Win32/Delf.NZL [Threat Name]

Win32/Delf.NZL [Threat Variant Name]

Category trojan
Size 194560 B
Detection created Feb 13, 2009
Signature database version 8634
Aliases Trojan:Win32/Delf.EO (Microsoft)
  Adclicker-GV.trojan (McAfee)
  Trojan.Horse (Symantec)
Short description

Win32/Delf.NZL is a trojan which tries to promote certain web sites. The file is run-time compressed using UPX.

Installation

When executed, the trojan copies itself into the following location:

  • %windir%\dhcp\svchost.exe

The trojan registers itself as a system service using the following name:

  • DhcpSrv

This causes the trojan to be executed on every system start.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DhcpSrv]
    • "Description" = "Manages network configuration by registering and updating IP addresses Services and DNS names services."
    • "Type" = 272
    • "Start" = 2
    • "ErrorControl" = 1
    • "ImagePath" = "%windir%\dhcp\svchost.exe"
    • "DisplayName" = "Dhcp server"
    • "ObjectName" = "LocalSystem"
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DhcpSrv\Security]
    • "Security" = %hexvalue%
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DhcpSrv\Enum]
    • "0" = "Root\LEGACY_DHCPSRV\0000"
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1601" = 0
Other information

Win32/Delf.NZL is a trojan which tries to promote certain web sites.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP protocol is used.


It can execute the following operations:

  • open a specific URL address
  • redirect network traffic

The trojan can modify the following file:

  • %system%\drivers\etc\hosts
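Added example (not part of the ESET entry): a Python check for the two host-side indicators described above, a service named DhcpSrv whose ImagePath points at a svchost.exe outside System32, and non-loopback entries in the hosts file. The service record and hosts content are constructed samples, and the heuristics are assumptions for illustration, not ESET's detection signature.

```python
import re

# Constructed sample modelling the DhcpSrv service key values listed above.
SAMPLE_SERVICE = {
    "name": "DhcpSrv",
    "ImagePath": r"C:\Windows\dhcp\svchost.exe",
    "Type": 272,          # 0x110 = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS
    "Start": 2,           # SERVICE_AUTO_START
    "ObjectName": "LocalSystem",
}

# Constructed hosts file: one legitimate loopback line and one redirect.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
203.0.113.5     www.example.com
"""

# Directories from which a genuine svchost.exe is expected to run.
LEGIT_SVCHOST_DIRS = ("\\system32\\", "\\syswow64\\")
LOOPBACK = {"127.0.0.1", "::1"}

def check_service(svc: dict) -> list[str]:
    """Return indicator strings for a service record shaped like SAMPLE_SERVICE."""
    findings = []
    # Keep only the executable part of ImagePath (drop quotes and "-k ..." arguments).
    m = re.match(r'"?(.*?\.exe)', svc.get("ImagePath", ""), re.IGNORECASE)
    exe = (m.group(1) if m else svc.get("ImagePath", "")).lower()
    if exe.endswith("\\svchost.exe") and not any(d in exe for d in LEGIT_SVCHOST_DIRS):
        findings.append(f"svchost.exe outside System32: {svc['ImagePath']}")
    # Real svchost-hosted services are SERVICE_WIN32_SHARE_PROCESS (0x20); 0x110 is an
    # own-process, interactive binary that merely borrows the svchost name.
    if svc.get("Type") == 0x110 and exe.endswith("\\svchost.exe"):
        findings.append(f"service {svc.get('name')} has Type 0x110 but claims to be svchost")
    return findings

def check_hosts(text: str) -> list[str]:
    """Return non-loopback mappings; a default Windows hosts file has none."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr not in LOOPBACK:
            findings.append(f"non-loopback mapping: {addr} -> {' '.join(names)}")
    return findings

if __name__ == "__main__":
    for f in check_service(SAMPLE_SERVICE) + check_hosts(SAMPLE_HOSTS):
        print("[!]", f)
```

On a live system the same functions can be fed values read from the Services key and from %system%\drivers\etc\hosts; a non-loopback hosts entry is a lead to review, not proof of infection on its own.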
