Threat Encyclopedia


Short description
Win32/AutoRun.Delf.CB is a worm that spreads by copying itself into the root folders of available drives.
Installation
When executed, the worm copies itself to the following locations:
  • %windir%\Help\svcnost.exe
  • %commonstartup%\startup1.exe
In order to be executed on every system start, the worm sets the following Registry entry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "sdll32" = "%windir%\Help\svcnost.exe"
The following Registry entries are created:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "ShowSuperHidden" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoFolderOptions" = 1
    "NoFind" = 1
    "NoRun" = 1
The following Registry entries are set:
  • [HKEY_CURRENT_USER\Control Panel\Desktop]
    "ScreenSaveTimeOut" = 2
    "SCRNSAVE.EXE" = "%system%\ssmarque.scr"
  • [HKEY_CURRENT_USER\Control Panel\Screen Saver.Marquee]
Spreading
Win32/AutoRun.Delf.CB is a worm that spreads by copying itself into the root folders of available drives.

The following filenames are used:
  • autorun.exe
  • INSTALL.exe
  • MY DOCUMENTS.exe
  • SEX.exe
  • VM13.exe
  • Zurag.exe
The following file is dropped in the same folder:
  • autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.
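A triage check for the spreading behaviour described above, added here as an example and not taken from the original entry: it inspects one drive root for autorun.inf sitting next to any of the listed file names. The function names and the parsing of launch keys (open, shellexecute, shell\...\command) are assumptions based on the general autorun.inf format, since the entry does not show the file's contents.

```python
import os
import re

# File names the entry lists for the worm's copies (compared case-insensitively).
WORM_NAMES = {"autorun.exe", "install.exe", "my documents.exe",
              "sex.exe", "vm13.exe", "zurag.exe"}
# Launch keys of the general autorun.inf format (assumption: the entry does not
# show what the dropped autorun.inf contains).
LAUNCH_KEY = re.compile(
    r"^\s*(?:open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)


def launched_names(inf_text):
    """Return the listed file names that a launch key in autorun.inf runs."""
    hits = set()
    for line in inf_text.splitlines():
        m = LAUNCH_KEY.match(line)
        if not m:
            continue
        value = m.group(1).lower()
        for name in WORM_NAMES:
            # Match the name as a whole path component, not as a substring.
            if re.search(r'(?:^|[\\/" ])' + re.escape(name) + r'(?:$|[" ])', value):
                hits.add(name)
    return sorted(hits)


def scan_root(root):
    """Check one drive root for autorun.inf next to a listed executable name."""
    entries = {e.lower(): e for e in os.listdir(root)}
    copies = sorted(n for n in WORM_NAMES
                    if n in entries and os.path.isfile(os.path.join(root, entries[n])))
    # An autorun.inf *directory* is a common defensive placeholder, not a hit.
    inf_path = os.path.join(root, entries.get("autorun.inf", "autorun.inf"))
    has_inf = os.path.isfile(inf_path)
    launched = []
    if has_inf:
        with open(inf_path, encoding="latin-1") as fh:
            launched = launched_names(fh.read())
    return {"autorun_inf": has_inf, "copies": copies, "launched": launched,
            # INSTALL.exe and autorun.exe also occur on legitimate media, so the
            # name pair alone is a triage lead; a launch key raises confidence.
            "suspicious": has_inf and bool(copies),
            "high_confidence": bool(set(copies) & set(launched))}
```

Run `scan_root` against the root of each removable or fixed drive, for example `scan_root("E:\\")`, and review any result where `suspicious` is true.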
Other information
The worm displays the following dialog box:
The following programs are terminated:
  • cmd.exe
  • Excel.exe
  • mmc.exe
  • Msconfig.exe
  • notepad.exe
The worm may open the CD/DVD drive.

The worm creates the following files:
  • %system%\RDOCURS.inf
  • c:\res.bat