Win32/Delf.OEN [Threat Name] go to Threat

Win32/Delf.OEN [Threat Variant Name]

Category trojan
Size 1137152 B
Detection created Mar 31, 2009
Detection database version 3978
Aliases Trojan.Win32.Buzus.kpdb (Kaspersky)
  VirTool:Win32/DelfInject (Microsoft)
Short description

Win32/Delf.OEN is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan copies itself into the following location:

  • %allusersprofile%\­%variable0%\­%variable1%.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable2%" = "%allusersprofile%\­%variable0%\­%variable1%.exe"

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\­Software\­%variable3%]
    • "%variable4%" = "%data%"
    • "%variable5%" = "%data%"

A string with variable content is used instead of %variable0-5% .


The trojan may create and run a new thread with its own program code within any running process.

Information stealing

The trojan collects the following information:

  • operating system version

The trojan attempts to send gathered information to a remote machine.

Other information

Win32/Delf.OEN is a trojan which tries to download other malware from the Internet.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (15) URLs.


It tries to download several files from the addresses. The HTTP protocol is used.


The downloaded files contain encrypted executables.


After decryption, the trojan runs these files.

Please enable Javascript to ensure correct displaying of this content and refresh this page.