Win32/Delf.RBQ [Threat Name] go to Threat

Win32/Delf.RBQ [Threat Variant Name]

Category trojan
Size 193024 B
Detection created Jan 10, 2013
Detection database version 7881
Aliases Win32:DelfInject (Avast)
  DR/Delphi.Gen (Avira)
  Trojan.Inject.GO (BitDefender)
Short description

Win32/Delf.RBQ is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.


When executed, the trojan copies itself in some of the the following locations:

  • %localappdata%\­KB%variable%\­KB%variable1%.exe
  • %appdata%\­KB%variable1%\­KB%variable1%.exe
  • %windir%\­KB%variable1%\­KB%variable1%.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "KB%variable1%" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "KB%variable1%" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "KB%variable1%" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "KB%variable1%" = "%malwarefilepath%"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­system_Reg32]
    • "UID" = "%variable2%"
    • "Path" = "%copiedfilepath%"
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­system_Reg32]
    • "UID" = "%variable2%"
    • "Path" = "%copiedfilepath%"

A string with variable content is used instead of %variable1-2% .

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon\­SpecialAccounts\­UserList]
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­Lsa]
    • "limitblankpassworduse" = 0
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet001\­Control\­Lsa]
    • "limitblankpassworduse" = 0
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet002\­Control\­Lsa]
    • "limitblankpassworduse" = 0
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet003\­Control\­Lsa]
    • "limitblankpassworduse" = 0

The trojan launches the following processes:

  • %windir%\­system32\­svchost.exe
  • %windir%\­syswow64\­svchost.exe
  • %windir%\­explorer.exe
  • %defaultbrowser%
  • %malwarefilepath%

The trojan creates and runs a new thread with its own code within these running processes.

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan searches for cookies with login sessions related to social networking sites.

The following social networking sites are affected:

  • VKontakte

The following programs are affected:

  • Google Chrome
  • Internet Explorer
  • Mozilla Firefox
  • Opera

The trojan searches for the following cookie files:

  • %appdata%\­Opera\­Opera\­cookies4.dat
  • %appdata%\­Mozilla\­Firefox\­Profiles\­%profile%\­cookies.sqlite
  • %localappdata%\­Google\­Chrome\­User Data\­Default\­Cookies

If the trojan finds the appropriate cookie, its content is sent to the following remote computer:

  • http://go%removed%te.php?mo%removed%
Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version

Please enable Javascript to ensure correct displaying of this content and refresh this page.