Threat Encyclopedia


Win32/AutoRun.Delf.CJ

Aliases: Trojan.Win32.Sasfis.tq (Kaspersky), Trojan:Win32/Ircbrute (Microsoft), W32.Spybot.Worm (Symantec)
Type of infiltration: Worm
Size: 1936384 B
Affected platforms: Microsoft Windows
Signature database version: 4160 (20090616)

Short description

Win32/AutoRun.Delf.CJ is a worm that spreads by copying itself into the root folders of available drives. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself into some of the following locations:
  • %programfiles%\Internet Explorer\svchost.exe
  • %profile%\svchost.exe
The worm may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "svchost" = "%programfiles%\Internet Explorer\svchost.exe"
The worm may execute the following commands:
  • %system%\schtasks.exe /Create /SC ONLOGON /TR "%profile%\svchost.exe" /TN svchost /RL HIGHEST
  • %system%\schtasks.exe /RUN /TN "svchost"
This causes the worm to be executed on every system start.

The worm runs the following process:
  • %programfiles%\Internet Explorer\iexplore.exe
The worm creates and runs a new thread with its own program code within the following processes:
  • iexplore.exe

Spreading

Win32/AutoRun.Delf.CJ is a worm that spreads by copying itself into the root folders of available drives.

The following filename is used:
  • Run.exe
The following file is dropped in the same folder:
  • autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.
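The Installation and Spreading sections above list four host artifacts a responder can check for: a Run value named "svchost", a scheduled task named "svchost" whose action is a svchost.exe copy in the profile folder, svchost.exe copies outside System32, and Run.exe beside an autorun.inf in a drive root. The triage helper below is an added example, not ESET code; it reads a constructed inventory (a dict of Run values, scheduled tasks and a drive-root listing, with the environment map supplied explicitly so it runs offline) and reports which of those indicators are present. It generalizes slightly beyond the entry by flagging any svchost.exe that is not the genuine one under System32 or SysWOW64, and by parsing the launch keys of autorun.inf rather than matching one fixed line.

```python
"""Host-triage helper for the persistence and spreading indicators listed
in the Win32/AutoRun.Delf.CJ entry above.

Added example, not ESET code. The inventory format and every sample value
below are constructed for illustration.
"""
import re
from typing import Dict, List

# Indicators taken from the entry: a Run value and a scheduled task both
# named "svchost", svchost.exe copies outside System32, and Run.exe plus
# autorun.inf in a drive root.
SUSPECT_NAME = "svchost"
SUSPECT_DROPPER = "run.exe"
# The genuine svchost.exe lives only here; copies elsewhere are rogue.
LEGIT_SVCHOST_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
# autorun.inf keys that launch a program when media is inserted.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %var% tokens from the supplied environment map."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def executable_of(command: str, env: Dict[str, str]) -> str:
    """Program path of a Run value or task action (quoted or unquoted)."""
    cmd = expand_env(command, env).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: the path runs up to the first ".exe" (copes with "Program Files").
    m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def is_rogue_svchost(exe_path: str) -> bool:
    """True for any svchost.exe that is not the one under System32/SysWOW64."""
    p = exe_path.lower().replace("/", "\\")
    if not p.endswith("\\svchost.exe"):
        return False
    return not any(p.endswith(d + "svchost.exe") for d in LEGIT_SVCHOST_DIRS)


def check_run_values(run_values: Dict[str, str], env: Dict[str, str]) -> List[str]:
    """Flag Run values named 'svchost' or pointing at a rogue svchost.exe."""
    findings = []
    for name, data in run_values.items():
        exe = executable_of(data, env)
        if name.lower() == SUSPECT_NAME or is_rogue_svchost(exe):
            findings.append(f"Run value {name!r} -> {exe}")
    return findings


def check_scheduled_tasks(tasks: List[Dict[str, str]], env: Dict[str, str]) -> List[str]:
    """Flag tasks named 'svchost' or whose action is a rogue svchost.exe."""
    findings = []
    for task in tasks:
        exe = executable_of(task.get("action", ""), env)
        if task.get("name", "").lower() == SUSPECT_NAME or is_rogue_svchost(exe):
            findings.append(f"Task {task.get('name')!r} ({task.get('trigger', '?')}) -> {exe}")
    return findings


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def check_drive_root(files: Dict[str, str]) -> List[str]:
    """files maps each root-level name to its content (only autorun.inf is read)."""
    names = {n.lower(): n for n in files}
    findings = []
    if SUSPECT_DROPPER in names:
        findings.append(f"{names[SUSPECT_DROPPER]} present in drive root")
    if "autorun.inf" in names:
        entries = parse_autorun_inf(files[names["autorun.inf"]])
        for key in LAUNCH_KEYS:
            target = entries.get(key, "").strip('"').split("\\")[-1].split()
            if target and (target[0].lower() in names or target[0].lower() == SUSPECT_DROPPER):
                findings.append(f"autorun.inf {key}={entries[key]} launches {target[0]} from the root")
    return findings


def triage(inventory: dict) -> List[str]:
    """Run all three checks over one host inventory and return the findings."""
    env = inventory.get("env", {})
    return (check_run_values(inventory.get("run_values", {}), env)
            + check_scheduled_tasks(inventory.get("tasks", []), env)
            + check_drive_root(inventory.get("drive_root", {})))


# Constructed sample inventory: the worm's artifacts beside benign entries.
SAMPLE_INVENTORY = {
    "env": {"programfiles": r"C:\Program Files",
            "profile": r"C:\Documents and Settings\user"},
    "run_values": {"svchost": r"%programfiles%\Internet Explorer\svchost.exe",
                   "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe"},
    "tasks": [{"name": "svchost", "action": r"%profile%\svchost.exe", "trigger": "ONLOGON"},
              {"name": "NightlyBackup", "action": r"C:\Tools\backup.exe", "trigger": "DAILY"}],
    "drive_root": {"Run.exe": "<binary not shown>",
                   "autorun.inf": "[autorun]\nopen=Run.exe\nicon=Run.exe,0\n",
                   "Photos": ""},
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```

On a live host the three inputs would come from the HKLM Run key, the task scheduler and a listing of each removable drive's root; the checks themselves do not change. Matching on the value and task name "svchost" as well as on the binary location matters because the worm's file name is chosen to blend in with the genuine System32 service host.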

Other information

The worm may create the following files:
  • %programfiles%\Internet Explorer\iesettings.ceb
The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of addresses. The HTTP and IRC protocols are used.

It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
  • perform DoS/DDoS attacks
  • terminate running processes
  • open a specific URL address
The following information is collected:
  • operating system version
The worm collects information related to the following applications:
  • ICQ
  • Internet Explorer
  • Mozilla Firefox
The worm can send the information to a remote machine.