals must have hacked this website, since its previous credentials and reputation do not make it likely that turned into an attack website overnight. Trojan:BAT/Delosc.A will be contained in an EXE file, which is disguised as cerere.doc, which should be a file for Microsoft Word ('cerere' means 'application' in Romanian, making it likely that this file is disguised as an application form for some kind of transaction). While the EXE file will contain a Microsoft Word icon, these are actually executables which install Trojan:BAT/Delosc.A on the victim's computer when the victim attempts to open them. Other malicious files on this website use icons imitating PDF files and Excel files. In a clever move, the criminals behind Trojan:BAT/Delosc.A attack have engineered their executable files so that they will drop and open the original Excel, Word or PDF file so that the victim will not be aware that Trojan:BAT/Delosc.A has infected their computer system.

How Trojan:BAT/Delosc.A Attacks Your Computer System

Apart from dropping the original file, the EXE file also drops a BAT file which security software detects as Trojan:BAT/Delosc.A. This BAT file named open_file is dropped in the Temporary files folder. The main task that Trojan:BAT/Delosc.A carries out on the victim's computer is detecting the presence of a program that is used in official Romanian government institutions. These are Indaco and Aplxpert, programs used for legal documents and public administration. It targets specific documents and folders with strings related to social assistance tasks, making it seem like the goal of the criminals behind Trojan:BAT/Delosc.A is to cause chaos within the Romanian government.


Trojan:BAT/Delosc.A may call the following URLs:


Most Viewed