This threat was spammed in an email message as a hyperlink. When a user clicked the hyperlink, an encoded HTML file was downloaded and run. This encoded HTML file retrieved an additional .CHM file from '22.214.171.124'. The .CHM file uses a codebase exploit in order to retrieve and execute a binary file named "svchost.exe".
The file "svchost.exe" is a remote access Trojan that sends notification of its installation to a server-side PHP script; the server is located at the IP 126.96.36.199. The script captures the submitted data into a log file for the malicious user to browse; the data includes details of the compromised system such as the machine name, user name and other information.
This remote access Trojan is a variant of "Delf".
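The download chain described above (HTML page, then .CHM, then the "svchost.exe" binary, followed by a check-in to the PHP logging script) is easy to spot in web proxy logs. The following detection script is an added example, not part of the original advisory; the log format and the sample lines are constructed, and the five-minute window is an assumed tuning value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log lines (not from the original advisory);
# format: timestamp client method url status. The two server addresses
# are the ones named in the text above.
SAMPLE_LOG = """\
2005-01-10T09:00:01 10.0.0.5 GET http://22.214.171.124/index.htm 200
2005-01-10T09:00:03 10.0.0.5 GET http://22.214.171.124/help.chm 200
2005-01-10T09:00:07 10.0.0.5 GET http://22.214.171.124/svchost.exe 200
2005-01-10T09:00:09 10.0.0.5 POST http://126.96.36.199/log.php 200
2005-01-10T09:05:00 10.0.0.9 GET http://example.test/docs/manual.chm 200
2005-01-10T09:30:00 10.0.0.9 GET http://example.test/setup.exe 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
STAGES = ((".htm", ".html"), (".chm",), (".exe",))   # order of the drop chain

def parse(log):
    """Parse log lines into (timestamp, client, method, url), oldest first."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, url, _status = m.groups()
            events.append((datetime.fromisoformat(ts), client, method, url))
    return sorted(events)

def find_chains(log, window=timedelta(minutes=5)):
    """Return {client: [urls]} for each client that fetched .htm -> .chm -> .exe
    in that order within `window` of the first stage; a later POST to a .php
    URL by the same client inside the window is appended as the check-in."""
    progress = {}   # client -> (chain start time, urls matched so far)
    hits = {}       # client -> urls of a completed chain (+ beacon POST if seen)
    for ts, client, method, url in parse(log):
        path = url.split("?", 1)[0].lower()
        start, urls = progress.get(client, (ts, []))
        if ts - start > window:
            start, urls = ts, []          # too old; restart the chain
        done = len(urls) == len(STAGES)
        if done and method == "POST" and path.endswith(".php"):
            hits[client] = urls + [url]   # check-in to the PHP logging script
        elif not done and method == "GET" and path.endswith(STAGES[len(urls)]):
            urls = urls + [url]
            if len(urls) == len(STAGES):
                hits[client] = urls
        progress[client] = (start, urls)
    return hits
```

A .CHM or .EXE fetch on its own is common and noisy; it is the ordered sequence from a single client, capped by the time window, that makes this hit worth an analyst's attention.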