Threat behavior
VirTool:Win32/DelfInject.gen!BI is a generic detection for malware that has been obfuscated to hinder detection and removal. The loader is written in Delphi; the malicious code is stored in encrypted form and is decrypted only when the loader runs.
Installation
In the wild, this malware may be distributed under any of the following file names:
<3 digit number>.exe
livemessenger.com
nodesetsups.exe
msnmgr.exe
msn.exe
avsxrc.exe
When run, the loader decrypts the malicious code and injects it into the Windows "explorer.exe" process. The malware then drops a copy of itself to the local drive, as in the following example:
%USERPROFILE%\Application Data\tbsz.exe
The registry is modified to run the dropped malware at each Windows start, as in the following example:
Sets value: "Taskman"
With data: "%USERPROFILE%\Application Data\tbsz.exe"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
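As an added example, not part of the original write-up, the following Python script triages a `reg export` of the Winlogon key for the persistence entry described above. The .reg parser, the two sample exports and the rule set are constructed here for illustration. The "Taskman" value is absent on a default Windows install, so any occurrence is worth a look; the check raises the finding further when the target sits under a user profile directory, as in the example above, and additionally flags a "Shell" value that is not explorer.exe or a "Userinit" value that does not point at the system userinit.exe (general Winlogon checks, not behaviour this page attributes to the malware).

```python
"""Triage a 'reg export' of the Winlogon key for suspicious autostart values.

The parser, samples and rules below are constructed for this example; they are
not from the original malware description.
"""
import re
from typing import Dict, List, Tuple

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample: what an export of the Winlogon key might look like on an
# infected host (trimmed to the values that matter here).
SAMPLE_INFECTED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Taskman"="C:\\Documents and Settings\\victim\\Application Data\\tbsz.exe"
'''

# Constructed sample of a clean host: no Taskman value at all.
SAMPLE_CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" lines (REG_SZ). Backslashes and quotes inside are escaped with '\'.
_SZ_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_PROFILE_DIRS = ("application data", "appdata", "documents and settings", "users")


def _unescape(s: str) -> str:
    """Undo .reg escaping: '\\\\' -> '\\', '\\"' -> '"'."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REG_SZ values from a .reg export into {key_path: {name: data}}.

    dword:/hex: values are ignored; they are not needed for this check.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _SZ_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def triage_winlogon(values: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (value_name, reason, data) for each suspicious Winlogon value."""
    findings: List[Tuple[str, str, str]] = []
    lower = {k.lower(): (k, v) for k, v in values.items()}

    # Taskman does not exist on a default install; Explorer runs whatever it
    # names at logon, so any value is suspect, more so inside a profile dir.
    if "taskman" in lower:
        name, data = lower["taskman"]
        reason = "Taskman value present (absent by default)"
        if any(p in data.lower() for p in _PROFILE_DIRS):
            reason += "; target is inside a user profile directory"
        findings.append((name, reason, data))

    # Shell should be explorer.exe; Userinit should be the system userinit.exe
    # (the trailing comma in Userinit is normal).
    if "shell" in lower and lower["shell"][1].strip().lower() != "explorer.exe":
        findings.append((lower["shell"][0], "Shell is not explorer.exe", lower["shell"][1]))
    if "userinit" in lower:
        first = lower["userinit"][1].split(",")[0].strip().lower()
        if not first.endswith(r"\system32\userinit.exe"):
            findings.append((lower["userinit"][0], "Userinit is not system32\\userinit.exe",
                             lower["userinit"][1]))
    return findings


def triage_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Locate the Winlogon key in an export (case-insensitively) and triage it."""
    for path, values in parse_reg_export(text).items():
        if path.lower() == WINLOGON_KEY.lower():
            return triage_winlogon(values)
    return []


if __name__ == "__main__":
    for sample_name, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(f"[{sample_name}]")
        for name, reason, data in triage_reg_export(sample) or []:
            print(f"  {name}: {reason} -> {data}")
```

On a real host, produce the input with `reg export "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` and read the file with `encoding="utf-16"`, since `reg export` writes UTF-16LE with a byte-order mark. The script only reads the export, so it can be run from an analysis workstation against files collected from several machines.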
Payload
Connects to remote server
The malware reports its installation to a remote server and sends information about the affected computer, which the operators can use for sending spam e-mail. One example of a remote server name contacted is "sec11.helohmar.com".
Analysis by Vincent Tiu
Prevention