Win32/Delf.NQM [Threat Name]

Win32/Delf.NQM [Threat Variant Name]

Category: worm
Size: 428032 B
Aliases:

  • Heur.Worm.Generic (Kaspersky)
  • W32/Trojan-Gypikon-based.DM2!Maximus (F-Prot)
  • Trojan.Siggen.21931 (Dr.Web)

Short description

Win32/Delf.NQM is a worm that spreads by copying itself into certain folders.

Installation

The worm attempts to delete the following files:

  • %systemdrive%\WINDOWS\system32\spoolsv.exe
  • %systemdrive%\WINDOWS\system32\taskmgr.exe
  • %systemdrive%\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
  • %systemdrive%\WINDOWS\regedit.exe
  • %systemdrive%\WINDOWS\system32\CProcess.exe
  • %systemdrive%\WINDOWS\system32\autoruns.exe

The worm copies itself to the following locations:

  • %systemdrive%\WINDOWS\system32\sys32\smss.exe
  • %systemdrive%\WINDOWS\Web\Wallpaper\csrss.exe
  • C:\WINDOWS\system32\taskmgr.exe
  • D:\WINDOWS\system32\taskmgr.exe
  • C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
  • D:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
  • C:\WINDOWS\regedit.exe
  • D:\WINDOWS\regedit.exe
  • D:\WINDOWS\system32\spoolsv.exe
  • %personal%\Mes images\Costantine.Jpg.exe
  • %personal%\Mes images\SuperPhoto.Jpg.exe
  • %personal%\Skofilde.Jpg.exe
  • %personal%\PrisonBreak.Jpg.exe
  • %personal%\Photo.Jpg.exe
  • C:\mePhoto.Jpg.exe
  • C:\Photo.Jpg.exe
  • D:\Algérie.Jpg.exe
  • E:\ZinneDineZidane.Jpg.exe
  • F:\SuperPhotoAlgerie.Jpg.exe
  • G:\Photo.Jpg.exe
  • H:\Constantine1880.Jpg.exe
  • I:\Constantine1852.Jpg.exe
  • K:\PhotoAlbom.Jpg.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%systemdrive%\WINDOWS\system32\sys32\smss.exe" = "%systemdrive%\WINDOWS\system32\sys32\smss.exe"
    • "%systemdrive%\WINDOWS\Web\Wallpaper\csrss.exe" = "%systemdrive%\WINDOWS\Web\Wallpaper\csrss.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
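
The installation traces listed above can be turned into triage checks over a collected file listing and registry export. The following is an added example, not part of the original write-up: the function names and sample list are hypothetical, the Windows folder is assumed to be named "WINDOWS" as in the listed paths, and the double-extension check is generalized from the .Jpg.exe names on the page to other common image extensions.

```python
import ntpath
import re

# Names the write-up says the worm copies itself under, mapped to the one
# directory where the genuine Windows binary lives (assumes the Windows
# folder is named "WINDOWS", as in the paths listed on the page).
GENUINE_DIR = {"smss.exe": r"\windows\system32", "csrss.exe": r"\windows\system32"}
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp)\.exe$", re.IGNORECASE)
RUN_KEY = r"software\microsoft\windows\currentversion\run"
POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"

def check_file(path):
    """Return the reasons a file path matches the behaviour described."""
    # Drop "C:" or "%systemdrive%" so both spellings compare equal.
    rest = re.sub(r"^(%systemdrive%|[a-z]:)", "", path.strip().lower())
    directory, name = ntpath.split(rest)
    reasons = []
    if DOUBLE_EXT.search(name):
        reasons.append("image name with .exe double extension")
    expected = GENUINE_DIR.get(name)
    if expected and directory != expected:
        reasons.append("system process name outside System32")
    return reasons

def check_registry(key, name, data):
    """Return the reasons one registry value (key, name, data) is suspicious."""
    key = key.lower().rstrip("\\")
    reasons = []
    if key.endswith(RUN_KEY) and check_file(str(data)):
        reasons.append("Run entry starts a flagged path")
    if key.endswith(POLICY_KEY) and name.lower() == "disabletaskmgr" and str(data) == "1":
        reasons.append("Task Manager disabled by policy")
    return reasons

# Constructed triage input: paths taken from the lists above plus two benign ones.
SAMPLE_FILES = [
    r"%systemdrive%\WINDOWS\system32\sys32\smss.exe",
    r"C:\WINDOWS\system32\csrss.exe",          # genuine location, not flagged
    r"%personal%\PrisonBreak.Jpg.exe",
    r"D:\holiday.jpg",                          # constructed benign file
]

def triage(files):
    """Map each flagged path to its reasons; clean paths are omitted."""
    return {p: r for p in files if (r := check_file(p))}

if __name__ == "__main__":
    for path, why in triage(SAMPLE_FILES).items():
        print(path, "->", "; ".join(why))
```

The copies written over taskmgr.exe, msconfig.exe, regedit.exe and spoolsv.exe sit at the genuine paths, so path checks cannot flag them; those need a hash or signature comparison against known-good files.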

Other information

The worm can trigger unexpected keyboard and/or mouse behavior.

The worm may open the CD/DVD drive.
