TrojanSpy:Win32/Delf.CL

TrojanSpy:Win32/Delf.CL is a malware binary written in Delphi and packed with a custom packer to make analysis harder. It gathers email accounts with their associated credentials from the affected computer and then sends them out to a remote attacker.

Installation

TrojanSpy:Win32/Delf.CL is present in the computer as the following file:

%AppData%\svchost.exe

Note that a legitimate Windows file also named "svchost.exe" exists by default in the Windows system folder.

To ensure that it automatically runs every time Windows starts, it creates the following registry entry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "svchost"
With data: "%AppData%\svchost.exe"

It also creates the following registry entry as part of its installation routine:

In subkey: HKCU\Software\UPD
Sets value: "CHK"
With data: "d41d8cd98f00b204e9800998ecf8427e"

Payload

Attempts to steal email accounts
TrojanSpy:Win32/Delf.CL gathers email account login information such as the following:

• Server address
• Connection type
• User name
• Password

from the following applications:

• Becky Internet Mail
• Eudora
• Forte Agent
• Gmail Notifier
• Group Mail
• Incredimail
• Mail.Ru agent
• Mail Commander
• Microsoft Outlook
• Opera
• PocoMail 3
• PocoMail 4
• Pop Peeper
• Safari
• Scribe
• The Bat!
• Thunderbird
• Vypress Auvis
• Windows Live Mail
• Windows Mail

It then attempts to connect to the server "epatage-group.kiev.ua" possibly to send its stolen data.

Analysis by Marian Radu