Trojan:Win32/Delf.LN is a trojan that reports and intercepts Internet traffic and may also download unwanted applications onto your computer.
Installation
Trojan:Win32/Delf.LN may be installed by other malware, or downloaded (via a drive-by download) onto your computer with the file name "bot_unencrypted.exe".
Once run, Trojan:Win32/Delf.LN attempts to copy and install itself with the file name "WtiSysSt.exe" into the following folder:
%SYSTEM%\wbem\
Note: %SYSTEM% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, and 7 it is "C:\Windows\System32".
The trojan installs itself as a system driver, possibly in order to hinder detection and removal. It does this by modifying the registry subkey "HKLM\SYSTEM\ControlSet\Services\SrvWinDrivs4" with the following values and data:
Sets value: "Description"
With data: "(blank)"
Sets value: "DisplayName"
With data: "SrvWinDrivs4"
Sets value: "ImagePath"
With data: "%SYSTEM%\wbem\WtiSysSt.exe", for example "C:\WINDOWS\System32\wbem\WtiSysSt.exe"
It also modifies the following registry entry to ensure that its copy runs at each Windows start:
In subkey: HKLM\SYSTEM\ControlSet\Services\SrvWinDrivs4
Sets value: "Start"
With data: "0x00000002"
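The installation steps above leave three host artifacts: the dropped file in %SYSTEM%\wbem\, the service subkey with its ImagePath and DisplayName, and the Start value of 2 (automatic start at boot). The following PowerShell audit is an added example, not part of the encyclopedia entry, that checks a host for exactly those artifacts and reports them without changing anything. It assumes the live service hive is HKLM\SYSTEM\CurrentControlSet\Services (the entry writes "ControlSet"; CurrentControlSet is the alias Windows resolves at boot) and that the file name and folder are exactly as the entry states.

```powershell
# Added example (not from the encyclopedia entry): read-only audit for the
# Trojan:Win32/Delf.LN persistence artifacts described above.
# Assumption: the service key lives under CurrentControlSet on a running system.

$ServiceName = 'SrvWinDrivs4'
$DropperPath = Join-Path $env:SystemRoot 'System32\wbem\WtiSysSt.exe'   # %SYSTEM%\wbem\WtiSysSt.exe
$ServiceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

function Test-DelfLNPersistence {
    $findings = @()

    # 1. Dropped copy in %SYSTEM%\wbem\
    if (Test-Path -LiteralPath $DropperPath) {
        $file = Get-Item -LiteralPath $DropperPath
        $findings += [pscustomobject]@{
            Indicator = 'File'
            Detail    = "$DropperPath present ($($file.Length) bytes, modified $($file.LastWriteTime))"
        }
    }

    # 2. Service subkey carrying the DisplayName / ImagePath / Start values from the entry
    if (Test-Path -LiteralPath $ServiceKey) {
        $props = Get-ItemProperty -LiteralPath $ServiceKey
        $findings += [pscustomobject]@{
            Indicator = 'Registry'
            Detail    = "$ServiceKey exists (DisplayName='$($props.DisplayName)', ImagePath='$($props.ImagePath)', Start=$($props.Start))"
        }
        # Start = 2 is SERVICE_AUTO_START: the copy is launched at every Windows start
        if ($props.Start -eq 2) {
            $findings += [pscustomobject]@{ Indicator = 'Autostart'; Detail = "$ServiceName is set to start automatically (Start=2)" }
        }
        # ImagePath pointing at the wbem drop location is the stronger signal than the service name alone
        if ($props.ImagePath -and ($props.ImagePath -like '*\wbem\WtiSysSt.exe*')) {
            $findings += [pscustomobject]@{ Indicator = 'ImagePath'; Detail = "ImagePath points at the wbem drop location: $($props.ImagePath)" }
        }
    }

    # 3. Live service or process, in case the key was cleaned but the running copy survived
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += [pscustomobject]@{ Indicator = 'Service'; Detail = "$ServiceName registered, status $($svc.Status)" }
    }
    $proc = Get-Process -Name 'WtiSysSt' -ErrorAction SilentlyContinue
    if ($proc) {
        $findings += [pscustomobject]@{ Indicator = 'Process'; Detail = "WtiSysSt.exe running (PID $($proc.Id -join ', '))" }
    }

    return $findings
}

$result = Test-DelfLNPersistence
if (-not $result -or $result.Count -eq 0) {
    Write-Output 'No Trojan:Win32/Delf.LN persistence artifacts found.'
} else {
    $result | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM service hive and %SYSTEM%\wbem\ are readable. The ImagePath check is deliberately separate from the service-name check: a renamed service that still launches a binary from the wbem folder is the same persistence, while the name SrvWinDrivs4 on its own is only a weak hint.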
Payload
Steals sensitive information
Trojan:Win32/Delf.LN may intercept HTTPS and HTTP traffic (secure and unsecure Internet data), so as to obtain your personal information, including the following:
- Cookies
- Passwords
- User names
- Website session histories
It sends this information to a remote host. In the wild, we have observed the trojan connecting to "1nfo.in/bot/in.php".
Trojan:Win32/Delf.LN can also act as a proxy, possibly to allow an attacker to use your network connection.
Downloads arbitrary files
Trojan:Win32/Delf.LN may attempt to connect to the following servers, possibly to download arbitrary files:
- cdneu.extrimdownloadmanager.com
- cdnus.extrimdownloadmanager.com
- os.extrimdownloadmanager.com
Contacts remote host
Trojan:Win32/Delf.LN utilizes code injection to contact a remote host at "1nfo.in/bot/in.php".
When Trojan:Win32/Delf.LN runs, it injects code into the following processes:
Commonly, malware may contact a remote host for the following purposes:
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
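The "Downloads arbitrary files" and "Contacts remote host" sections give the network indicators for this trojan: the three extrimdownloadmanager.com hosts and the "1nfo.in/bot/in.php" reporting URL. The PowerShell below is an added example, not part of the encyclopedia entry, that searches proxy or DNS log text for those hostnames and reports which client talked to them. The log format (timestamp, client IP, method, URL, status) and the sample lines are constructed for the demonstration; adapt the field indexes to your own log layout.

```powershell
# Added example (not from the encyclopedia entry): search log text for the
# network indicators listed in the entry. Sample log lines are constructed.

$Indicators = @(
    '1nfo.in',                            # reporting host for /bot/in.php
    'cdneu.extrimdownloadmanager.com',
    'cdnus.extrimdownloadmanager.com',
    'os.extrimdownloadmanager.com'
)

# Constructed proxy-style log: date time client method url status
$SampleLog = @'
2024-01-05 10:01:02 10.0.0.12 GET http://www.example.com/index.html 200
2024-01-05 10:01:09 10.0.0.12 POST http://1nfo.in/bot/in.php 200
2024-01-05 10:02:41 10.0.0.37 GET http://cdnus.extrimdownloadmanager.com/update.bin 200
2024-01-05 10:03:00 10.0.0.12 GET https://login.example.org/ 200
2024-01-05 10:04:15 10.0.0.51 GET http://notextrimdownloadmanager.com/ 200
'@ -split "`r?`n"

function Find-DelfLNBeacons {
    param(
        [string[]]$Lines,
        [string[]]$Hosts
    )
    # Escape each hostname so its dots are literal, then require it to stand as a
    # whole host component: preceded by start, whitespace, "/", "@" or "." (so
    # subdomains still match) and followed by "/", ":", whitespace or end of line.
    $alternation = ($Hosts | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $regex = [regex]"(?i)(?:^|[\s/@.])(?:$alternation)(?:[\s/:]|$)"

    foreach ($line in $Lines) {
        if (-not $line.Trim()) { continue }
        if ($regex.IsMatch($line)) {
            $fields = $line -split '\s+'
            [pscustomobject]@{
                Time   = "$($fields[0]) $($fields[1])"
                Client = $fields[2]
                Method = $fields[3]
                Url    = $fields[4]
            }
        }
    }
}

# Two hits expected from the sample: the 1nfo.in POST and the cdnus download.
Find-DelfLNBeacons -Lines $SampleLog -Hosts $Indicators | Format-Table -AutoSize
```

The boundary characters around the alternation are what keep "notextrimdownloadmanager.com" in the last sample line from matching: a plain substring search would flag it. To run this over a real file, replace $SampleLog with Get-Content on the proxy or DNS log and group the output by Client to see which hosts need the persistence audit.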
Additional information
The trojan can make websites believe that you are using a different web browser or application, possibly in order to hinder detection and removal. The browsers it can impersonate include:
- Apple Safari
- Avant Browser
- Google Chrome
- Mozilla Firefox
Analysis by Patrik Vicol