Win32/Delf.NXA [Threat Name]

Win32/Delf.NXA [Threat Variant Name]

Category: trojan, worm
Size: 16384 B
Detection created: Jan 14, 2009
Detection database version: 3766
Aliases: Trojan:Win32/Killav.EA (Microsoft), Backdoor.Dckane (Symantec)

Short description

Win32/Delf.NXA is a worm that spreads via e-mail. The worm can download and execute a file from the Internet.

Installation

When executed, the worm copies itself into the following location:

  • %windir%\QQMail.exe

The worm creates the following file:

  • %system%\QQMail.dll

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "QQMail" = "%windir%\QQMail.exe"

Other information

The worm creates and runs a new thread with its own program code in all running processes.


When an e-mail is composed on the infected system, the worm can attach a copy of itself to the message.


The worm may create copies of itself in the folder:

  • %temp%

The following filename is used:

  • DSC00000.pif

The worm contains a URL.


It tries to download a file from the address.


The file is stored in the following location:

  • %temp%\whoami.exe

The HTTP protocol is used.


The file is then executed.
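
A read-only host check for the artifacts listed above, added here as an example (it is not ESET's code or tooling). The WOW6432Node Run key, the SysWOW64 directory and the per-profile AppData\Local\Temp paths are assumptions that extend the page's %system% and %temp% notation to 64-bit and multi-user systems.

```powershell
# Added example: look for the Win32/Delf.NXA artifacts named in this description.
# Read-only. Run elevated so that other users' profile folders are readable.
$findings = New-Object System.Collections.Generic.List[string]

# Run-key persistence: value "QQMail" (second key is an assumption for 64-bit hosts).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $value = (Get-ItemProperty -LiteralPath $key -Name 'QQMail' -ErrorAction SilentlyContinue).QQMail
    if ($value) { $findings.Add("Run value QQMail = $value  [$key]") }
}

# Dropped files: %windir%\QQMail.exe and %system%\QQMail.dll.
$paths = @(
    (Join-Path $env:windir 'QQMail.exe'),
    (Join-Path $env:windir 'System32\QQMail.dll'),
    (Join-Path $env:windir 'SysWOW64\QQMail.dll')   # assumption: 32-bit view of %system%
)

# %temp% differs per account, so collect the temp folder of every local profile.
$tempDirs = @($env:TEMP, (Join-Path $env:windir 'Temp'))
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$tempDirs += Get-ChildItem -LiteralPath $profileList | ForEach-Object {
    $profilePath = $_.GetValue('ProfileImagePath')
    if ($profilePath) { Join-Path $profilePath 'AppData\Local\Temp' }
}
foreach ($dir in ($tempDirs | Where-Object { $_ } | Sort-Object -Unique)) {
    foreach ($name in 'DSC00000.pif', 'whoami.exe') { $paths += Join-Path $dir $name }
}

# Report each file that exists, with size and hash for triage.
foreach ($path in $paths) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $findings.Add("File $path  size=$($item.Length)  sha256=$hash")
    }
}

if ($findings.Count -gt 0) { $findings } else { 'No Win32/Delf.NXA artifacts found.' }
```

A QQMail.exe of exactly 16384 bytes matches the size given above; the legitimate Windows whoami.exe lives in the system directory, not in a temp folder.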
