Win32/Delf.NGY [Threat Name] go to Threat

Win32/Delf.NGY [Threat Variant Name]

Category worm
Size 17920 B
Aliases Backdoor.Win32.DcBot.b (Kaspersky)
  Trojan:Win32/Aegrus (Microsoft)
  Trojan.Horse (Symantec)
Short description

Win32/Delf.NGY is a worm that spreads via IM networks. The file is run-time compressed using UPX .


When executed, the worm copies itself into the following location:

  • %windir%\­yahoodc.exe (17920 B)

The worm creates the following file:

  • %system%\­yahoodc.dll (20480 B)

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "System" = "%windir%\­yahoodc.exe"
    • "YahooSMsg" = "%windir%\­yahoodc.exe"
Spreading via IM networks

The worm sends links to Yahoo Messenger users.

The message contains a link to a file with the following name:

  • DSC000%random%.pif

The %random% represents a random number.

If the link is clicked a copy of the worm is retrieved from the attacking machine.

Some examples follow.

Other information

The worm contains an URL address.

It tries to download a file from the address.

The file is stored in the following location:

  • %temp%\­dc.exe

The HTTP protocol is used.

The file is then executed.

Please enable Javascript to ensure correct displaying of this content and refresh this page.