Win32/AutoRun.Delf.CJ [Threat Name]

Win32/AutoRun.Delf.CJ [Threat Variant Name]

Category: worm
Size: 1936384 B
Aliases: Trojan.Win32.Sasfis.tq (Kaspersky)
         Trojan:Win32/Ircbrute (Microsoft)
         W32.Spybot.Worm (Symantec)
Short description

Win32/AutoRun.Delf.CJ is a worm that spreads by copying itself into the root folders of available drives. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself to one or more of the following locations:

  • %programfiles%\Internet Explorer\svchost.exe
  • %profile%\svchost.exe

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "svchost" = "%programfiles%\Internet Explorer\svchost.exe"

The worm may execute the following commands:

  • %system%\schtasks.exe /Create /SC ONLOGON /TR "%profile%\svchost.exe" /TN svchost /RL HIGHEST
  • %system%\schtasks.exe /RUN /TN "svchost"

This causes the worm to be executed on every system start.


The worm runs the following process:

  • %programfiles%\Internet Explorer\iexplore.exe

The worm creates and runs a new thread with its own program code within the following processes:

  • iexplore.exe
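
The persistence described in this section (dropped svchost.exe copies, the HKLM Run value, the ONLOGON scheduled task) can be checked on a host with the following script. It is an added example, not part of the ESET entry: the paths and names are the ones listed above, while the Authenticode check and the reminder that a genuine svchost.exe lives only under %SystemRoot%\System32 (or SysWOW64) are my own additions. Get-ScheduledTask needs the ScheduledTasks module (Windows 8 / Server 2012 and later); on older systems substitute schtasks.exe /Query /TN svchost.

```powershell
# Added example (not ESET's): look for the Win32/AutoRun.Delf.CJ persistence artifacts.
$ieDir = Join-Path $env:ProgramFiles 'Internet Explorer'
$suspectFiles = @(
    (Join-Path $ieDir 'svchost.exe'),           # %programfiles%\Internet Explorer\svchost.exe
    (Join-Path $env:USERPROFILE 'svchost.exe')  # %profile%\svchost.exe
)

$findings = @()

# 1. Dropped copies. The only legitimate svchost.exe locations are System32 and SysWOW64,
#    so a file with this name anywhere else is suspicious regardless of its signature.
foreach ($f in $suspectFiles) {
    if (Test-Path -LiteralPath $f) {
        $sig = Get-AuthenticodeSignature -FilePath $f
        $findings += [pscustomobject]@{ Type = 'File'; Location = $f; Detail = "Signature: $($sig.Status)" }
    }
}

# 2. The "svchost" value under the HKLM Run key.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'svchost' -ErrorAction SilentlyContinue
if ($runVal) {
    $findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$runKey\svchost"; Detail = $runVal.svchost }
}

# 3. The scheduled task named "svchost" (created with /SC ONLOGON /RL HIGHEST).
$task = Get-ScheduledTask -TaskName 'svchost' -ErrorAction SilentlyContinue
if ($task) {
    $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += [pscustomobject]@{
        Type     = 'ScheduledTask'
        Location = $task.TaskPath + $task.TaskName
        Detail   = "Action: $action; RunLevel: $($task.Principal.RunLevel)"
    }
}

if ($findings.Count -eq 0) {
    'No Win32/AutoRun.Delf.CJ persistence artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM key and the task store are readable. Treat any hit as a reason to image the host rather than to clean it in place, since the entry also describes a backdoor.
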

Spreading

Win32/AutoRun.Delf.CJ is a worm that spreads by copying itself into the root folders of available drives.

The following filename is used:

  • Run.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.
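
The following script inspects the root of every removable and fixed drive for the autorun.inf / Run.exe pair described above and reports the AutoRun policy state. It is an added example, not part of the ESET entry; the autorun.inf parsing, the NoDriveTypeAutoRun policy value (documented by Microsoft in KB967715, where 0xFF disables AutoRun for all drive types) and the -DisableAutoRun switch are my own additions. Note that Windows 7 and later with that update already ignore autorun.inf on USB mass storage, so on a current system the file is mainly an indicator that the medium has been plugged into an infected machine.

```powershell
# Added example (not ESET's): save as Check-Autorun.ps1 and run from an elevated prompt.
param([switch]$DisableAutoRun)

# DriveType 2 = removable, 3 = fixed (WMI Win32_LogicalDisk).
$drives = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 3 }

foreach ($d in $drives) {
    $root = $d.DeviceID + '\'
    $inf  = Join-Path $root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }

    # Parse the [autorun] section; only the keys that launch a program matter here.
    $launch = @()
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($matches[1] -ieq 'autorun'); continue }
        if ($inSection -and $t -match '^(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+)$') {
            $launch += $matches[2]
        }
    }

    foreach ($cmd in $launch) {
        # Reduce "path\prog.exe args" to the bare executable name.
        $exe = (($cmd -split '\s+')[0]).Trim('"') | Split-Path -Leaf
        $flag = if ($exe -ieq 'Run.exe') { 'MATCHES Win32/AutoRun.Delf.CJ' } else { 'review' }
        $present = Test-Path -LiteralPath (Join-Path $root $exe)
        "{0} autorun.inf launches '{1}' [{2}]; target present on drive: {3}" -f $root, $cmd, $flag, $present
    }
}

# AutoRun policy state. 0xFF (255) disables AutoRun for every drive type.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$cur = (Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($null -eq $cur) { 'NoDriveTypeAutoRun: not set (OS default applies)' }
else { 'NoDriveTypeAutoRun: 0x{0:X2}' -f $cur }

if ($DisableAutoRun) {
    if (-not (Test-Path $polKey)) { New-Item -Path $polKey -Force | Out-Null }
    Set-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    'AutoRun disabled for all drive types; takes effect at next logon.'
}
```

An autorun.inf that launches any executable stored on the same removable medium is worth a look even when the name is not Run.exe, which is why non-matching entries are reported as "review" rather than ignored.
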

Other information

The worm may create the following files:

  • %programfiles%\Internet Explorer\iesettings.ceb

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of addresses. The HTTP and IRC protocols are used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • perform DoS/DDoS attacks
  • terminate running processes
  • open a specific URL address

The following information is collected:

  • operating system version

The worm collects information related to the following applications:

  • ICQ
  • Internet Explorer
  • Mozilla Firefox

The worm can send the information to a remote machine.
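
The backdoor side of this entry leaves two things a responder can look for on a live host: the iesettings.ceb file and an iexplore.exe process that carries the worm's injected thread and talks HTTP or IRC to the address list. The script below is an added example, not part of the ESET entry. The file path comes from the entry; the "web ports" list, the assumption that IRC command traffic will show up as an established TCP connection on some other port, and the no-main-window heuristic for a headless iexplore.exe instance are mine. Get-NetTCPConnection exists on Windows 8 / Server 2012 and later.

```powershell
# Added example (not ESET's): backdoor indicators for Win32/AutoRun.Delf.CJ.
$ceb = Join-Path (Join-Path $env:ProgramFiles 'Internet Explorer') 'iesettings.ceb'
if (Test-Path -LiteralPath $ceb) {
    $fi = Get-Item -LiteralPath $ceb
    'iesettings.ceb present: {0} bytes, last written {1}' -f $fi.Length, $fi.LastWriteTime
}

# Ports a browser process is expected to use; anything else from iexplore.exe is flagged.
$webPorts = 80, 443, 8080

$ie = Get-Process -Name iexplore -ErrorAction SilentlyContinue
foreach ($p in $ie) {
    # Map established sockets back to this PID.
    $conns = Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        if ($c.RemotePort -notin $webPorts) {
            'iexplore.exe PID {0}: {1}:{2} -> {3}:{4} (non-web port; check against the C2 address list)' -f `
                $p.Id, $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort
        }
    }

    # Heuristic: an iexplore.exe started only to host the worm's thread usually has no window.
    if ($p.MainWindowHandle -eq 0) {
        'iexplore.exe PID {0} has no main window (headless instance, started {1})' -f $p.Id, $p.StartTime
    }
}
```

Connections on port 80 can still be command traffic over HTTP, so the port filter only prioritises the output; the remote addresses of every iexplore.exe connection should be compared with proxy and DNS logs for the same time window.
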
