Win32/Delf.NDF

Category: worm
Size: 27409 B
Detection created: Aug 01, 2006
Detection database version: 10314
Aliases: Worm.Win32.AutoRun.tl (Kaspersky)
  Win32.HLLW.Autoruner.1890 (Dr.Web)
  Worm:Win32/Mocmex.gen!A (Microsoft)
  W32.SillyFDC (Symantec)
Short description

Win32/Delf.NDF is a worm that tries to download other malware from the Internet. It spreads via removable media. The file is run-time compressed using FSG.

Installation

When executed, the worm copies itself to the following locations:

  • %programfiles%\Common Files\System\oimfnfy.exe
  • %programfiles%\Common Files\Microsoft Shared\btisawq.exe

The copies are then executed.


In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "gkqmrxa" = "%programfiles%\Common Files\Microsoft Shared\btisawq.exe"
    • "qmfqqtb" = "%programfiles%\Common Files\System\oimfnfy.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowAll]
    • "CheckedValue" = 0
  • [HKEY_USERS\S-1-5-21-1409082233-115176313-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NoDriveTypeAutoRun" = 145
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSPPSYS]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv]
    • "Start" = 4

A "Start" value of 4 is SERVICE_DISABLED, so Windows Firewall/Internet Connection Sharing (SharedAccess), Help and Support (helpsvc), Security Center (wscsvc) and Automatic Updates (wuauserv) no longer start. "Hidden" = 2 turns off the display of hidden files in Explorer, and "CheckedValue" = 0 breaks the "Show hidden files and folders" option so it cannot simply be switched back on; the SID in the HKEY_USERS path is that of the user account on the analysis machine and will differ on other systems. "NoDriveTypeAutoRun" = 145 (0x91) disables AutoRun only for unknown, network and reserved drive types, leaving removable drives (bit 0x04) and CD-ROMs (bit 0x20) eligible to AutoRun, which the worm relies on to spread.

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%filename%]
    • "Debugger" = "%programfiles%\Common Files\Microsoft Shared\btisawq.exe"

Windows starts the program named in a "Debugger" value in place of the image whose key it sits under, so any attempt to launch one of the following security tools runs the worm instead. The following strings are used in place of %filename%:

  • Ras.exe
  • avp.com
  • avp.exe
  • runiep.exe
  • PFW.exe
  • FYFireWall.exe
  • rfwmain.exe
  • rfwsrv.exe
  • KAVPF.exe
  • KPFW32.exe
  • nod32kui.exe
  • nod32.exe
  • Navapsvc.exe
  • Navapw32.exe
  • avconsol.exe
  • webscanx.exe
  • NPFMntor.exe
  • vsstat.exe
  • KPfwSvc.exe
  • RavTask.exe
  • Rav.exe
  • RavMon.exe
  • mmsk.exe
  • WoptiClean.exe
  • QQKav.exe
  • QQDoctor.exe
  • EGHOST.exe
  • 360Safe.exe
  • iparmo.exe
  • adam.exe
  • IceSword.exe
  • 360rpt.exe
  • 360tray.exe
  • AgentSvr.exe
  • AppSvc32.exe
  • autoruns.exe
  • avgrssvc.exe
  • AvMonitor.exe
  • CCenter.exe
  • ccSvcHst.exe
  • FileDsty.exe
  • FTCleanerShell.exe
  • HijackThis.exe
  • Iparmor.exe
  • isPwdSvc.exe
  • kabaload.exe
  • KaScrScn.SCR
  • KASMain.exe
  • KASTask.exe
  • KAV32.exe
  • KAVDX.exe
  • KAVPFW.exe
  • KAVSetup.exe
  • KAVStart.exe
  • KISLnchr.exe
  • KMailMon.exe
  • KMFilter.exe
  • KPFW32.exe
  • KPFW32X.exe
  • KPFWSvc.exe
  • KRegEx.exe
  • KRepair.com
  • KsLoader.exe
  • KVCenter.kxp
  • KvDetect.exe
  • KvfwMcl.exe
  • KVMonXP.kxp
  • KVMonXP_1.kxp
  • kvol.exe
  • kvolself.exe
  • KvReport.kxp
  • KVScan.kxp
  • KVSrvXP.exe
  • KVStub.kxp
  • kvupload.exe
  • kvwsc.exe
  • KvXP.kxp
  • KvXP_1.kxp
  • KWatch.exe
  • KWatch9x.exe
  • KWatchX.exe
  • loaddll.exe
  • MagicSet.exe
  • mcconsol.exe
  • mmqczj.exe
  • nod32krn.exe
  • PFWLiveUpdate.exe
  • QHSET.exe
  • RavMonD.exe
  • RavStub.exe
  • RegClean.exe
  • rfwcfg.exe
  • RfwMain.exe
  • rfwsrv.exe
  • RsAgent.exe
  • Rsaupd.exe
  • safelive.exe
  • scan32.exe
  • shcfg32.exe
  • SmartUp.exe
  • SREng.EXE
  • symlcsvc.exe
  • SysSafe.exe
  • TrojanDetector.exe
  • Trojanwall.exe
  • TrojDie.kxp
  • UIHost.exe
  • UmxAgent.exe
  • UmxAttachment.exe
  • UmxCfg.exe
  • UmxFwHlp.exe
  • UmxPol.exe
  • UpLive.exe
  • upiea.exe
  • AST.exe
  • ArSwp.exe
  • USBCleaner.exe
  • rstrui.exe
  • QQLiveUpdate.exe
  • QQUpdateCenter.exe
  • Timwp.exe

The worm moves the following files (source, destination):

  • %programfiles%\Internet Explorer\PLUGINS\SysWin64.Tao, %programfiles%\Internet Explorer\PLUGINS\%randomfilename%.2
  • %programfiles%\Internet Explorer\PLUGINS\SysWin64.Sys, %programfiles%\Internet Explorer\PLUGINS\%randomfilename%.1
  • %programfiles%\Internet Explorer\PLUGINS\SysWin64.Jmp, %programfiles%\Internet Explorer\PLUGINS\%randomfilename%
  • %programfiles%\Internet Explorer\msvcrt.dll, %programfiles%\Internet Explorer\%randomfilename%
  • %programfiles%\Common Files\Relive.dll, %programfiles%\Common Files\%randomfilename%.1
  • %programfiles%\Common Files\svchost.cnc, %programfiles%\Common Files\%randomfilename%
  • %windir%\tools\explorer.exe, %windir%\tools\%randomfilename%
  • %windir%\Debug\debug.exe, %windir%\Debug\%randomfilename%
  • %windir%\System32\Com\smss.exe, %windir%\System32\Com\%randomfilename%.1
  • %windir%\System32\IME\svchost.exe, %windir%\System32\IME\%randomfilename%
  • %windir%\System32\Com\lsass.exe, %windir%\System32\Com\%randomfilename%
  • %windir%\Web\css.css, %windir%\Web\%randomfilename%
  • %windir%\System32\internt.exe, %windir%\System32\%randomfilename%.2
  • %windir%\System32\progmon.exe, %windir%\System32\%randomfilename%.1
  • %windir%\System32\directx.exe, %windir%\System32\%randomfilename%.5
  • %windir%\System32\crsss.exe, %windir%\System32\%randomfilename%.6
  • %windir%\System32\Shell.pci, %windir%\System32\%randomfilename%.4
  • %windir%\System32\Shell.exe, %windir%\System32\%randomfilename%.3
  • %windir%\System32\wniapsvr.exe, %windir%\System32\%randomfilename%
  • %windir%\System32\bsmain.exe, %windir%\System32\bsmains.exe
  • %windir%\System32\verclsid.exe, %windir%\System32\verclsids.exe

A string with variable content is used instead of %randomfilename%.


The following Registry entries are deleted:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "AVP"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowAll]
    • "CheckedValue"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oimfnfy.exe]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\btisawq.exe]
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]

The deleted SafeBoot subkeys name the "Disk drives" device class ({4D36E967-E325-11CE-BFC1-08002BE10318}). Without them Windows does not load disk class drivers in Safe Mode, so a Safe Mode boot typically fails and cannot be used for cleanup. Removing the IFEO keys for the worm's own file names ensures the hijack described above never redirects the worm itself.
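The registry changes listed in this section (Run-key persistence, services forced to "Start" = 4, Image File Execution Options "Debugger" hijacks and the removed SafeBoot class keys) can be triaged offline from a .reg export of a suspect machine. The following Python script is an added example, not ESET's code or anything from the worm; the .reg text embedded in it is constructed to mirror the keys and paths this page lists, with one benign Run entry and one benign service added for contrast, and the drop directories under Common Files are taken from the page.

```python
import re

# Constructed .reg export (not from a real machine) mirroring the keys this
# page lists, plus a benign Run entry and a benign service for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"gkqmrxa"="C:\\Program Files\\Common Files\\Microsoft Shared\\btisawq.exe"
"qmfqqtb"="C:\\Program Files\\Common Files\\System\\oimfnfy.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\btisawq.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Standard hard disk controllers"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
IFEO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SAFEBOOT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
DISKDRIVE_CLASS = "{4D36E967-E325-11CE-BFC1-08002BE10318}"   # "Disk drives" class GUID
SERVICE_DISABLED = 4
DISABLED_BY_WORM = {"wscsvc", "helpsvc", "wuauserv", "sharedaccess"}
DROP_DIRS = ("\\common files\\system\\", "\\common files\\microsoft shared\\")


def _unescape(s):
    # .reg strings escape backslash and quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: value}} from a .reg export.
    REG_SZ becomes str, REG_DWORD becomes int, other types are kept raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, raw = line.split("=", 1)
        name = "(Default)" if name == "@" else _unescape(name.strip('"'))
        if raw.startswith('"') and raw.endswith('"'):
            value = _unescape(raw[1:-1])
        elif raw.lower().startswith("dword:"):
            value = int(raw[6:], 16)
        else:
            value = raw
        keys[current][name] = value
    return keys


def _normalize(keys):
    """Fold ControlSet00N under CurrentControlSet so both export forms are checked alike."""
    out = {}
    for path, values in keys.items():
        path = re.sub(r"\\SYSTEM\\ControlSet\d+\\", r"\\SYSTEM\\CurrentControlSet\\", path, flags=re.I)
        out.setdefault(path, {}).update(values)
    return out


def _get(values, name):
    """Case-insensitive value lookup (registry value names are case-insensitive)."""
    for n, v in values.items():
        if n.lower() == name.lower():
            return v
    return None


def _subkeys(keys, parent):
    """Yield (leaf_name, values) for the direct children of parent, case-insensitively."""
    prefix = parent.lower() + "\\"
    for path, values in keys.items():
        if path.lower().startswith(prefix) and "\\" not in path[len(prefix):]:
            yield path[len(prefix):], values


def triage(keys):
    """Return (category, subject, detail) findings for the indicators on this page."""
    keys = _normalize(keys)
    findings = []
    run = next((v for p, v in keys.items() if p.lower() == RUN_KEY.lower()), {})
    for name, target in run.items():
        if isinstance(target, str) and any(d in target.lower() for d in DROP_DIRS):
            findings.append(("run_key", name, target))
    for svc, values in _subkeys(keys, SERVICES_KEY):
        if svc.lower() in DISABLED_BY_WORM and _get(values, "Start") == SERVICE_DISABLED:
            findings.append(("service_disabled", svc, "Start=4"))
    for exe, values in _subkeys(keys, IFEO_KEY):
        debugger = _get(values, "Debugger")
        if debugger is not None:
            findings.append(("ifeo_hijack", exe, debugger))
    for mode in ("Minimal", "Network"):
        children = {name.lower() for name, _ in _subkeys(keys, SAFEBOOT_KEY + "\\" + mode)}
        # Only judge a SafeBoot list that the export actually contains.
        if children and DISKDRIVE_CLASS.lower() not in children:
            findings.append(("safeboot_key_missing", mode, DISKDRIVE_CLASS))
    return findings


if __name__ == "__main__":
    for category, subject, detail in triage(parse_reg(SAMPLE_REG)):
        print(f"{category:22s} {subject:12s} {detail}")
```

Regedit writes .reg exports as UTF-16LE, so read a real export with open(path, encoding="utf-16") before passing it to parse_reg. A missing "Disk drives" class key is only reported when the export contains the corresponding SafeBoot subtree, which is why the constructed sample yields a finding for Minimal but stays silent for Network.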

Spreading on removable media

Win32/Delf.NDF is a worm that spreads via removable media.


The worm copies itself to the following location:

  • %drive%\qmfqqtb.exe

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.


Thus, the worm ensures it is started each time infected media is inserted into the computer.
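To see what an autorun.inf of the kind dropped here actually does, and why the "NoDriveTypeAutoRun" value the worm writes (145) does not stop it, the following Python is an added example rather than anything from the page or from ESET. The autorun.inf content is constructed in the style removable-media worms use, naming the executable this page lists (qmfqqtb.exe) from every launch vector the shell honours; the bit meanings of NoDriveTypeAutoRun are the documented Windows ones.

```python
# Constructed autorun.inf (not a capture): every launch vector points at the
# executable this page names, so AutoRun, double-click and the context menu
# verbs all end up starting it.
SAMPLE_AUTORUN_INF = r"""[autorun]
; comment and padding lines are common in malicious autorun.inf files
open=qmfqqtb.exe
shellexecute=qmfqqtb.exe
shell\open=Open(&O)
shell\open\command=qmfqqtb.exe
shell\explore\command=qmfqqtb.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
label=USB DISK
"""

# NoDriveTypeAutoRun bitmask: a set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    "DRIVE_UNKNOWN": 0x01, "DRIVE_NO_ROOT_DIR": 0x02, "DRIVE_REMOVABLE": 0x04,
    "DRIVE_FIXED": 0x08, "DRIVE_REMOTE": 0x10, "DRIVE_CDROM": 0x20,
    "DRIVE_RAMDISK": 0x40, "RESERVED": 0x80,
}


def parse_autorun(text):
    """Return the [autorun] section as {key_lower: value}; other sections and
    ';' comments are ignored, as the shell ignores them."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(text):
    """Every way the shell could run a file from this autorun.inf: the AutoRun
    'open' command, 'shellexecute', each shell\\<verb>\\command, and the verb
    that 'shell=' makes the default for a double-click on the drive."""
    entries = parse_autorun(text)
    targets = {}
    for direct in ("open", "shellexecute"):
        if direct in entries:
            targets[direct] = entries[direct]
    for key, value in entries.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            targets["shell\\%s\\command" % parts[1]] = value
    if entries.get("shell"):
        targets["default_verb"] = entries["shell"].lower()
    return targets


def referenced_files(targets):
    """Distinct programs the launch commands would start (first token of each)."""
    return {v.split()[0].strip('"').lower() for k, v in targets.items() if k != "default_verb"}


def autorun_allowed(mask):
    """Drive types on which AutoRun stays enabled under a NoDriveTypeAutoRun mask."""
    return sorted(name for name, bit in DRIVE_TYPE_BITS.items() if not mask & bit)


if __name__ == "__main__":
    targets = launch_targets(SAMPLE_AUTORUN_INF)
    for vector, value in targets.items():
        print(f"{vector:22s} -> {value}")
    print("programs started:", referenced_files(targets))
    print("AutoRun still enabled for:", autorun_allowed(145))
    print("AutoRun fully disabled:", autorun_allowed(0xFF))
```

A legitimate autorun.inf on removable media usually carries only icon= and label=; a file that names the same executable from open=, shellexecute= and the shell verbs is a strong indicator on its own. autorun_allowed(145) shows that DRIVE_REMOVABLE and DRIVE_CDROM remain enabled under the value the worm sets, while 0xFF (255) is the value that switches AutoRun off for every drive type.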

Other information

The following services are disabled:

  • wscsvc
  • helpsvc
  • wuauserv
  • SharedAccess

The following programs are terminated:

  • Ras.exe
  • avp.com
  • avp.exe
  • runiep.exe
  • PFW.exe
  • FYFireWall.exe
  • rfwmain.exe
  • rfwsrv.exe
  • KAVPF.exe
  • KPFW32.exe
  • nod32kui.exe
  • nod32.exe
  • Navapsvc.exe
  • Navapw32.exe
  • avconsol.exe
  • webscanx.exe
  • NPFMntor.exe
  • vsstat.exe
  • KPfwSvc.exe
  • RavTask.exe
  • Rav.exe
  • RavMon.exe
  • mmsk.exe
  • WoptiClean.exe
  • QQKav.exe
  • QQDoctor.exe
  • EGHOST.exe
  • 360Safe.exe
  • iparmo.exe
  • adam.exe
  • IceSword.exe
  • 360rpt.exe
  • 360tray.exe
  • AgentSvr.exe
  • AppSvc32.exe
  • autoruns.exe
  • avgrssvc.exe
  • AvMonitor.exe
  • CCenter.exe
  • ccSvcHst.exe
  • FileDsty.exe
  • FTCleanerShell.exe
  • HijackThis.exe
  • Iparmor.exe
  • isPwdSvc.exe
  • kabaload.exe
  • KaScrScn.SCR
  • KASMain.exe
  • KASTask.exe
  • KAV32.exe
  • KAVDX.exe
  • KAVPFW.exe
  • KAVSetup.exe
  • KAVStart.exe
  • KISLnchr.exe
  • KMailMon.exe
  • KMFilter.exe
  • KPFW32.exe
  • KPFW32X.exe
  • KPFWSvc.exe
  • KRegEx.exe
  • KRepair.com
  • KsLoader.exe
  • KVCenter.kxp
  • KvDetect.exe
  • KvfwMcl.exe
  • KVMonXP.kxp
  • KVMonXP_1.kxp
  • kvol.exe
  • kvolself.exe
  • KvReport.kxp
  • KVScan.kxp
  • KVSrvXP.exe
  • KVStub.kxp
  • kvupload.exe
  • kvwsc.exe
  • KvXP.kxp
  • KvXP_1.kxp
  • KWatch.exe
  • KWatch9x.exe
  • KWatchX.exe
  • loaddll.exe
  • MagicSet.exe
  • mcconsol.exe
  • mmqczj.exe
  • nod32krn.exe
  • PFWLiveUpdate.exe
  • QHSET.exe
  • RavMonD.exe
  • RavStub.exe
  • RegClean.exe
  • rfwcfg.exe
  • RfwMain.exe
  • rfwsrv.exe
  • RsAgent.exe
  • Rsaupd.exe
  • safelive.exe
  • scan32.exe
  • shcfg32.exe
  • SmartUp.exe
  • SREng.EXE
  • symlcsvc.exe
  • SysSafe.exe
  • TrojanDetector.exe
  • Trojanwall.exe
  • TrojDie.kxp
  • UIHost.exe
  • UmxAgent.exe
  • UmxAttachment.exe
  • UmxCfg.exe
  • UmxFwHlp.exe
  • UmxPol.exe
  • UpLive.exe
  • upiea.exe
  • AST.exe
  • ArSwp.exe
  • USBCleaner.exe
  • rstrui.exe
  • QQLiveUpdate.exe
  • QQUpdateCenter.exe
  • Timwp.exe

The worm terminates any program whose window title contains any of the following strings:

  • :\- WinRAR
  • System
  • Microsoft Shared
  • 2007
  • Process
  • Virus
  • Trojan
  • Sysinternals
  • meex
  • autorun
  • gkqmrxa
  • qmfqqtb
  • oimfnfy
  • btisawq

The worm contains a list of URLs. It tries to download several files from these addresses over HTTP and then executes them.


The worm may create the following files:

  • %programfiles%\Common Files\System\gkqmrxa.inf
  • %programfiles%\meex.exe
  • %programfiles%\1Alsass.exe
  • %programfiles%\2Bz.exe
  • %programfiles%\1.hiv
  • %programfiles%\2.hiv
  • %programfiles%\3.hiv
  • %programfiles%\4.hiv
  • %programfiles%\sonew.txt
  • %programfiles%\newso.txt
  • %windir%\System32\net.exe
  • %windir%\System32\sexit.exe