Win32/Delf.NZL [Threat Name]
Win32/Delf.NZL [Threat Variant Name]
|Detection created|Feb 13, 2009|
|Signature database version|8634|
Win32/Delf.NZL is a trojan which tries to promote certain web sites. The file is run-time compressed using UPX.
When executed, the trojan copies itself into the following location:
The trojan registers itself as a system service using the following name:
This causes the trojan to be executed on every system start.
The following Registry entries are set:
- "Description" = "Manages network configuration by registering and updating IP addresses Services and DNS names services."
- "Type" = 272
- "Start" = 2
- "ErrorControl" = 1
- "ImagePath" = "%windir%\dhcp\svchost.exe"
- "DisplayName" = "Dhcp server"
- "ObjectName" = "LocalSystem"
- "Security" = %hexvalue%
- "0" = "Root\LEGACY_DHCPSRV\0000"
- "Count" = 1
- "NextInstance" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1601" = 0
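
A defender-side check for the service entries listed above, added here as an example and not part of the original description: it flags any service whose image is named svchost.exe but sits outside System32 or SysWOW64, as the "ImagePath" value above does. The function names, the sample data, the EXAMPLE_SERVICE key name (a placeholder, the description does not give the key) and the default C:\Windows directory are assumptions.

```python
import ntpath

def normalize_image_path(raw, windir=r"C:\Windows"):
    """Return the lowercase executable path from a service ImagePath value."""
    p = raw.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]          # quoted: keep the text inside the quotes
    elif ".exe" in p.lower():
        p = p[:p.lower().find(".exe") + 4]  # unquoted: drop arguments after the .exe
    if p.startswith("\\??\\"):
        p = p[4:]                           # NT object-manager prefix
    for prefix in ("%windir%", "%systemroot%", "\\systemroot"):
        if p.lower().startswith(prefix):
            p = windir + p[len(prefix):]    # expand to the assumed Windows directory
            break
    return ntpath.normpath(p).lower()

def suspicious_services(services, windir=r"C:\Windows"):
    """Flag services named svchost.exe that live outside System32/SysWOW64."""
    legit = {ntpath.join(windir, d).lower() for d in ("System32", "SysWOW64")}
    findings = []
    for name, values in services.items():
        path = normalize_image_path(values.get("ImagePath", ""), windir)
        if ntpath.basename(path) == "svchost.exe" and ntpath.dirname(path) not in legit:
            autostart = values.get("Start") == 2   # 2 = started automatically at boot
            findings.append((name, path, autostart))
    return findings

# Constructed sample: service key name -> values, as read from
# HKLM\SYSTEM\CurrentControlSet\Services. EXAMPLE_SERVICE is a placeholder name;
# its values are the ones listed in the description above.
SAMPLE = {
    "Dhcp": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalService",
             "Start": 2},
    "EXAMPLE_SERVICE": {"ImagePath": r"%windir%\dhcp\svchost.exe", "Start": 2,
                        "Type": 272, "DisplayName": "Dhcp server"},
    "Spooler": {"ImagePath": r"C:\Windows\System32\spoolsv.exe", "Start": 2},
}

if __name__ == "__main__":
    for name, path, autostart in suspicious_services(SAMPLE):
        print(f"{name}: {path} (autostart={autostart})")
```

On a live system the dictionary would be filled from the Services registry key, for example with the standard-library `winreg` module.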
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address. The HTTP protocol is used.
It can execute the following operations:
- open a specific URL address
- redirect network traffic
The trojan can modify the following file: