Troj/Delf-FG

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/Delf-FG is a multicomponent backdoor Trojan for the Windows platform.

Troj/Delf-FG may arrive as a file called server.exe, which is the dropper component. When executed, server.exe extracts the following Trojan components to the Windows system folder:

IEHelper.dll - "IE 4.x-5.x BHO in ObjectPascal"
inst.exe - BHO installer
e.exe - main Trojan executable
by.bat - batch file that deletes the above-mentioned files, including the dropper file

When executed, e.exe copies itself to the Windows folder with the filenames svchost.exe and winlogon.exe, and also creates the following data log files in the Windows system folder:

mmsys.sys
system.hnd
winsloc.drv
winsock.drv
winver.dll

In order to run automatically when Windows starts up, Troj/Delf-FG creates the following registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System Manager

whose value is the path to svchost.exe.

In connection with the installed BHO, Troj/Delf-FG sets the following registry entries:

HKCR\CLSID\(xxx)\
@ = "IE 4.x-5.x BHO in ObjectPascal"

HKCR\CLSID\(xxx)\InprocServer32\
@ = "<WINDOWS>\\<system>\\IEHelper.dll"

HKCR\CLSID\(xxx)\InprocServer32\ThreadingModel = "Apartment"

HKCR\CLSID\(xxx)\ProgID\@ = "IEHelper.IEHelperOP"

HKCR\IEHelper.IEHelperOP\@ = "IE 4.x-5.x BHO in ObjectPascal"

HKCR\IEHelper.IEHelperOP\Clsid\@ = "(xxx)"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\(xxx)\

where (xxx) is the BHO class ID (3A4E6FF3-BF59-446E-9DC8-731BCE2F349A).

Troj/Delf-FG resolves the host members.lycos.co.uk in an attempt to access the following locations on it:

/mooncrew777/usrmessages/scs12.php?nogrn&status
/mooncrew777/usrmessages/count.php?ik=ndppbzn
/mooncrew777/usrmessages/gcc12.php?nogrn

Troj/Delf-FG deletes a number of registry settings, including those under the following key:

HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\

Detection for Troj/Delf-FG covers the dropper file, the main executable, the BHO component and the batch file.
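As an added triage example (not Sophos code), the following PowerShell script checks a Windows host for the file and registry indicators listed above and reports what it finds without changing anything. It assumes %SystemRoot%\System32 is the Windows system folder and also checks the Wow6432Node BHO key, where a 32-bit BHO is registered on 64-bit Windows.

```powershell
# Read-only check for the Troj/Delf-FG indicators described in the advisory.
$clsid    = '{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}'   # BHO class ID from the advisory
$win      = $env:SystemRoot                             # Windows folder, e.g. C:\Windows
$sys      = Join-Path $win 'System32'                   # assumed Windows system folder
$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: Run value "System Manager" pointing at the dropped svchost.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['System Manager']) {
    $findings.Add("Run value 'System Manager' = $($run.'System Manager')")
}

# 2. BHO registration for the advisory's CLSID and ProgID
$bhoPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    'Registry::HKEY_CLASSES_ROOT\IEHelper.IEHelperOP'
)
foreach ($p in $bhoPaths) {
    if (Test-Path $p) { $findings.Add("Registry key present: $p") }
}

# 3. Dropped components and data log files in the system folder
$sysFiles = 'IEHelper.dll','inst.exe','e.exe','by.bat',
            'mmsys.sys','system.hnd','winsloc.drv','winsock.drv','winver.dll'
foreach ($f in $sysFiles) {
    $full = Join-Path $sys $f
    if (Test-Path $full) { $findings.Add("File present: $full") }
}

# 4. Copies of the main executable in the Windows folder itself. The genuine
#    svchost.exe and winlogon.exe live in System32, so copies directly under
#    %SystemRoot% are out of place and worth a look.
foreach ($f in 'svchost.exe','winlogon.exe') {
    $full = Join-Path $win $f
    if (Test-Path $full) { $findings.Add("Unexpected file outside System32: $full") }
}

if ($findings.Count -eq 0) { 'No Troj/Delf-FG indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated PowerShell prompt so the HKLM and System32 checks are not hidden by access errors; a hit on any indicator should be followed up with a full scan rather than manual deletion.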
