Win32/Delf.SUZ [Threat Name] go to Threat

Win32/Delf.SUZ [Threat Variant Name]

Category trojan
Size 948224 B
Detection created Mar 26, 2015
Signature database version 11687
Short description

Win32/Delf.SUZ is a trojan which tries to download other malware from the Internet.

Installation

The trojan copies itself to the following location:

  • %appdata%\­winntcrytserv.exe

The trojan may create the following files:

  • %appdata%\­winntcrytserv.exe.%number%

The variable %number% represents a number in the range 0 - 99999 .


The trojan registers itself as a system service.


This causes the trojan to be executed on every system start.


The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­services\­eventlog\­Application\­winntcrytserv]
    • "EventMessageFile" = "%appdata%\­winntcrytserv.exe"
    • "TypesSupported" = 7
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­services\­winntcrytserv]
    • "Description" = "NT Cryticals Services"
    • "DisplayName" = "winntcrytserv"
    • "ErrorControl" = 1
    • "FailureActions" = "0A00000001000000010000000100000014000000010000000A000000"
    • "ImagePath" = "%appdata%\­winntcrytserv.exe"
    • "ObjectName" = LocalSystem
    • "Start" = 2
    • "Type" = 16
Information stealing

The trojan collects the following information:

  • volume serial number

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP protocol is used in the communication.


It tries to download and execute the other part of the infiltration from the address.

Please enable Javascript to ensure correct displaying of this content and refresh this page.