Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 29 September 2004 07:53:18 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Delf-FG is a multicomponent backdoor Trojan for the Windows platform.
Troj/Delf-FG may arrive as a file called server.exe, which is the dropper component. When executed, server.exe extracts the following Trojan components to the Windows system folder:
IEHelper.dll - "IE 4.x-5.x BHO in ObjectPascal"
inst.exe - BHO installer
e.exe - main Trojan executable
by.bat - batch file that deletes the above-mentioned files, including the dropper file
When executed, e.exe copies itself to the Windows folder under the filenames svchost.exe and winlogon.exe, and also creates the following data log files in the Windows system folder:
mmsys.sys
system.hnd
winsloc.drv
winsock.drv
winver.dll
In order to run automatically when Windows starts up, Troj/Delf-FG creates the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System Manager
with the path to the svchost.exe.
In connection with the installed BHO, Troj/Delf-FG sets the following registry entries:
HKCR\CLSID\(xxx)\
@ = "IE 4.x-5.x BHO in ObjectPascal"
HKCR\CLSID\(xxx)\InprocServer32\
@ = "<WINDOWS>\\<system>\\IEHelper.dll"
HKCR\CLSID\(xxx)\InprocServer32\ThreadingModel = "Apartment"
HKCR\CLSID\(xxx)\ProgID\@ = "IEHelper.IEHelperOP"
HKCR\IEHelper.IEHelperOP\@ = "IE 4.x-5.x BHO in ObjectPascal"
HKCR\IEHelper.IEHelperOP\Clsid\@ = "(xxx)"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(xxx)\
where (xxx) is a BHO class id (3A4E6FF3-BF59-446E-9DC8-731BCE2F349A).
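As an added triage example (not code from the Sophos page), the following Python parses a registry export in .reg format and flags the entries listed above: the Run value named System Manager starting an svchost.exe outside system32, the BHO registration under the CLSID given above, and the InprocServer32 path for that CLSID. The sample export is constructed to mirror those entries; the registry stores the CLSID in braces, which the page writes as (xxx).

```python
import re

DELF_FG_CLSID = "{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}"  # BHO CLSID from the page, as stored in the registry
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')

def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: data}}; '@' is the default value."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue  # header, blank, comment or unsupported line
        name = "@" if m.group("name") is None else m.group("name")
        data = m.group("data")
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # REG_SZ: undo \\ and \" escapes
        entries[current][name] = data
    return entries

def find_delf_fg_indicators(entries):
    """Return the page's registry indicators found in a parsed export."""
    clsid, hits = DELF_FG_CLSID.lower(), []
    for key, values in entries.items():
        k = key.lower()
        vals = {n.lower(): d for n, d in values.items()}  # registry names are case-insensitive
        # Persistence: Run\System Manager starting an svchost.exe outside system32 (the page says the copy is in the Windows folder)
        if k.endswith("\\software\\microsoft\\windows\\currentversion\\run"):
            target = vals.get("system manager", "")
            if target.lower().endswith("svchost.exe") and "\\system32\\" not in target.lower():
                hits.append("Run persistence: System Manager -> " + target)
        if k.endswith("\\explorer\\browser helper objects\\" + clsid):  # BHO registered with Explorer
            hits.append("BHO registered: " + key)
        if k.endswith("\\clsid\\" + clsid + "\\inprocserver32"):  # COM server, IEHelper.dll per the page
            hits.append("InprocServer32 -> " + vals.get("@", ""))
    return hits

# Constructed sample export shaped like the entries the page lists (not captured data).
SAMPLE_REG_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System Manager"="C:\\WINDOWS\\svchost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CLASSES_ROOT\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}\InprocServer32]
@="C:\\WINDOWS\\system32\\IEHelper.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}]
"""
```

`find_delf_fg_indicators(parse_reg_export(SAMPLE_REG_EXPORT))` returns three hits (the Run entry, the InprocServer32 path and the BHO registration) while the benign ctfmon.exe entry is ignored; a real export comes from `reg export` on the host or from a hive parsed offline.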
Troj/Delf-FG queries for the members.lycos.co.uk host in an attempt to access the following locations:
/mooncrew777/usrmessages/scs12.php?nogrn&status
/mooncrew777/usrmessages/count.php?ik=ndppbzn
/mooncrew777/usrmessages/gcc12.php?nogrn
Troj/Delf-FG deletes a number of registry settings, including those under
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\
Detection for Troj/Delf-FG covers the dropper file, the main executable, the BHO component and the batch file.

