Selected viruses, spyware, and other threats: sorted alphabetically

O
P
Q
R
S
T
U
V
W
X
Y
Z
Glossary

Win32/AutoRun.Delf.HH

Aliases:	Trojan.Win32.Scar.cmjf (Kaspersky), Win32:Rootkit-gen (Avast), Trojan.Gen (Symantec)
Type of infiltration:	Worm
Size:	558080 B
Affected platforms:	Microsoft Windows
Signature database version:	5265 (20100709)

Short description

Win32/AutoRun.Delf.HH is a worm that spreads via removable media. The worm can download and execute a file from the Internet.

Installation

When executed, the worm copies itself into the following location:

%windir%SysRegSrvc.exe (558080 B)

In order to be executed on every system start, the worm sets the following Registry entry:

[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion
Run]
"MSkip" = "%windir%SysRegSrvc.exe"

The following Registry entries are set:

[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion
ExplorerAdvanced]
"SuperHidden" = 0
"ShowSuperHidden" = 0

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following filename:

Start.exe

The following file is dropped in the same folder:

autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Information stealing

The worm collects the following information:

computer name
user name
CPU information

The worm attempts to send gathered information to a remote machine.

Other information

The worm restarts the operating system if there is a window with any of the following strings in the name:

The Wireshark Network Analyzer

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (2) URLs. The HTTP protocol is used.

The worm can download and execute a file from the Internet.