Trojan:Win32/Delf.LN


First posted on 12 September 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Delf.LN is also known as BackDoor.DirtJump.236 (Dr.Web), TR/Barys.547.4 (Avira), TROJ_SPNR.0BHH12 (Trend Micro), Worm/Win32.Joleee (AhnLab).

Explanation:

Trojan:Win32/Delf.LN is a trojan that intercepts Internet traffic, reports it to a remote host, and may also download potentially unwanted applications onto your computer.



Installation

Trojan:Win32/Delf.LN may be installed by other malware, or downloaded (via a drive-by download) onto your computer with the file name "bot_unencrypted.exe".

Once run, Trojan:Win32/Delf.LN attempts to copy and install itself with the file name "WtiSysSt.exe" into the following folder:

%SYSTEM%\wbem\

Note: %SYSTEM% refers to a variable location that the malware determines by querying the operating system. The default System folder is "C:\WinNT\System32" on Windows NT and 2000, and "C:\Windows\System32" on Windows XP, Vista, and 7.

The trojan installs itself as a system driver, possibly in order to hinder detection and removal. It does this by modifying the registry subkey "HKLM\SYSTEM\ControlSet\Services\SrvWinDrivs4" with the following values and data:

Sets value: "Description"
With data: "(blank)"

Sets value: "DisplayName"
With data: "SrvWinDrivs4"

Sets value: "ImagePath"
With data: "%SYSTEM%\wbem\WtiSysSt.exe", for example "C:\WINDOWS\System32\wbem\WtiSysSt.exe"

It also modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKLM\SYSTEM\ControlSet\Services\SrvWinDrivs4
Sets value: "Start"
With data: "0x00000002"
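
As an added triage example (not code from the Microsoft write-up), the following PowerShell script checks a host for the persistence and file indicators described above and for cached DNS lookups of the hosts named in the Payload section. It assumes the service key sits under CurrentControlSet (the write-up shortens this to "ControlSet") and that %SYSTEM% resolves to $env:SystemRoot\System32.

```powershell
# Added triage example, not code from the Microsoft write-up. Run in an elevated
# PowerShell session on the suspected host. Assumptions: the service key lives under
# CurrentControlSet (the write-up abbreviates it to "ControlSet") and %SYSTEM%
# resolves to $env:SystemRoot\System32.
function Invoke-DelfLNTriage {
    $serviceName = 'SrvWinDrivs4'
    $serviceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
    $dropPath    = Join-Path $env:SystemRoot 'System32\wbem\WtiSysSt.exe'
    $findings    = New-Object System.Collections.Generic.List[string]

    # Persistence: the service entry the trojan creates. Start = 2 (0x00000002) is
    # SERVICE_AUTO_START, i.e. the Service Control Manager launches it at boot.
    if (Test-Path -LiteralPath $serviceKey) {
        $svc = Get-ItemProperty -LiteralPath $serviceKey
        $findings.Add("Service key present: $serviceKey")
        $findings.Add("  DisplayName: $($svc.DisplayName)")
        $findings.Add("  ImagePath:   $($svc.ImagePath)")
        $findings.Add(("  Start:       0x{0:X8}" -f [int]$svc.Start))
    }

    # Dropped binary in the WMI folder; hash it for IoC sharing before remediation.
    if (Test-Path -LiteralPath $dropPath) {
        $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
        $findings.Add("File present: $dropPath (SHA256 $hash)")
    }

    # Any other service whose binary lives in System32\wbem. WmiApSrv (WMI Performance
    # Adapter) legitimately lives there; anything else deserves a closer look.
    $expected = @($serviceName, 'wmiApSrv')
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match '\\wbem\\' -and $expected -notcontains $_.Name } |
        ForEach-Object { $findings.Add("Unexpected service in wbem folder: $($_.Name) -> $($_.PathName)") }

    # Network indicators from the Payload section, checked against the local DNS cache
    # (ipconfig is available on every Windows version the write-up covers).
    $hits = ipconfig /displaydns | Select-String -Pattern '1nfo\.in|extrimdownloadmanager\.com'
    foreach ($h in $hits) { $findings.Add("DNS cache entry: $($h.Line.Trim())") }

    if ($findings.Count -eq 0) { $findings.Add('No Trojan:Win32/Delf.LN indicators found.') }
    return $findings
}

Invoke-DelfLNTriage
```

A hit on the service key or the dropped file is a strong indicator; a DNS cache hit alone only shows that something on the host resolved the name and should be correlated with proxy or firewall logs.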

Payload

Steals sensitive information

Trojan:Win32/Delf.LN may intercept HTTPS and HTTP traffic (encrypted and unencrypted web data) so as to obtain your personal information, including the following:

  • Cookies
  • Passwords
  • User names
  • Website session histories


It sends this information to a remote host. In the wild, we have observed the trojan connecting to "1nfo.in/bot/in.php".

Trojan:Win32/Delf.LN can also act as a proxy, possibly to allow an attacker to use your network connection.

Downloads arbitrary files

Trojan:Win32/Delf.LN may attempt to connect to the following servers, possibly to download arbitrary files:

  • cdneu.extrimdownloadmanager.com
  • cdnus.extrimdownloadmanager.com
  • os.extrimdownloadmanager.com


Contacts remote host

Trojan:Win32/Delf.LN utilizes code injection to contact a remote host at "1nfo.in/bot/in.php".

When Trojan:Win32/Delf.LN runs, it injects code into the following processes:

  • lsass.exe
  • svchost.exe


Commonly, malware may contact a remote host for the following purposes:

  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer

Additional information

The trojan can make websites believe you are using a different Internet browser or application, possibly in order to hinder detection and removal. The browsers it impersonates include:

  • Apple Safari
  • Avant Browser
  • Google Chrome
  • Mozilla Firefox

Analysis by Patrik Vicol

Last update 12 September 2012
