Trojan:Win32/Delf.LN


Trojan:Win32/Delf.LN is a trojan that reports and intercepts Internet traffic and may also download unwanted applications onto your computer.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Trojan:Win32/Delf.LN is a trojan that reports and intercepts Internet traffic and may also download unwanted applications onto your computer.

Installation

Trojan:Win32/Delf.LN may be installed by other malware, or downloaded (via a drive-by download) onto your computer with the file name "bot_unencrypted.exe".

Once run, Trojan:Win32/Delf.LN attempts to copy and install itself with the file name "WtiSysSt.exe" into the following folder:

%SYSTEM%\wbem\

Note: %SYSTEM% (the system folder) refers to a variable location that the malware determines by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; for XP, Vista, and 7 it is "C:\Windows\System32".

The trojan installs itself as a system driver, possibly in order to hinder detection and removal. It does this by modifying the registry subkey "HKLM\SYSTEM\ControlSet\Services\SrvWinDrivs4" with the following values and data:

Sets value: "Description"
With data: "(blank)"

Sets value: "DisplayName"
With data: "SrvWinDrivs4"

Sets value: "ImagePath"
With data: "%SYSTEM%\wbem\WtiSysSt.exe", for example "C:\WINDOWS\System32\wbem\WtiSysSt.exe"

It also modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKLM\SYSTEM\ControlSet\Services\SrvWinDrivs4
Sets value: "Start"
With data: "0x00000002"

Payload

Steals sensitive information

Trojan:Win32/Delf.LN may intercept HTTPS and HTTP traffic (secure and insecure Internet data) in order to obtain your personal information, including the following:

  • Cookies
  • Passwords
  • User names
  • Website session histories

It sends this information to a remote host. In the wild, we have observed the trojan connecting to "1nfo.in/bot/in.php".

Trojan:Win32/Delf.LN can also act as a proxy, possibly to allow an attacker to use your network connection.

Downloads arbitrary files

Trojan:Win32/Delf.LN may attempt to connect to the following servers, possibly to download arbitrary files:

  • cdneu.extrimdownloadmanager.com
  • cdnus.extrimdownloadmanager.com
  • os.extrimdownloadmanager.com

Contacts remote host

Trojan:Win32/Delf.LN utilizes code injection to contact a remote host at "1nfo.in/bot/in.php".

When Trojan:Win32/Delf.LN runs, it injects code into the following processes:

  • lsass.exe
  • svchost.exe

Commonly, malware may contact a remote host for the following purposes:

  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer

Additional information

The trojan can trick websites into believing you are using a different Internet browser or application, possibly in order to hinder detection and removal. The browsers it can impersonate include:

  • Apple Safari
  • Avant Browser
  • Google Chrome
  • Mozilla Firefox

Analysis by Patrik Vicol


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following file:

    %SYSTEM%\wbem\WtiSysSt.exe
  • The presence of the following registry modifications:

    In subkey: "HKLM\SYSTEM\ControlSet\Services\SrvWinDrivs4"
    Sets value: "Description"
    With data: "(blank)"

    In subkey: "HKLM\SYSTEM\ControlSet\Services\SrvWinDrivs4"
    Sets value: "DisplayName"
    With data: "SrvWinDrivs4"

    In subkey: "HKLM\SYSTEM\ControlSet\Services\SrvWinDrivs4"
    Sets value: "ImagePath"
    With data: "%SYSTEM%\wbem\WtiSysSt.exe", for example "C:\WINDOWS\System32\wbem\WtiSysSt.exe"

    In subkey: "HKLM\SYSTEM\ControlSet\Services\SrvWinDrivs4"
    Sets value: "Start"
    With data: "0x00000002"
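As an added example (not part of the Microsoft write-up), a small Python check that parses a `reg export` dump of the Services key and flags entries matching the symptoms above: the SrvWinDrivs4 service name, or an ImagePath ending in \wbem\WtiSysSt.exe under either default system folder. The sample export is constructed, and the `CurrentControlSet` hive path and the fully expanded ImagePath are assumptions.

```python
import re

# Constructed sample of a `reg export HKLM\SYSTEM\CurrentControlSet\Services` dump (not a
# real capture); it contains one benign service and one entry matching the page's indicators.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winmgmt]
"DisplayName"="Windows Management Instrumentation"
"ImagePath"="C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrvWinDrivs4]
"Description"=""
"DisplayName"="SrvWinDrivs4"
"ImagePath"="C:\\WINDOWS\\System32\\wbem\\WtiSysSt.exe"
"Start"=dword:00000002
'''

# Indicators from the write-up; %SYSTEM% may expand to either default system folder.
SERVICE_NAME = "srvwindrivs4"
IMAGE_RE = re.compile(r"^[a-z]:\\(windows|winnt)\\system32\\wbem\\wtisysst\.exe$", re.I)

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a .reg export (string and dword values)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            else:
                # .reg files escape backslashes as "\\"; undo that for path matching
                keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_indicators(reg_text):
    """Return service keys whose name or ImagePath matches the Delf.LN indicators."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if "\\services\\" not in key.lower():
            continue
        name = key.rsplit("\\", 1)[-1].lower()
        image = values.get("ImagePath", "")
        # Either indicator alone is worth surfacing: a renamed binary or a renamed service
        # key would otherwise slip past a check that requires both.
        if name == SERVICE_NAME or IMAGE_RE.match(image):
            hits.append({"key": key, "image_path": image,
                         "autostart": values.get("Start") == 2,      # Start=0x2 (auto)
                         "blank_description": values.get("Description") == ""})
    return hits
```

The `autostart` and `blank_description` fields reproduce the other two registry symptoms so an analyst can see at a glance whether the full pattern from the write-up is present.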


Prevention


Alert level: Severe
First detected by definition: 1.129.1589.0
Latest detected by definition: 1.133.19.0 and higher
First detected on: Jul 13, 2012
This entry was first published on: Jul 13, 2012
This entry was updated on: Sep 12, 2012

This threat is also detected as:
  • BackDoor.DirtJump.236 (Dr.Web)
  • TR/Barys.547.4 (Avira)
  • TROJ_SPNR.0BHH12 (Trend Micro)
  • Worm/Win32.Joleee (AhnLab)