Win32/Delf.NGW [Threat Name]

Win32/Delf.NGW [Threat Variant Name]

Category: trojan, worm
Size: 33792 B
Aliases: Trojan-Proxy.Win32.Delf.dy (Kaspersky)
  Backdoor.Trojan (Symantec)
  Generic.Downloader.ab.trojan (McAfee)

Short description

Win32/Delf.NGW installs a backdoor that can be controlled remotely. The file is run-time compressed using PECompact.


When executed, the trojan copies itself to the following locations:

  • %windir%\msiutil.exe
  • %windir%\system\lprhelp32.dll
  • c:\gameload.dll

The trojan creates the following files:

  • %windir%\kbdfi32.dll (26624 B)
  • c:\ali.html (0 B)

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Microsoft Windows Visual V2.0" = "%windir%\msiutil.exe"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft Windows Visual V2.0]
    • "StubPath" = "%windir%\msiutil.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
    • "Microsoft Windows Visual V2.0" = "%garbage_string%"

The trojan runs the default Internet browser.

The trojan loads and injects the %windir%\kbdfi32.dll library into the following processes:

  • %default_internet_browser%
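
The registry entries listed above can be checked offline in a registry export collected during triage. The following is an added example, not part of the original description or any vendor tooling; the function names are hypothetical, and it assumes the input is the already-decoded text of a `reg export` dump and that the values of interest are plain string (REG_SZ) values.

```python
import re

# Indicators taken from the description above; compared case-insensitively.
MARKER = "microsoft windows visual v2.0"
CURVER = r"hkey_current_user\software\microsoft\windows\currentversion"
RUN_KEY = CURVER + r"\run"
ACTIVE_SETUP = (r"hkey_local_machine\software\microsoft\active setup"
                r"\installed components" + "\\" + MARKER)

SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg exports escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION.match(line)):
            key = m.group(1)
        elif key and (m := STRING_VALUE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def find_delf_ngw(text):
    """Return (indicator, key, data) for each registry entry listed above."""
    hits = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        if k == RUN_KEY and n == MARKER:
            hits.append(("run-key", key, data))
        elif k == ACTIVE_SETUP and n == "stubpath":
            hits.append(("active-setup", key, data))
        elif k == CURVER and n == MARKER:
            hits.append(("marker-value", key, data))
    return hits

# Constructed sample export (real `reg export` files are UTF-16; decode first).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft Windows Visual V2.0"="C:\\WINDOWS\\msiutil.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft Windows Visual V2.0]
"StubPath"="C:\\WINDOWS\\msiutil.exe"
'''
```

Calling `find_delf_ngw(SAMPLE)` reports the Run value and the Active Setup `StubPath`, each with the path it points to, and skips the benign `ctfmon.exe` entry.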

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 6 URLs and tries to download a file from these addresses. The HTTP protocol is used.

The file is stored in the following folder:

  • %windir%

The following filename is used:

  • stclient.ini

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes
  • delete cookies

It can send various information about the infected computer to an attacker.

The following information is collected:

  • user name
  • operating system version
  • malware version
