Win32/Delf.RLQ [Threat Name]

Win32/Delf.RLQ [Threat Variant Name]

Category: trojan
Size: 616960 B
Aliases: Delf.AMLA.trojan (AVG)
Short description

Win32/Delf.RLQ is a trojan which tries to download other malware from the Internet. The trojan is usually a part of other malware.


When executed, the trojan copies itself into the following location:

  • %systemroot%\System32\pncrt.dll

The trojan creates the following folders:

  • %systemroot%\System32\Wbem\LogsWork\

The trojan creates the following files:

  • %systemroot%\System32\Wbem\csvgad.xsl
  • %systemroot%\System32\Wbem\cscdll.dll (49152 B)
  • %systemroot%\System32\cscdll.dll (99840 B)

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
    • "Path" = "%originalvalue%;%systemroot%\System32\Wbem"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    • "DllName" = "cscdll.dll"
    • "Asynchronous" = 1
    • "Impersonate" = 0
    • "Startup" = "WinlogonStartupEvent"

This causes the trojan to be executed on every system start.
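
A read-only host check for the file, folder and registry artifacts listed above, as an added example that is not part of the original description. It assumes it is run in PowerShell on the host being examined; the variable names are illustrative, and the reading of a repeated Path entry is an assumption noted in the comments.

```powershell
# Added example: read-only triage for the artifacts this description lists.
# Size values are the ones given on the page; nothing on the host is changed.
$sys32 = Join-Path $env:SystemRoot 'System32'
$artifacts = @(
    @{ Path = "$sys32\pncrt.dll";       Size = 0 },
    @{ Path = "$sys32\Wbem\LogsWork";   Size = 0 },
    @{ Path = "$sys32\Wbem\csvgad.xsl"; Size = 0 },
    @{ Path = "$sys32\Wbem\cscdll.dll"; Size = 49152 },
    @{ Path = "$sys32\cscdll.dll";      Size = 99840 }
)
$findings = @()

foreach ($a in $artifacts) {
    if (-not (Test-Path -LiteralPath $a.Path)) { continue }
    $item = Get-Item -LiteralPath $a.Path -Force
    $note = 'present'
    if ($a.Size -gt 0 -and -not $item.PSIsContainer) {
        if ($item.Length -eq $a.Size) { $note = "present, size matches ($($a.Size) B)" }
        else { $note = "present, size $($item.Length) B differs from listed $($a.Size) B" }
    }
    $findings += "{0}: {1}" -f $a.Path, $note
}

# Winlogon notification package. "cscdll" is also a stock Windows XP entry name,
# so the values are printed for comparison rather than treated as proof on their own.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll'
if (Test-Path -LiteralPath $notify) {
    $n = Get-ItemProperty -LiteralPath $notify
    $findings += "Notify\cscdll: DllName=$($n.DllName) Startup=$($n.Startup) " +
                 "Asynchronous=$($n.Asynchronous) Impersonate=$($n.Impersonate)"
}

# The page shows System32\Wbem appended to the machine Path. Wbem is on the default
# Path already, so only a repeated entry is reported
# (assumption: a repeat reflects the append described above).
$envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$wbem = "$sys32\Wbem".TrimEnd('\')
$hits = @((Get-ItemProperty -LiteralPath $envKey).Path -split ';' |
          Where-Object { $_.Trim().TrimEnd('\') -ieq $wbem })
if ($hits.Count -gt 1) { $findings += "Path lists $wbem $($hits.Count) times" }

if ($findings.Count) { $findings } else { 'No listed Win32/Delf.RLQ artifacts found.' }
```

The file names unique to this description (pncrt.dll, csvgad.xsl, the LogsWork folder and a cscdll.dll inside Wbem) are the stronger signals; the Notify key and the System32 copy of cscdll.dll need the size comparison to mean anything.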

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 7 URLs. The HTTP protocol is used.

The trojan checks for Internet connectivity by trying to connect to the following servers:


The trojan tries to download several files from the Internet.

The files are then executed.

The files are saved into the following folder:

  • %SystemRoot%\System32\Wbem\LogsWork\

The trojan hooks the following Windows APIs:

  • WlxShutdown (msgina.dll)
