Win32/Delf.NBW [Threat Name] go to Threat

Win32/Delf.NBW [Threat Variant Name]

Category virus,worm
Size 3280406 B
Aliases Trojan:Win32/Bancteian!rfn (Microsoft)
Short description

Win32/Delf.NBW is a file infector. The virus collects various sensitive information. The virus attempts to send gathered information to a remote machine.


When executed the virus copies itself in the following locations:

  • %windir%\­wininit.exe
  • %localappdata%\­Svchost.exe
  • %appdata%\­Spoolsv.exe

In order to be executed on every system start, the virus sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Userinit" = "userinit.exe, cmd.exe /c start %windir%\­wininit.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Microsoft Windows" = "%malwarefilepath%"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "ShowSuperHidden" = 0
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Shell" = "Explorer.exe"

The virus may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "ConsentPromptBehaviorAdmin" = 0
    • "PromptOnSecureDesktop" = 0
    • "EnableLUA" = 0

The following programs are terminated:

  • %appdata%\­svchost.exe
  • %windir%\­svchost.exe
  • %appdata%\­explorer.exe
  • %systemx86%\­explorer.exe
Executable file infection

The virus infects executables accesed by

  • explorer.exe

. If a folder name matches one of the following strings, files inside it are not infected:

  • %windir%\­
  • C:\­Program Files\­

The virus infects files with the following extensions:

  • .exe

The virus infects the files by inserting its code at the beginning of the original program.

When an infected file is executed, the original file is also run.

Information stealing

The virus is able to log keystrokes.

The virus collects the following information:

  • data from the clipboard
  • computer name
  • user name

The collected information is stored in the following files:

  • %systemx86%\­lgsys.lgn
  • %systemx86%\­%variable%.cpn

A string with variable content is used instead of %variable% .

The virus attempts to send gathered information to a remote machine.

The virus sends the information via e-mail. The SMTP protocol is used.

Other information

The virus acquires data and commands from a remote computer or the Internet.

The virus contains a list of (5) URLs. The HTTPS protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version

The virus searches for the following folders:

  • %appdata%\­Mozilla\­Firefox\­Profiles\­
  • %localappdata%\­Mozilla\­Firefox\­Profiles\­
  • %appdata%\­Opera Software\­Opera Stable\­
  • %localappdata%\­Opera Software\­Opera Stable\­
  • %appdata%\­Apple Computer\­Preferences\­
  • %appdata%\­Google\­Chrome\­User Data\­Default\­
  • %localappdata%\­Google\­Chrome\­User Data\­Default\­
  • %appdata%\­CocCoc\­Browser\­User Data\­Default\­
  • %localappdata%\­CocCoc\­Browser\­User Data\­Default\­

Only files which contain one of the following strings are searched:

  • signons.sqlite
  • formhistory.sqlite
  • cookies.sqlite
  • logins.json
  • Web Data
  • Web Data-journal
  • Login Data
  • Login Data-journal
  • Cookies
  • Cookies-journal
  • Current Session
  • Current Tabs
  • History
  • History Provider Cache
  • History-journal
  • keychain.plist

The virus then deletes the found files.

The virus may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Microsoft Windows"
    • "Host Process for Windows Services"
    • "WinDefend"

Please enable Javascript to ensure correct displaying of this content and refresh this page.