Troj/Dalixy-B

Category: Viruses and Spyware
Type: Trojan
Prevalence: No Reports


Troj/Dalixy-B is a backdoor Trojan for the Windows platform.

The Trojan allows a malicious user remote access to an infected computer.

When executed, the Trojan copies itself to the Windows folder (%SystemRoot%, typically C:\WINDOWS) as winlogon.exe, drops the file ws3_32.dll, and attempts to download and run the files dfp.exe, pspv.exe and winls.exe.

These three downloaded files are password recovery tools which, when run by the Trojan, leave their output in the files windows.ini, windows2.ini and windows4.ini in the Windows folder.

These three tools are not malicious in themselves, but in the hands of the Trojan they expose stored credentials, so the tools and their output files are a security risk and should be deleted.

In order to run automatically when Windows starts up Troj/Dalixy-B creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
winlogon = C:\WINDOWS\winlogon.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
winlogon = C:\WINDOWS\winlogon.exe

The Trojan also creates the following registry entry:

HKLM\Software\Classes\CLSID\{57853A3E-0C30-4654-A335-7189A22B973F}\InProcServer32\
ws3_32.dll

and changes:

HKLM\Software\Microsoft\OLE
EnableDCOM = N

The Trojan provides proxy functionality on a random port and reports the infection to the attacker by sending an email and connecting to IRC.

Troj/Dalixy-B has functionality to collect passwords and other sensitive information.
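The following triage script is an added example, not part of the Sophos description, for checking a Windows host against the artefacts listed above: the dropped and downloaded files, the two Run-key entries, the CLSID registration, the EnableDCOM change and the proxy listener. The file names, CLSID and registry values are taken from the description; the layout of the output, the use of SHA-256 hashing and the listening-socket check (which infers the proxy from a listening winlogon.exe outside System32, since the port is random) are this example's own choices. The genuine winlogon.exe lives in %SystemRoot%\System32 and is started by the session manager, never from a Run key, so any Run value named "winlogon" is suspicious, and the dropped ws3_32.dll name mimics the legitimate Winsock library ws2_32.dll. Run it from an elevated PowerShell session; Get-FileHash needs PowerShell 4 or later and Get-NetTCPConnection needs Windows 8 / Server 2012 or later.

```powershell
# Added triage script for Troj/Dalixy-B artefacts (not Sophos code).
# Indicators come from the description; structure and output format are this example's own.

$win = $env:SystemRoot   # the description's "Windows folder", e.g. C:\WINDOWS
$findings = New-Object System.Collections.Generic.List[string]

# 1. Files the Trojan copies, drops, downloads or writes into the Windows folder.
#    The real winlogon.exe is in $win\System32; a copy directly in $win is the indicator.
$files = @(
    'winlogon.exe',                                   # Trojan copy of itself
    'ws3_32.dll',                                     # dropped DLL (name mimics ws2_32.dll)
    'dfp.exe', 'pspv.exe', 'winls.exe',               # downloaded password-recovery tools
    'windows.ini', 'windows2.ini', 'windows4.ini'     # output of those tools
)
foreach ($f in $files) {
    $p = Join-Path $win $f
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings.Add("FILE  $p  sha256=$h")
    }
}

# 2. Run-key persistence. Windows never starts winlogon via a Run value,
#    so any value with this name is suspicious regardless of its data.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    $v = Get-ItemProperty -Path $k -Name 'winlogon' -ErrorAction SilentlyContinue
    if ($v) { $findings.Add("RUN   $k\winlogon = $($v.winlogon)") }
}

# 3. COM registration of the dropped DLL under the CLSID from the description.
#    The InProcServer32 default value holds the DLL name/path.
$clsid = 'HKLM:\Software\Classes\CLSID\{57853A3E-0C30-4654-A335-7189A22B973F}\InProcServer32'
if (Test-Path -LiteralPath $clsid) {
    $dll = (Get-ItemProperty -LiteralPath $clsid).'(default)'
    $findings.Add("CLSID $clsid = $dll")
}

# 4. DCOM switched off: the Trojan sets EnableDCOM = N (Windows default is Y).
$ole = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\OLE' -Name 'EnableDCOM' -ErrorAction SilentlyContinue
if ($ole -and $ole.EnableDCOM -eq 'N') {
    $findings.Add('DCOM  HKLM\Software\Microsoft\OLE\EnableDCOM = N (DCOM disabled)')
}

# 5. Proxy on a random port: no fixed port to match, so report listening TCP
#    sockets owned by a winlogon.exe running from the Windows folder itself.
#    (This inference is the example's assumption, not something the description states.)
$badPath = Join-Path $win 'winlogon.exe'
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    if ($proc -and $proc.Path -and ($proc.Path -ieq $badPath)) {
        $findings.Add("PORT  $($proc.Path) (PID $($proc.Id)) listening on TCP $($_.LocalPort)")
    }
}

if ($findings.Count -eq 0) { 'No Troj/Dalixy-B artefacts found.' } else { $findings }
```

The script only reports; it does not delete anything. Before removal, terminate the rogue winlogon.exe process (the one whose path is directly under the Windows folder, never the System32 one), delete the Run values and the CLSID key, remove the files, and reset EnableDCOM to Y if your environment relies on DCOM. Because the downloaded tools dump stored passwords into the three .ini files, treat any credentials on the host as exposed and rotate them.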
