Win32/AutoRun.Delf.CB [Threat Name]

Win32/AutoRun.Delf.CB [Threat Variant Name]

Category: worm
Size: 537088 B
Detection created: May 28, 2009
Detection database version: 4114
Aliases: Virus.Win32.Delf.ct (Kaspersky), Generic.dx (McAfee), Win32.HLLW.Autoruner.1073 (Dr.Web)

Short description

Win32/AutoRun.Delf.CB is a worm that spreads by copying itself into the root folders of available drives.

Installation

When executed, the worm copies itself to the following locations:

  • %windir%\Help\svcnost.exe
  • %commonstartup%\startup1.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "sdll32" = "%windir%\Help\svcnost.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "ShowSuperHidden" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NoFolderOptions" = 1
    • "NoFind" = 1
    • "NoRun" = 1

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Control Panel\Desktop]
    • "ScreenSaveTimeOut" = 2
    • "SCRNSAVE.EXE" = "%system%\ssmarque.scr"
  • [HKEY_CURRENT_USER\Control Panel\Screen Saver.Marquee]
    • "BackgroundColor" = "0 0 0"
    • "Font" = "Arial"
    • "Size" = 72
    • "Speed" = 7
    • "Text" = "-- VM13 huvilbar 1.0.2 --"
    • "TextColor" = "255 255 255"

Spreading

Win32/AutoRun.Delf.CB is a worm that spreads by copying itself into the root folders of available drives.


The following names are used:

  • autorun.exe
  • INSTALL.exe
  • MY DOCUMENTS.exe
  • SEX.exe
  • VM13.exe
  • Zurag.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.
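
The spreading pattern above can be checked on a mounted drive root. The following is an added triage example, not part of the original description or the vendor's tooling. It assumes the dropped autorun.inf uses the standard [autorun] launch keys (open, shellexecute, shell\...\command), since the page does not show the file's contents; the sample drive root is constructed.

```python
import tempfile
from pathlib import Path

# Names the page lists for the worm's copies in drive roots (compared case-insensitively).
WORM_NAMES = {"autorun.exe", "install.exe", "my documents.exe",
              "sex.exe", "vm13.exe", "zurag.exe"}
# Standard autorun.inf launch keys (assumption: the page does not show the dropped file).
LAUNCH_KEYS = ("open", "shellexecute")

def launch_values(inf_text):
    """Return the lower-cased values of launch keys in the [autorun] section."""
    values, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (p.strip().lower() for p in line.split("=", 1))
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                values.append(value)
    return values

def triage_root(root):
    """Report listed worm names and autorun.inf launch targets in one drive root."""
    root = Path(root)
    files = {p.name.lower(): p.name for p in root.iterdir() if p.is_file()}
    listed = sorted(name for low, name in files.items() if low in WORM_NAMES)
    launched = []
    if "autorun.inf" in files:
        text = (root / files["autorun.inf"]).read_text(encoding="latin-1")
        values = launch_values(text)
        # An executable in the root counts as launched if a launch value names it.
        launched = sorted(name for low, name in files.items()
                          if low.endswith(".exe") and any(low in v for v in values))
    return {"listed_names": listed, "autorun_launches": launched,
            "matches_page": bool(listed) and "autorun.inf" in files}

def demo():
    """Run the triage on a constructed drive root (empty placeholder files)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("VM13.exe", "Zurag.exe", "notes.txt"):
            (Path(d) / name).write_bytes(b"")
        # Constructed autorun.inf; not taken from a real sample.
        (Path(d) / "autorun.inf").write_text("[AutoRun]\nopen=VM13.exe\nicon=x.ico\n")
        return triage_root(d)

if __name__ == "__main__":
    print(demo())
```

A name match alone is weak evidence, because names such as INSTALL.exe and autorun.exe also appear on legitimate media; confirm a hit with a file scan before acting on it.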

Other information

The worm displays a dialog box.

The following programs are terminated:

  • cmd.exe
  • Excel.exe
  • mmc.exe
  • Msconfig.exe
  • notepad.exe
  • ntvdm.exe
  • Photoshop.exe
  • Regedit.exe
  • rstrui.exe
  • rundll32.exe
  • Taskmgr.exe
  • WinWord.exe
  • Wmplayer.exe
  • wordpad.exe

The worm may open the CD/DVD drive.


The worm creates the following files:

  • %system%\RDOCURS.inf
  • c:\res.bat
