Win32/AutoRun.PSW.Delf.C [Threat Name] go to Threat

Win32/AutoRun.PSW.Delf.C [Threat Variant Name]

Category worm
Size 649216 B
Detection created May 22, 2010
Detection database version 5137
Aliases Worm.Win32.AutoRun.cbxr (Kaspersky)
  W32/Autorun.worm.bcf.virus (McAfee)
  Worm:Win32/Verst.A (Microsoft)
  W32.Pilleuz (Symantec)
  Worm.P2P.Palevo.JI (BitDefender)
Short description

Win32/AutoRun.PSW.Delf.C is a worm that spreads via removable media.


When executed, the worm copies itself into the following location:

  • %commonappdata%\­srtserv\­%originalmalwarefilename%

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "srtserv" = "%commonappdata%\­srtserv\­%originalmalwarefilename%"
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "srtserv" = "%commonappdata%\­srtserv\­%originalmalwarefilename%"

The worm creates the following file:

  • %commonappdata%\­srtserv\­sdata.dll (23552 B, Win32/AutoRun.Delf.DK)

The library is loaded and injected in all processes.

The worm may create the following files:

  • %commonappdata%\­srtserv\­sdata2.dll (23040 B, Win32/AutoRun.PSW.Delf.G)

The following services are disabled:

  • ShellHWDetection
Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • %originalmalwarefilename%

The following file is created in the same folders:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.

The worm copies itself into the root folders of removable drives with the filename based on the name of an existing file or folder.

Information stealing

Win32/AutoRun.PSW.Delf.C is a worm that steals sensitive information.

The worm collects the following information:

  • login passwords for certain applications/services
  • user name
  • computer name
  • information about the operating system and system settings

The following services are affected:

  • WebMoney

The worm can send the information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (8) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • send gathered information

The worm sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.

The worm may delete the following folders:

  • %appdata%\­Webmoney\­

The worm may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­SafeBoot]

The worm keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­MSrtn]

The worm hides its presence in the system.

The worm hooks the following Windows APIs:

  • ZwQueryDirectoryFile (ntdll.dll)
  • ZwQuerySystemInformation (ntdll.dll)
  • ZwOpenProcess (ntdll.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.