Win32/Delf.Z [Threat Name] go to Threat

Win32/Delf.Z [Threat Variant Name]

Category virus,worm
Aliases Email-Worm.Win32.Delf.z (Kaspersky)
Short description

Win32/Delf.Z is a worm that spreads via e-mail and shared folders. The file is run-time compressed using UPX .


When executed, the worm copies itself into the %system% folder using the following name:

  • msnmsg.exe

The following file is dropped in the same folder:

  • svchost.dll

Size of the file is approximately 22 kB .

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "msnmsg" = "%system%\­msnmsg.exe"
Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • doc
  • htm
  • html
  • txt
  • vbs

Addresses containing the following strings are avoided:

  • @addres
  • @antivi
  • @avp
  • @bitdefender
  • @f-pro
  • @f-secur
  • @fbi
  • @freeav
  • @kaspersky
  • @mcafee
  • @messagel
  • @microsof
  • @norman
  • @norton
  • @pandasof
  • @sophos
  • @spam
  • @symantec
  • @viruslis
  • abuse@
  • noreply@
  • ntivir
  • reports@
  • spam
  • spam@
  • user@

Subject of the message is the following:

  • Audio-message

The attachment is an executable of the worm.

Its filename is the following:

  • audio_001.mp3.exe
Spreading via shared folders

The worm searches for computers in the local network.

It tries co copy itself into the root folder of the C: drive on a remote machine using the following name:

  • msnmsg.exe

It may also make changes to the following file in the same folder:

  • AutoExec.bat

This causes the worm to be executed on every system start.

Other information

The worm is able to log keystrokes.

The dropped DLL file is responsible for this.

The worm can send the information to a remote machine. The FTP protocol is used.

Please enable Javascript to ensure correct displaying of this content and refresh this page.