Threat Encyclopedia


Short description
Win32/Delf.NGW installs a backdoor that can be controlled remotely. The file is run-time compressed using PECompact.
Installation
When executed, the trojan copies itself to the following locations:
  • %windir%\msiutil.exe
  • %windir%\system\lprhelp32.dll
  • c:\gameload.dll
The trojan creates the following files:
  • %windir%\kbdfi32.dll (26624 B)
  • c:\ali.html (0 B)
In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run]
    "Microsoft Windows Visual V2.0" = "%windir%\msiutil.exe"
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed
    Components\Microsoft Windows Visual V2.0]
    "StubPath" = "%windir%\msiutil.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
    "Microsoft Windows Visual V2.0" = "%garbage_string%"
The trojan runs the default Internet browser.

The trojan loads and injects the %windir%\kbdfi32.dll library into the following processes:
  • %default_internet_browser%
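The file drops and the two persistence entries listed above are the host-side indicators a responder actually checks for. The following is an added example (not code from the encyclopedia or its authors) that encodes those indicators and runs them against a host snapshot. The snapshot format (a dict of registry values keyed by key path and value name, and a dict of file paths to sizes) is an assumption of the example; the snapshot data itself is constructed for illustration, not real telemetry. On a live Windows host the same check_snapshot() would be fed values read with winreg and os.stat.

```python
"""Offline IOC check for the Win32/Delf.NGW artefacts described on this page.

Added example, not the encyclopedia's own code. Runs against a constructed
host snapshot so it works anywhere; feed it live winreg/os.stat data on a
real Windows host.
"""
from typing import Dict, List, Optional, Tuple

VALUE_NAME = "Microsoft Windows Visual V2.0"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
ACTIVE_SETUP_KEY = (r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
                    + "\\" + VALUE_NAME)
MARKER_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion"
STUB = r"%windir%\msiutil.exe"

# Dropped / downloaded files from the page, with the expected size where the page gives one.
DROPPED_FILES: Dict[str, Optional[int]] = {
    r"%windir%\msiutil.exe": None,
    r"%windir%\system\lprhelp32.dll": None,
    r"c:\gameload.dll": None,
    r"%windir%\kbdfi32.dll": 26624,
    r"c:\ali.html": 0,
    r"%windir%\stclient.ini": None,   # only present if the HTTP download succeeded
}

RegistrySnapshot = Dict[Tuple[str, str], str]   # (key path, value name) -> data
FileSnapshot = Dict[str, int]                   # path -> size in bytes


def expand(path: str, windir: str) -> str:
    """Expand %windir% and normalise case so paths compare reliably."""
    return path.replace("%windir%", windir).lower()


def check_snapshot(registry: RegistrySnapshot, files: FileSnapshot,
                   windir: str = r"C:\Windows") -> List[str]:
    """Return human-readable findings; an empty list means no indicator matched."""
    findings: List[str] = []
    present = {p.lower(): size for p, size in files.items()}
    stub = expand(STUB, windir)

    for path, expected_size in DROPPED_FILES.items():
        full = expand(path, windir)
        if full in present:
            note = ""
            if expected_size is not None and present[full] != expected_size:
                note = f" (size {present[full]}, expected {expected_size})"
            findings.append(f"file: {full}{note}")

    # Persistence 1: the HKCU Run value pointing at the dropped executable.
    data = registry.get((RUN_KEY, VALUE_NAME))
    if data is not None and data.lower() == stub:
        findings.append(f"run-key: {RUN_KEY}\\{VALUE_NAME} = {data}")

    # Persistence 2: Active Setup StubPath. Windows runs a StubPath once for
    # every user profile at logon, so removing only the Run value leaves this
    # path to re-execute msiutil.exe for other accounts on the machine.
    data = registry.get((ACTIVE_SETUP_KEY, "StubPath"))
    if data is not None and data.lower() == stub:
        findings.append(f"active-setup: StubPath = {data}")

    # Infection marker: its data is a garbage string, so match on the value name only.
    if (MARKER_KEY, VALUE_NAME) in registry:
        findings.append(f"marker: {MARKER_KEY}\\{VALUE_NAME}")

    return findings


# Constructed snapshot of an infected host (illustrative values, not real telemetry).
INFECTED_REGISTRY: RegistrySnapshot = {
    (RUN_KEY, VALUE_NAME): r"C:\Windows\msiutil.exe",
    (ACTIVE_SETUP_KEY, "StubPath"): r"C:\Windows\msiutil.exe",
    (MARKER_KEY, VALUE_NAME): "q8#Kz!v2",          # stand-in for %garbage_string%
    (RUN_KEY, "SecurityHealth"): r"C:\Windows\system32\SecurityHealthSystray.exe",
}
INFECTED_FILES: FileSnapshot = {
    r"C:\Windows\msiutil.exe": 151040,             # sizes other than kbdfi32.dll/ali.html are made up
    r"C:\Windows\system\lprhelp32.dll": 151040,
    r"C:\gameload.dll": 151040,
    r"C:\Windows\kbdfi32.dll": 26624,
    r"C:\ali.html": 0,
    r"C:\Windows\explorer.exe": 4980000,
}

# Constructed snapshot of a clean host: the same benign entries, no indicators.
CLEAN_REGISTRY: RegistrySnapshot = {
    (RUN_KEY, "SecurityHealth"): r"C:\Windows\system32\SecurityHealthSystray.exe",
}
CLEAN_FILES: FileSnapshot = {r"C:\Windows\explorer.exe": 4980000}

if __name__ == "__main__":
    for line in check_snapshot(INFECTED_REGISTRY, INFECTED_FILES):
        print(line)
```

The Active Setup check is the one worth keeping in mind during cleanup: Windows executes a component's StubPath once per user profile at logon, so deleting only the HKCU Run value removes persistence for the current user while the HKLM Installed Components key reinstalls it for every other account that logs on. Remove both, and then look for the injected kbdfi32.dll in the browser process before declaring the host clean.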
Other information
The backdoor receives data and commands from a remote computer or the Internet. It contains a list of six URLs.

It tries to download a file from these addresses over HTTP. The file is stored in the following folder:
  • %windir%
If the download succeeds, the file is saved under the following name:
  • stclient.ini
It can perform the following operations:
  • download files from a remote computer and/or Internet
  • run executable files
  • terminate running processes
  • delete files
It can send information about the infected computer to a remote attacker. The following information is collected:
  • user name
  • operating system version
  • malware version