VirTool:Win32/DelfInject.gen!BI is a generic detection for malware that has been obfuscated to hinder detection and removal. The loader is written in Delphi; the malicious payload is stored in encrypted form and is decrypted only at run time.
In the wild, this malware may be distributed as any of the following file names:
<3 digit number>.exe
When run, the loader decrypts the malware code and injects it into the Windows "explorer.exe" process. The malware then drops a copy of itself to the local drive; in the registry example below, the dropped copy is the file named in the "Taskman" value's data.
The registry is modified so that the dropped copy runs at each Windows start, as in the following example:
Sets value: "Taskman"
With data: "%USERPROFILE%\Application Data\tbsz.exe"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Connects to remote server
The malware reports its installation to a remote server and sends information about the affected computer, which is used to support spam e-mail campaigns. One example of a remote server name contacted is "sec11.helohmar.com".
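A host triage check for the persistence entry and the remote server named above, added here as an example; it is not code from the original entry or from Microsoft. It reads the Winlogon "Taskman" value, expands any %USERPROFILE% reference once per local profile (the value lives under HKLM, so the actual path depends on which user logs on), hashes whatever file the value points at, looks for the reporting domain in the DNS resolver cache, and shows the removal step with -WhatIf. The profile-directory path patterns are heuristics, the assumption that Taskman is absent on a clean install should be checked against a known-good baseline, and Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added triage script; not code from the original encyclopedia entry.
# Assumptions: run in an elevated PowerShell on the affected host; the
# per-user path patterns are heuristics; the Taskman value is normally absent
# on a clean install (verify against your own known-good baseline).

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
# Domain from the example in the entry above; extend with your own indicators.
$KnownC2 = @('helohmar.com')

function Get-TaskmanData {
    # Raw Taskman data, or $null when the value does not exist.
    (Get-ItemProperty -Path $WinlogonKey -Name Taskman -ErrorAction SilentlyContinue).Taskman
}

function Expand-TaskmanPath {
    # The value sits under HKLM but the example data contains %USERPROFILE%,
    # which winlogon expands for the user who logs on. Expand it once per local
    # profile so every possible location of the dropped copy is examined.
    # (Profile paths are not expected to contain '$', so a plain -ireplace is safe.)
    param([string]$Data)
    $profiles = @($null)
    if ($Data -match '%USERPROFILE%') {
        $profiles = Get-ItemProperty -Path "$ProfileList\*" -ErrorAction SilentlyContinue |
            ForEach-Object { $_.ProfileImagePath } | Where-Object { $_ }
    }
    foreach ($p in $profiles) {
        $candidate = if ($p) { $Data -ireplace '%USERPROFILE%', $p } else { $Data }
        [Environment]::ExpandEnvironmentVariables($candidate)
    }
}

function Test-TaskmanPersistence {
    $data = Get-TaskmanData
    if ($null -eq $data) {
        return [pscustomobject]@{ Present = $false; Data = $null; Findings = @() }
    }
    $findings = foreach ($path in Expand-TaskmanPath -Data $data) {
        $reasons = @()
        # Heuristic: a task manager replacement launched from a per-user
        # profile directory (as in the example) is suspicious.
        if ($path -match '\\(Application Data|AppData|Local Settings|Temp)\\') {
            $reasons += 'runs from a user profile directory'
        }
        $hash = $null
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            # Collect the hash before removal so the sample can be analysed later.
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        } else {
            $reasons += 'target not present on disk (other profile, or already removed)'
        }
        [pscustomobject]@{ Path = $path; Exists = [bool]$hash; SHA256 = $hash; Reasons = $reasons }
    }
    [pscustomobject]@{ Present = $true; Data = $data; Findings = @($findings) }
}

function Test-KnownC2InDnsCache {
    # Cheap network indicator: look for the reporting domain in the resolver
    # cache. ipconfig /displaydns is available on every Windows version.
    $cache = ipconfig /displaydns 2>$null
    foreach ($d in $KnownC2) {
        if ($cache | Select-String -SimpleMatch $d -Quiet) { $d }
    }
}

$result = Test-TaskmanPersistence
if ($result.Present) {
    Write-Host "Winlogon\Taskman is set: $($result.Data)"
    $result.Findings | Format-List
    # Removal: drop -WhatIf once the entry is confirmed malicious and the
    # dropped file and its hash have been collected for analysis.
    Remove-ItemProperty -Path $WinlogonKey -Name Taskman -WhatIf
} else {
    Write-Host 'Winlogon\Taskman is not set.'
}

$hits = @(Test-KnownC2InDnsCache)
if ($hits) { Write-Host "DNS cache contains: $($hits -join ', ')" }
```

The registry value is only the persistence hook; the running copy injected into explorer.exe is not removed by deleting the value, so reboot (or terminate and restart explorer.exe) after removal and re-run the check to confirm the value does not come back.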
Analysis by Vincent Tiu