Win32/Delf.NZL [Threat Name]
Win32/Delf.NZL [Threat Variant Name]
Category | trojan |
Size | 194560 B |
Aliases | Trojan:Win32/Delf.EO (Microsoft), Adclicker-GV.trojan (McAfee), Trojan.Horse (Symantec) |
Short description
Win32/Delf.NZL is a trojan which tries to promote certain web sites. The file is run-time compressed using UPX.
Installation
When executed, the trojan copies itself into the following location:
- %windir%\dhcp\svchost.exe
The trojan registers itself as a system service using the following name:
- DhcpSrv
This causes the trojan to be executed on every system start.
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DhcpSrv]
- "Description" = "Manages network configuration by registering and updating IP addresses Services and DNS names services."
- "Type" = 272
- "Start" = 2
- "ErrorControl" = 1
- "ImagePath" = "%windir%\dhcp\svchost.exe"
- "DisplayName" = "Dhcp server"
- "ObjectName" = "LocalSystem"
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DhcpSrv\Security]
- "Security" = %hexvalue%
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DhcpSrv\Enum]
- "0" = "Root\LEGACY_DHCPSRV\0000"
- "Count" = 1
- "NextInstance" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1601" = 0
Other information
Win32/Delf.NZL is a trojan which tries to promote certain web sites.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address. The HTTP protocol is used.
It can execute the following operations:
- open a specific URL address
- redirect network traffic
The trojan can modify the following file:
- %system%\drivers\etc\hosts
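The artifacts listed under Installation and Other information (the DhcpSrv service, the dropped copy under %windir%\dhcp, the Internet zone 3 value and the hosts file) can be checked on a suspect host with the following script. It is an added example, not part of the ESET entry; the variable names and the "non-loopback hosts entry" heuristic are this example's own assumptions, and it is meant to be run from an elevated PowerShell session.

```powershell
# Added example (not from the ESET entry): look for the persistence artifacts and
# the hosts-file change that the Win32/Delf.NZL description lists. Run elevated.
$svcName   = 'DhcpSrv'                                                    # service name from the entry
$svcKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
$dropPath  = Join-Path $env:windir 'dhcp\svchost.exe'                     # %windir%\dhcp\svchost.exe
$zoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'       # %system%\drivers\etc\hosts
$findings  = @()

# 1. A service called DhcpSrv whose ImagePath is the copied file. Windows' own DHCP
#    client service is named 'Dhcp' and runs from %windir%\System32\svchost.exe.
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    if ($svc.ImagePath -like '*\dhcp\svchost.exe*') {
        $findings += "Service $svcName -> $($svc.ImagePath) (Start=$($svc.Start), ObjectName=$($svc.ObjectName))"
    }
}

# 2. The dropped copy on disk. Record size and hash so the sample can be compared
#    against the entry (194560 B) and submitted for analysis.
if (Test-Path $dropPath) {
    $size = (Get-Item $dropPath).Length
    $hash = (Get-FileHash -Path $dropPath -Algorithm SHA256).Hash
    $findings += "File present: $dropPath ($size B, SHA256 $hash)"
}

# 3. Internet zone 3 value 1601 = 0, as listed in the entry's registry changes.
if (Test-Path $zoneKey) {
    $val = (Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue).'1601'
    if ($val -eq 0) { $findings += "Internet zone 3 value 1601 is 0" }
}

# 4. Active IPv4 mappings in the hosts file other than the default loopback line.
#    Any such line on a host that should not have custom entries deserves a look.
$hostsEntries = @(Get-Content $hostsFile -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\b' })
if ($hostsEntries.Count -gt 0) {
    $findings += "hosts file has $($hostsEntries.Count) active mapping(s):"
    $findings += $hostsEntries | ForEach-Object { "    $_" }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Win32/Delf.NZL artifacts found.' }
```

If the service is found, stop it and disable it before removing the file, since the ImagePath entry will otherwise recreate the problem on the next boot.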