Threat behavior
TrojanSpy:Win32/Delf.HF is a Trojan data stealer that targets "TianLongBaBu", a popular massively multiplayer online role-playing game (MMORPG).
Installation
If this Trojan is run, it installs itself as a Browser Helper Object (BHO) by dropping a file into the Windows system folder, and then registers the dropped file to run when Windows starts, as in this example:
Adds value with data:
"(default)" = "<system folder>\exppri.dll"
Within subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{242BC422-2712-124C-2F54-22B35C62B1E2}\InprocServer32
Adds value with data:
"{242BC422-2712-124C-2F54-22B35C62B1E2}" = "exppri.dll"
Within subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
Payload
This Trojan may disable Windows Autoupdate, and the options for enabling it, by altering the following registry entries:
Modifies values:
"NoAutoUpdate" = "0"
"AU AUOptions" = "0"
Within subkey: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Next, the Trojan checks whether "TianLongBaBu" is running by calling the Windows function "FindWindow" to look for the window "TianLongBaBu WndClass". The Trojan also searches all drives for the following game file:
\Tianlongbabu\Bin\UI_CEGUI.dll
If the game is found, the Trojan captures the game user's name, password, server information, nickname, and level/money information, and sends them to the Trojan author.
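The two registry locations described above (the ShellExecuteHooks registration under Installation and the WindowsUpdate\AU policy values under Payload) can be audited on a host with the following script. It is an added example, not part of the encyclopedia entry, uses only standard PowerShell cmdlets, and assumes an elevated session; the extra HKLM policy path and WOW64 CLSID root are assumptions, included because those are the other locations where the same registrations normally live.

```powershell
# Added audit script, not part of the encyclopedia entry. Lists every ShellExecuteHooks
# registration, resolves its CLSID to the InprocServer32 DLL and flags unsigned or missing
# DLLs, then reports the Windows Update AU policy values the description says are modified.

$HooksKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
# The entry names the HKCU hive; HKLM is where the policy is normally set, so check both.
$AuKeys   = @('HKCU:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU',
              'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU')

function Resolve-ServerDll([string]$Raw) {
    # InprocServer32 may hold a bare file name (as "exppri.dll" above); the loader would
    # then pick it up from the system folder, so look there too.
    if ([string]::IsNullOrEmpty($Raw)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw)
    if ([IO.Path]::IsPathRooted($p)) { return $p }
    foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
        $candidate = Join-Path $dir $p
        if (Test-Path $candidate) { return $candidate }
    }
    return $p
}

function Get-ShellExecuteHookReport {
    if (-not (Test-Path $HooksKey)) { return }
    foreach ($clsid in (Get-Item $HooksKey).GetValueNames()) {
        if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
        # Native and WOW64 COM registrations live under different CLSID roots.
        foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
            $srv = Join-Path $root "$clsid\InprocServer32"
            if (-not (Test-Path $srv)) { continue }
            $dll = Resolve-ServerDll ((Get-Item $srv).GetValue(''))
            $sig = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
            [pscustomobject]@{
                CLSID      = $clsid
                Dll        = $dll
                Signature  = $sig
                Suspicious = ($sig -ne 'Valid')   # an unsigned or missing hook DLL deserves a closer look
            }
        }
    }
}

function Get-WindowsUpdatePolicyReport {
    foreach ($key in $AuKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'NoAutoUpdate', 'AUOptions') {
            if ($null -ne $props.$name) { [pscustomobject]@{ Key = $key; Name = $name; Value = $props.$name } }
        }
    }
}

Get-ShellExecuteHookReport | Format-Table -AutoSize
Get-WindowsUpdatePolicyReport | Format-Table -AutoSize
```

A hook whose DLL is unsigned, missing, or sitting in the system folder under an unfamiliar name is worth matching against the file name and CLSID listed in this entry.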
Prevention