Threat behavior
Trojan:Win32/Delf.IY is a detection for a trojan downloader component that downloads online-banking password-stealing trojans from a predefined Web address.
Installation
When run, Trojan:Win32/Delf.IY creates a copy of itself as the following file:
<system folder>\wlconex.exe
The registry is modified to run the trojan copy at each Windows start.
Adds value: "cwlconex"
With data: "<system folder>\wlconex.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The trojan creates a service to execute the trojan downloader.
Adds value: "ImagePath"
With data: "%ProgramFiles%\gbplugin\gbpsvx.exe"
To subkeys:
HKLM\SYSTEM\ControlSet001\Services\GbpSv
HKLM\SYSTEM\ControlSet002\Services\GbpSv
HKLM\SYSTEM\ControlSet003\Services\GbpSv
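The following PowerShell script is an added host-triage example and is not part of the encyclopedia entry. It checks a machine for the three indicator groups listed above (the dropped file in the system folder, the "cwlconex" Run value, and the GbpSv service ImagePath in each control set). The indicator names and paths are taken from the description; the inclusion of CurrentControlSet, the SHA256 and Authenticode checks, and the output format are this script's own assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the encyclopedia entry): host triage for the
# Trojan:Win32/Delf.IY indicators. Indicator names/paths come from the
# description; everything else here is an assumption of this script.

$findings = @()

# 1. Dropped copy in the system folder (<system folder>\wlconex.exe).
$systemFolder = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
$dropPath = Join-Path $systemFolder 'wlconex.exe'
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += "File present: $dropPath (SHA256 $hash)"
}

# 2. Autostart value "cwlconex" under the HKLM Run key.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = Get-ItemProperty -Path $runKey -Name 'cwlconex' -ErrorAction SilentlyContinue
if ($null -ne $runValue) {
    $findings += "Run value 'cwlconex' -> $($runValue.cwlconex)"
}

# 3. GbpSv service ImagePath. The description lists ControlSet001-003;
# CurrentControlSet is added because it is the set actually in use.
$controlSets = @('CurrentControlSet', 'ControlSet001', 'ControlSet002', 'ControlSet003')
foreach ($cs in $controlSets) {
    $svcKey = "HKLM:\SYSTEM\$cs\Services\GbpSv"
    $svc = Get-ItemProperty -Path $svcKey -Name 'ImagePath' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }

    # ImagePath is REG_EXPAND_SZ; expand %ProgramFiles% and strip surrounding quotes.
    # (The description shows a bare path, so trailing arguments are not handled here.)
    $image = [Environment]::ExpandEnvironmentVariables($svc.ImagePath).Trim('"')
    $line = "$cs GbpSv ImagePath -> $image"
    if (Test-Path -LiteralPath $image) {
        # A service with this name can also belong to legitimately installed
        # software, so record the signer status and hash for review instead of
        # treating the service's presence alone as proof of infection.
        $sig  = Get-AuthenticodeSignature -FilePath $image
        $hash = (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash
        $line += " [signature: $($sig.Status); SHA256 $hash]"
    } else {
        $line += ' [file missing on disk]'
    }
    $findings += $line
}

if ($findings.Count -eq 0) {
    'No Trojan:Win32/Delf.IY indicators found.'
} else {
    'Indicators found:'
    $findings | ForEach-Object { "  $_" }
}
```

The script reports rather than removes: the description gives no file hashes, so a matching path or service name is a lead to verify against the binary's signature and hash, not a confirmed infection, and the same name may be present on a clean system. Collect the reported files before taking any cleanup action so the downloaded banking components can be identified as well.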
Additional Information
The installed malware runs with other components downloaded and installed by TrojanDownloader:Win32/Delf.JA. For more information about this trojan, see the description elsewhere in the encyclopedia.
Analysis by Wei Li
Prevention