Win32/Delf.TSU [Threat Name]

Win32/Delf.TSU [Threat Variant Name]

Category trojan
Size 139264 B
Detection created Aug 15, 2017
Detection database version 15920
Short description

Win32/Delf.TSU is a trojan that installs Win32/TrojanProxy.Hioles.AD malware.

Installation

The trojan is probably a part of other malware.


The trojan needs the following files to run:

  • %malwarefolder%\mozglue.dat

The trojan extracts "mozglue.dat" archive content into the following folder:

  • %appdata%\SecAdobe\

The %appdata%\SecAdobe\ folder may have the System (S) and Hidden (H) attributes set in an attempt to hide the folder in Windows Explorer.


The trojan creates the following files:

  • %appdata%\SecAdobe\winupd.exe (392872 B)
  • %appdata%\SecAdobe\uTorrent.exe (2347 kB)
  • %appdata%\SecAdobe\mozglue.dll (24064 B, Win32/Delf.TSU)

The files are then executed.


The trojan creates the following file:

  • %appdata%\SecAdobe\tmp.dat (83744 B)

The file is then decrypted and executed.


The file contains the program code of the following malware:

  • Win32/TrojanProxy.Hioles.AD

In order to be executed on system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "winlogon" = "%appdata%\SecAdobe\winupd.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run]
    • "winlogon" = 2305843009213693952

Other information
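A defender's check for the persistence artifacts listed above, added here as an example and not part of the ESET entry: it looks for the SecAdobe folder and its System+Hidden attributes, the files the entry names inside it, and the "winlogon" values under both Run keys. The function name Find-DelfTsuArtifacts and the report format are assumptions; the paths and value names are the ones the entry gives.

```powershell
# Added example (not from the ESET entry): hunt for the Win32/Delf.TSU
# persistence artifacts in the current user's profile and report findings.
# Function name and output format are assumptions; paths/value names are from the entry.
function Find-DelfTsuArtifacts {
    $folder   = Join-Path $env:APPDATA 'SecAdobe'
    $runKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $approved = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run'
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropper folder, including the System+Hidden attributes it may set to stay out of Explorer
    if (Test-Path -LiteralPath $folder) {
        $attrs  = (Get-Item -LiteralPath $folder -Force).Attributes
        $hidden = (($attrs -band [IO.FileAttributes]::Hidden) -ne 0) -and
                  (($attrs -band [IO.FileAttributes]::System) -ne 0)
        $findings.Add("Folder present: $folder (System+Hidden: $hidden)")
        foreach ($name in 'winupd.exe', 'uTorrent.exe', 'mozglue.dll', 'tmp.dat') {
            $path = Join-Path $folder $name
            if (Test-Path -LiteralPath $path) {
                $item = Get-Item -LiteralPath $path -Force
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                $findings.Add("  $name size=$($item.Length) sha256=$hash")
            }
        }
    }

    # 2. The "winlogon" autostart value and its StartupApproved counterpart (binary data shown as hex)
    foreach ($key in $runKey, $approved) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['winlogon']) {
            $value = $props.winlogon
            if ($value -is [byte[]]) { $value = ($value | ForEach-Object { $_.ToString('x2') }) -join ' ' }
            $findings.Add("$key : winlogon = $value")
        }
    }

    # 3. Any other Run value that launches something from the SecAdobe folder (renamed value names)
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -like '*\SecAdobe\*' -and $p.Name -ne 'winlogon') {
                $findings.Add("Run value '$($p.Name)' launches from SecAdobe: $($p.Value)")
            }
        }
    }
    return $findings
}

Find-DelfTsuArtifacts | ForEach-Object { Write-Output $_ }
```

An empty result means none of the listed artifacts were found for the current user; the check does not cover other user profiles or HKLM.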

The trojan can detect the presence of debuggers and other analytical tools.


The trojan terminates its execution if it detects that it's running in a specific virtual environment.
