TROJ_DELF.VI

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %User Temp%\2.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It creates the following folders:

• %Windows%\Debug\_tmp

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Technique

This Trojan registers itself as a BHO to ensure its automatic execution every time Internet Explorer is used by adding the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{5BF30720-20EA-4B01-8C6A-21D3B0428FD0}

Other System Modifications

This Trojan deletes the following files:

• %Windows%\addins\~4.tmp
• %Windows%\AppPatch\~5.tmp
• %Windows%\Config\~6.tmp
• %Windows%\Connection Wizard\~7.tmp
• %Windows%\Cursors\~8.tmp
• %Windows%\Debug\~9.tmp
• %Windows%\Driver Cache\~A.tmp
• %Windows%\ehome\~B.tmp
• %Windows%\Help\~C.tmp
• %Windows%\ime\~D.tmp
• %Windows%\java\~E.tmp
• %Windows%\Media\~F.tmp
• %Windows%\msagent\~10.tmp
• %Windows%\msapps\~11.tmp
• %Windows%\mui\~12.tmp
• %Windows%\Offline Web Pages\~13.tmp
• %Windows%\pchealth\~14.tmp
• %Windows%\PeerNet\~15.tmp
• %Windows%\Prefetch\~16.tmp
• %Windows%\Provisioning\~17.tmp
• %Windows%\pss\~18.tmp
• %Windows%\Registration\~19.tmp
• %Windows%\repair\~1A.tmp
• %Windows%\Resources\~1B.tmp
• %Windows%\security\~1C.tmp
• %Windows%\SoftwareDistribution\~1D.tmp
• %Windows%\srchasst\~1E.tmp
• %System%\~1F.tmp
• %System%\~20.tmp
• %Temp%\~21.tmp
• %Windows%\twain_32\~22.tmp
• %Windows%\Web\~23.tmp
• %Windows%\WinSxS\~24.tmp

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %Temp% is the Windows Temporary folder, which is usually C:\Windows\Temp or C:\WINNT\Temp.)

It adds the following registry keys:

HKEY_CLASSES_ROOT\CLSID\{5BF30720-20EA-4B01-8C6A-21D3B0428FD0}

HKEY_CLASSES_ROOT\CLSID\{5BF30720-20EA-4B01-8C6A-21D3B0428FD0}\
InprocServer32

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{5BF30720-20EA-4B01-8C6A-21D3B0428FD0}\InprocServer32
ThreadingModel = "Apartment"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{5BF30720-20EA-4B01-8C6A-21D3B0428FD0}
NoExplorer = 1

Dropping Routine

This Trojan drops the following files:

• %User Temp%\3.tmp
• %Windows%\inf\machines.inf
• %System%\SET8.dll
• %Windows%\Provisioning\WMSysPr9.cpl
• %Windows%\Debug\WMSysPr9.dll
• %Windows%\WinSxS\Sti_Trace.dll

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Other Details

This Trojan connects to the following possibly malicious URL:

• http://www.{BLOCKED}mil.kit.net/temp/
• http://www.{BLOCKED}mil.kit.net/temp/Pis4CJSbjs0A.js
• http://www.{BLOCKED}mil.kit.net/temp/IYhs3AIRajrz.js

This report is generated via an automated analysis system.