Win32/Delf.NRB [Threat Name]

Win32/Delf.NRB [Threat Variant Name]

Category: worm
Size: 563712 B
Detection created: Oct 28, 2008
Detection database version: 3564
Aliases: W32.SillyFDC (Symantec)
  Worm.Win32.AutoRun.bohi (Kaspersky)
  Generic.dx!tko (McAfee)

Short description

Win32/Delf.NRB is a worm that spreads via removable media.

Installation

When executed, the worm copies itself into the following location:

  • %userprofile%\WINDOWS\svchost.exe

In order to be executed on every system start, the worm modifies the following Registry key:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "svchost" = "%userprofile%\WINDOWS\svchost.exe start"

Spreading on removable media

The worm copies itself into the root folders of removable drives using a random filename. The filename has the following extension:

  • .exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.
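
A triage check for the two artifacts described above (a Run value that starts svchost.exe from outside the system folders, and an autorun.inf in a drive root that launches an executable next to it), as an added example that is not part of the original description. The environment, registry values, file names and autorun.inf contents are constructed samples; the description does not give the autorun.inf contents, so the keys checked (open, shellexecute, shell\...\command) are an assumption.

```python
import ntpath
import re

def expand(path, env):
    """Expand %VAR% references case-insensitively; unknown variables are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)

def image_path(command):
    """Extract the executable path from a command line (quoted or unquoted)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]

def masquerading_svchost(run_values, env):
    """Names of Run values that start svchost.exe from outside the system folders."""
    root = env["systemroot"].lower()
    legit = {ntpath.join(root, "system32"), ntpath.join(root, "syswow64")}
    hits = []
    for name, command in run_values.items():
        path = ntpath.normpath(expand(image_path(command), env)).lower()
        directory, exe = ntpath.split(path)
        if exe == "svchost.exe" and directory not in legit:
            hits.append(name)
    return hits

def autorun_root_executables(autorun_text, root_files):
    """Executables present in a drive root that its autorun.inf would launch."""
    present = {f.lower() for f in root_files}
    hits = []
    for line in autorun_text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if not sep or not (key in ("open", "shellexecute") or key.endswith("\\command")):
            continue
        target = ntpath.basename(image_path(value)).lower()
        if target.endswith(".exe") and target in present and target not in hits:
            hits.append(target)
    return hits

# Constructed sample data (not captured from an infected host).
ENV = {"systemroot": r"C:\Windows", "userprofile": r"C:\Users\alice"}
RUN = {
    "svchost": r"%userprofile%\WINDOWS\svchost.exe start",  # value listed in this description
    "SecurityHealth": r"%SystemRoot%\System32\SecurityHealthSystray.exe",
}
AUTORUN = "[autorun]\nopen=kq3vxz.exe\nshell\\open\\command=kq3vxz.exe\n"
ROOT = ["autorun.inf", "kq3vxz.exe", "photos"]
```

On a live host the same functions can be fed the exported values of the Run key and a directory listing of each removable drive root.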

Other information

The worm acquires data and commands from a remote computer or the Internet. The URL address is generated randomly.


The worm collects the following information:

  • computer name
  • user name

It can execute the following operations:

  • capture webcam video/voice
  • run executable files
  • send gathered information
