W32/Delf.JQ!tr.spy

Analysis

• Displays the following messge box when first executed:

  Title: Installed Successfully Message: Thank Q for Upgrading Patch. This Patch Enables Security to Your Computer Now the bug called .gif *.gif are fixed with this patch... For more information send us email to support@limewire.com with your Orderid

• Copies itself to the System folder as vedqg.exe.
  
• Drops the file pdvsf.jyg  to the System folder. This file contains encrypted text strings.
  
• Drops the file vedqg.dll  to the Windows folder, and injects it into the Explorer.exe  process. This dropped file is also detected as W32/Delf.JQ!tr.spy.
  Autostart Mechanism
  
• Creates the following registry entry:

  HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{pycuvsdp-kaki-ebkr-egtg-gjcuiewwdvdm}
    StubPath = "undefinedSYSTEMundefined\vedqg.exe"

  
  Backdoor and/or Trojan Behavior
  
• Creates the following registry entries:

  HKEY_CURRENT_USER\Software\Adobe\SUBG
    SUB = "undefinedSYSTEMundefined\vedqg.exe"
    SUBZ = "pdvsf.jyg"

• Modifies the following registry entry:

  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srservice   Start = dword:00000004

  This disables the System Restore Service.
  
• Steals the following information and sends them to a specific Gmail address:
  
  • Running processes
  • Clipboard contents
  • Keystrokes
  • Browser history
  • Firefox passwords