Win32/AutoRun.Delf.HH [Threat Name] go to Threat

Win32/AutoRun.Delf.HH [Threat Variant Name]

Category worm
Size 558080 B
Detection created Jul 09, 2010
Detection database version 5265
Aliases Trojan.Win32.Scar.cmjf (Kaspersky)
  Win32:Rootkit-gen (Avast)
  Trojan.Gen (Symantec)
Short description

Win32/AutoRun.Delf.HH is a worm that spreads via removable media. The worm can download and execute a file from the Internet.


When executed, the worm copies itself into the following location:

  • %windir%\­Sys\­RegSrvc.exe (558080 B)

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "MSkip" = "%windir%\­Sys\­RegSrvc.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "SuperHidden" = 0
    • "ShowSuperHidden" = 0
Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • Start.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Information stealing

The worm collects the following information:

  • computer name
  • user name
  • CPU information

The worm attempts to send gathered information to a remote machine.

Other information

The worm restarts the operating system if there is a window with any of the following strings in the name:

  • The Wireshark Network Analyzer

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (2) URLs. The HTTP protocol is used.

The worm can download and execute a file from the Internet.

Please enable Javascript to ensure correct displaying of this content and refresh this page.