TrojanDropper:Win32/Delf.BC creates a remote connection, downloads a password stealer from a predefined remote Web site, and captures and then sends passwords entered in all application windows.
Installation
When Win32/Delf.BC is executed, it will drop the following files into the Windows system folder:
abchelp.exe - copy of Win32/Delf.BC
winhelp32.exe - copy of Win32/Delf.BC
directx.exe - copy of Win32/Delf.BC
system.exe - trojan dropper
The registry is modified to run the dropped copies at each Windows start.
Adds value: run
With data: "winhelp32.exe"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Modifies value: shell
With data: "explorer.exe <system folder>\directx.exe"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Adds value: default
With data: "abchelp.exe"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\RunServices
Win32/Delf.BC will then launch the files '<system folder>\abchelp.exe' and '<system folder>\system.exe'. The dropper component 'system.exe' drops the following file:
<system folder>\iexplore .exe
The registry is modified to run the dropped copy at each Windows start.
Adds value: "mssysint"
With data: "iexplore .exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
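The persistence entries listed above can be checked for with a script like the following, added here as an example and not part of the original analysis. The registry snapshot is a constructed dict standing in for a live winreg read, and the system folder path in it is assumed; beyond the exact Delf.BC values it also flags any non-default Winlogon shell value, the generic form of the shell-chaining trick used here.

```python
import re

# Persistence entries documented for Win32/Delf.BC: (subkey, value name, data pattern).
# Registry key and value names are case-insensitive, so both are compared lowercased.
DELF_BC_INDICATORS = [
    (r"hkcu\software\microsoft\windows nt\currentversion\windows", "run",
     re.compile(r"winhelp32\.exe", re.I)),
    (r"hkcu\software\microsoft\windows nt\currentversion\winlogon", "shell",
     re.compile(r"directx\.exe", re.I)),
    (r"hkcu\software\microsoft\windows nt\currentversion\runservices", "default",
     re.compile(r"abchelp\.exe", re.I)),
    (r"hklm\software\microsoft\windows\currentversion\runservices", "mssysint",
     re.compile(r"iexplore \.exe", re.I)),  # the dropped name has a space before ".exe"
]
WINLOGON = r"hkcu\software\microsoft\windows nt\currentversion\winlogon"

def normalize(snapshot):
    """Lowercase subkeys and value names; data is left untouched for reporting."""
    return {k.lower(): {v.lower(): d for v, d in vals.items()} for k, vals in snapshot.items()}

def find_delf_bc_persistence(snapshot):
    """Return (subkey, value, data, reason) for each Delf.BC indicator present.
    Any Winlogon 'shell' other than plain explorer.exe is also flagged, since
    chaining a payload onto the shell is the generic form of this trick."""
    snap = normalize(snapshot)
    hits = []
    for subkey, value_name, pattern in DELF_BC_INDICATORS:
        data = snap.get(subkey, {}).get(value_name)
        if data is not None and pattern.search(data):
            hits.append((subkey, value_name, data, "Delf.BC indicator"))
    shell = snap.get(WINLOGON, {}).get("shell")
    already = any(h[0] == WINLOGON and h[1] == "shell" for h in hits)
    if shell is not None and shell.strip().lower() != "explorer.exe" and not already:
        hits.append((WINLOGON, "shell", shell, "non-default Winlogon shell"))
    return hits

# Constructed snapshot mirroring the infected state described above; the system folder
# path is assumed. On a live host this dict would be filled from winreg instead.
INFECTED_SNAPSHOT = {
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows": {"run": "winhelp32.exe"},
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": r"explorer.exe C:\WINDOWS\system32\directx.exe"},
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\RunServices": {"default": "abchelp.exe"},
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices": {"mssysint": "iexplore .exe"},
}
# Constructed clean snapshot: only a benign Run entry.
CLEAN_SNAPSHOT = {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {"Sync": "sync.exe"}}
```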
Payload
Downloads Malware
When the dropped component 'iexplore .exe' executes, it connects to a predefined remote Web site named '365i.51.net' and downloads a password-stealing trojan named 'pwdbox101.exe'.
The registry may be modified with the addition of a registry subkey and data.
Adds value: "tmUpgrade_p"
With data: "òâ"
To subkey: HKLM\Software\CLASSES\ZPwd_box
Creates Backdoor
The component 'iexplore .exe' opens and awaits connections (from an attacker) on various UDP ports.
Captures Passwords
The downloaded password stealer is executed and monitors all application windows in which a user may enter a password. Captured passwords are sent to an attacker's predefined e-mail address via the trojan.
Analysis by Tim Liu