Threat Encyclopedia


Win32/AutoRun.Delf.EL

Aliases: Packed.Win32.Krap.w (Kaspersky), Worm:Win32/SillyShareCopy.gen (Microsoft), Generic16.AOWX (AVG)
Type of infiltration: Worm
Size: 175104 B
Affected platforms: Microsoft Windows
Signature database version: 4742 (20100104)

Short description

Win32/AutoRun.Delf.EL is a worm that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. The file is run-time compressed using UPX.

Installation

When executed, the worm creates the following files:
  • %temp%\%random%.dll (131072 B)
A string with variable content is used instead of %random%.

The worm can create copies of itself as an ADS (Alternate Data Stream) of the following files:
  • %windir%\Cursors\*.*
  • %windir%\Fonts\*.*
  • %windir%\Help\*.*
  • %windir%\Inf\*.*
  • %windir%\system32\*.*
  • %windir%\system32\dllcache\*.*
  • %windir%\system32\wbem\*.*
It avoids files with the following extensions:
  • .exe
  • .com
  • .dll
  • .sys
  • .pif
  • .scr
  • .bat
The worm executes the following commands:
  • %system%\rundll32.exe %windir%\temp\%random%,Install
  • %system%\rundll32.exe %windir%\temp\%random%,Open
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs" = "%filepath%"
The %filepath% is one of the following strings:
  • %windir%\Cursors\*.*:%variable%
  • %windir%\Fonts\*.*:%variable%
  • %windir%\Help\*.*:%variable%
  • %windir%\Inf\*.*:%variable%
  • %windir%\system32\*.*:%variable%
  • %windir%\system32\dllcache\*.*:%variable%
  • %windir%\system32\wbem\*.*:%variable%
A string with variable content is used instead of %variable%.

This causes the worm to be executed on every application start.
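A triage check for the AppInit_DLLs persistence described above, together with the other registry values listed in this section, run over a registry export. This is an added example, not part of the original write-up; it assumes the export has already been decoded to text in .reg format, and the sample data and all function names are constructed for illustration.

```python
import re

SR = r"software\policies\microsoft\windows nt\systemrestore"
POL = r"software\microsoft\windows\currentversion\policies\system"
ADV = r"software\microsoft\windows\currentversion\explorer\advanced"
APPINIT = r"software\microsoft\windows nt\currentversion\windows"
HJT = r"software\trendmicro\hijackthis"
# DWORD values this write-up says the worm sets: key -> {value name: value}
BAD = {SR: {"disablesr": 1, "disableconfig": 1},
       POL: {"disableregistrytools": 1, "disabletaskmgr": 1},
       ADV: {"showsuperhidden": 0}}

def parse_reg(text):
    """Parse .reg export text into {key: {value name: value}}, names lowercased."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'"(.+?)"=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif m and cur is not None and m.group(2).startswith("dword:"):
            cur[m.group(1).lower()] = int(m.group(2)[6:], 16)
        elif m and cur is not None and m.group(2).startswith('"'):
            cur[m.group(1).lower()] = m.group(2)[1:-1].replace("\\\\", "\\")
    return keys

def is_ads(path):
    """A colon anywhere past an optional drive prefix means 'file:stream'."""
    return ":" in re.sub(r"^[A-Za-z]:", "", path)

def find_indicators(text):
    hits = []
    for key, vals in parse_reg(text).items():
        sub = key.partition("\\")[2]          # drop the hive name
        hits += [f"{n}={v}" for n, v in BAD.get(sub, {}).items() if vals.get(n) == v]
        if sub == APPINIT:                    # any entry merits review; ADS ones most
            for dll in filter(None, re.split(r"[ ,]+", str(vals.get("appinit_dlls", "")))):
                hits.append(("appinit_ads:" if is_ads(dll) else "appinit_set:") + dll)
        if sub == HJT:                        # HijackThis told to hide the O20 line
            hits += [f"hijackthis_ignore:{n}" for n, v in vals.items()
                     if n.startswith("ignore") and "appinit_dlls" in str(v).lower()]
    return hits

# Constructed sample export (not taken from a real host).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\Fonts\\arial.ttf:xk3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\HijackThis]
"Ignore1"="O20 - AppInit_DLLs: C:\\Temp\\a.dll"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''
print("\n".join(find_indicators(SAMPLE)))
```

An AppInit_DLLs entry that names a stream (`file:stream`) is the strongest signal here, since legitimate software does not load DLLs from alternate data streams.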

The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
    "DisableConfig" = 1
    "DisableSR" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\HijackThis]
    "Ignore1" = "O20 - AppInit_DLLs: %temp%\%random%.dll"
    "IgnoreNum" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "ShowSuperHidden" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableRegistryTools" = 1
    "DisableTaskMgr" = 1

Other information

The worm terminates any program that creates a window containing any of the following strings in its name:
  • 3649
  • 4171
  • 4460
  • Ad-Aware
  • AhnLab
  • antimalvare
  • Anti-Malware
  • Antispyware
  • Antivirus
  • AnVir
  • a-squared
  • Auto update
  • AutoRuns
  • AutoStart
  • avast
  • AVG
  • AVIRA
  • AVZ
  • BitDefender
  • cmd.exe
  • DefenseWall
  • Download Master
  • Dr.Web
  • eKAV
  • ESET
  • far
  • F-PROT
  • F-Secure
  • G Data
  • GMER
  • HiJack
  • HijackThis
  • Internet Security
  • K7TotalSecurity
  • Kaspersky
  • LiveInstall
  • LiveUpdate
  • log
  • malware
  • Malwarebytes
  • Manipulation
  • McAfee
  • NOD32
  • OSAM
  • Outpost
  • PC Tools
  • Process Explorer
  • Process Monitor
  • Process Viewer
  • PTstartmon
  • Quick Heal
  • Regedit
  • Removal
  • rootkit
  • Security
  • SMS
  • Spyware
  • spyware
  • Startup
  • Sysinternals
  • Termination
  • Total Commander
  • Trend
  • TrendMicro
  • trojan
  • Vba32
  • VIPRE
  • virus
  • VirusTotal
  • WinLock
  • x-Core
  • Zillya
The worm may delete the following files:
  • a2exec64.sys
  • a2guard.exe
  • a2HiJackFree.exe
  • a2hijackfree.exe
  • a2scan.exe
  • a2service.exe
  • a2upd.exe
  • a2update.dll
  • Aavm4h.dll
  • AavmGuih.dll
  • aavmker4.sys
  • AavmRpch.dll
  • acaif.exe
  • ACAPPAA.EXE
  • ACNLibDy.dll
  • actskin4.ocx
  • ACTXMOD.DLL
  • Ad-Aware.exe
  • ADkrnl.dll
  • aecore.dll
  • aeoffice.dll
  • aepack.dll
  • aescript.dll
  • afm.dll
  • AFMain.exe
  • AFNotInt.dll
  • AFNotSys.dll
  • AFOLUi.dll
  • AFQuaVw.exe
  • afw.sys
  • afwcon.exe
  • afwcore.sys
  • afwmod.exe
  • AhAScr.dll
  • AhJsctNs.dll
  • AhnI18n.dll
  • AhnSD.exe
  • AhnSDsv.exe
  • AhResJs.dll
  • AhResMai.dll
  • AhResOut.dll
  • ahResP2P.dll
  • AhResWS.dll
  • AhRuiJs.dll
  • AlfaFF.sys
  • AMEHEVN.DLL
  • AMonLWLH.sys
  • anftdird.sys
  • antispam.dll
  • AntiSpamGUI.ISPlugin.dll
  • antispy.dll
  • antivirus.dll
  • AnVir.exe
  • AnvirHook53.dll
  • AnvirRunServ.exe
  • aplhandler.dll
  • apm.dll
  • apm.exe
  • Appflt.sys
  • ArfMon.dll
  • ArfMonNt.sys
  • Arrakis3.exe
  • asapsdk.dll
  • ASCLSRVC.EXE
  • AScontrol.exe
  • ashAvast.exe
  • ashBase.dll
  • ashBug.exe
  • ashCnsnt.exe
  • ashChest.dll
  • ashChest.exe
  • ashMaiSv.exe
  • ashOutXt.dll
  • ashServ.exe
  • ashShA64.dll
  • ashSimp2.exe
  • ashSODBC.dll
  • ashTask.dll
  • ashUInt.dll
  • ashUpd.exe
  • ashWebSv.exe
  • ASK.exe
  • AskOut.dll
  • ASMAIN.EXE
  • ASndMail.dll
  • asp_ipc.dll
  • asp_srv.exe
  • ASPLYSCN.DLL
  • asppp.dll
  • ASSCAN.DLL
  • Assoc.cmd
  • aswBoot.exe
  • aswclnr.exe
  • aswCmnB.dll
  • aswCmnOS.dll
  • aswEngin.dll
  • ASWFilt.dll
  • aswFsBlk.sys
  • aswmon.sys
  • aswmon2.sys
  • aswMonDS.sys
  • aswRdr.sys
  • aswRegSvr.exe
  • aswRunDll.exe
  • aswScan.dll
  • aswSP.sys
  • aswTdi.sys
  • aswUpdSv.exe
  • ASZClean.dll
  • ASZFltNt.sys
  • ASZMedic.dll
  • athpexnt.sys
  • Auto-RC.cmd
  • autoruns.exe
  • autorunsc.exe
  • av.vbs
  • avadmin.exe
  • avarkt.dll
  • AvastSS.scr
  • AVASTSS.scr
  • AVCAILIB.DLL
  • avcenter.exe
  • avesvc.dll
  • avesvcr.dll
  • avevtrc.dll
  • avfwim.sys
  • avfwot.sys
  • avfwres.dll
  • avfwsvc.exe
  • avgam.exe
  • avgameh.dll
  • avgamnot.dll
  • avgcclix.dll
  • avgcsrvx.exe
  • avgdumpx.exe
  • avgfwda.sys
  • avgfwdx.sys
  • avgfws8.exe
  • AVGIDSDriver.sys
  • AVGIDSErHr.sys
  • AVGIDSFilter.sys
  • AVGIDSShim.sys
  • avgio.sys
  • avgio64.sys
  • avgiproxy.exe
  • avgmail.dll
  • avgmvflx.dll
  • avgnt.exe
  • avgntdd.sys
  • avgntflt.sys
  • avgntmgr.sys
  • avgrsx.exe
  • avgscanx.dll
  • avgscanx.exe
  • avgse.dll
  • avgsched.dll
  • avgspmui.dll
  • avgsrmax.exe
  • avgstrmx.exe
  • avgsystx.exe
  • avguard.exe
  • avinet.dll
  • avipbb.sys
  • avipc.dll
  • avirarkd.exe
  • AVK.exe
  • AVKBackupGUI.exe
  • AVKBackupService.exe
  • AVKExchd.dll
  • AvkHttp.dll
  • AVKIM.dll
  • avkimap.dll
  • avkims.exe
  • AvkMail.dll
  • avkpop3.dll
  • AVKProxy.exe
  • AVKScanJobC.dll
  • AVKService.exe
  • avksmtp.dll
  • AVKTray.exe
  • AVKTunerService.exe
  • AVKWCtl.exe
  • avkwscpe.exe
  • AVLUReg.dll
  • avmailc.exe
  • avmailcr.dll
  • avmcdlg.exe
  • avnotify.dll
  • avnotify.exe
  • Avp_io32.dll
  • avp_iont.dll
  • avperf.dll
  • avpfpi0.dll
  • avscan.dll
  • avscan.exe
  • avsda.dll
  • avservice.exe
  • AVSSHOOK.dll
  • avupgsvc.exe
  • avwebgrd.exe
  • avwinll.dll
  • avwsc.exe
  • avz.exe
  • avzkrnl.dll
  • AZMain.dll
  • bdfltlib.dll
  • bdfm.sys
  • bdfsfltr.sys
  • bdGUICtl.dll
  • bdch.dll
  • bdmcon.dll
  • bdpop3p.dll
  • bdreinit.exe
  • bdselfpr.sys
  • BDSurvey.exe
  • blkpst32.exe
  • BOOT.DRV
  • boot.udb
  • bpsrvc.dll
  • bpsvc.exe
  • CABSDK.DLL
  • catflt.sys
  • ccbackup.dll
  • ccfwgnt.dll
  • ccguard.dll
  • ccmguard.dll
  • ccquarc.dll
  • ccRtkLuM.dll
  • ccupdate.dll
  • cfdata3.dll
  • cfilter3.dll
  • ckahcomm.dll
  • ckahrule.dll
  • ckahstat.dll
  • ckahum.dll
  • cleanIELow.exe
  • cltUAC.exe
  • COH_Mon.sys
  • COH32.exe
  • COH64.exe
  • Combobatch.bat
  • ComboFix.exe
  • combofix.exe
  • Combo-Fix.exe
  • Combo-Fix.sys
  • CONIO.SYS
  • cryptocme2.dll
  • csscan.exe
  • cssexc.exe
  • dbokfui.dll
  • defensewall.exe
  • defensewall_serv.exe
  • delaydel.exe
  • DelClsid.bat
  • diffs.dll
  • DllCtrl.exe
  • dllhook.dll
  • DMON.dll
  • DRMLUReg.dll
  • drv.sys
  • DrvCrypt.sys
  • drvctl.exe
  • drvins32.exe
  • drwadins.exe
  • drwdemo.key
  • drweb32.dll
  • DrWeb32w.exe
  • drwebsp.dll
  • DrWebUpW.exe
  • drwebwcl.exe
  • dsaflt.sys
  • dumphive.cfxxe
  • dwall.dll
  • dwall.sys
  • dwall_ext.dll
  • dwall_service.dll
  • dwebio16.dll
  • dwebio32.dll
  • dwengine.exe
  • dwinctl.dll
  • dwprot.dll
  • dwprot.sys
  • eamon.sys
  • ecls.exe
  • ecmd.exe
  • eeclnt.exe
  • EECTRL.SYS
  • EECTRL64.SYS
  • eguiAmon.dll
  • eguiDmon.dll
  • eguiEmon.dll
  • eguiEpfw.dll
  • eguiMailPlugins.dll
  • eguiProduct.dll
  • eguiScan.dll
  • eguiUpdate.dll
  • ehdrv.sys
  • EHttpSrv.exe
  • ekrn.exe
  • ekrnAmon.dll
  • ekrnDmon.dll
  • ekrnEmon.dll
  • ekrnEpfw.dll
  • ekrnMailPlugins.dll
  • ekrnScan.dll
  • ekrnUpdate.dll
  • EMGSCAN.EXE
  • EMLTDI.SYS
  • ENG64.SYS
  • epfwtdir.sys
  • eplgHooks.dll
  • eplgOE.dll
  • eplgOEEmon.dll
  • eplgOutlook.dll
  • eplgOutlookEmon.dll
  • eplgTbEmon.dll
  • ERASER.SYS
  • ERASER64.SYS
  • ERUNT.EXE
  • EX64.SYS
  • extract.cfxxe
  • far.exe
  • feedback.exe
  • filehlpr.dll
  • fileobjinfo.sys
  • FILESDK.DLL
  • FILEWRAP.DLL
  • FirewallGUI.ISPlugin.dll
  • FirewallPlugin.dll
  • FirewallWrapper.dll
  • FIXLSP.bat
  • fldrvw2008.ocx
  • fnetmon.sys
  • fpavofficeie.dll
  • FPAVServer.exe
  • fpoutavext.dll
  • fpscan.exe
  • fpshx64.dll
  • fptrayproc.exe
  • FPWin.exe
  • fsample.exe
  • fsavstrt.exe
  • fsavunin.dll
  • fsavwscr.exe
  • fsavwsch.exe
  • fsecr32.dll
  • fsepx32.dll
  • fsfilter.sys
  • fsgk.sys
  • fsgk_x64.sys
  • fsgk_x64_sig.sys
  • fsgk32.exe
  • fsgk32st.exe
  • fspsmon.dll
  • fsqh.exe
  • fsrec.sys
  • fssubmit.dll
  • fssync.dll
  • fstopw.cat
  • FStopW.sys
  • fsupcx32.dll
  • fsupmw32.dll
  • fsupwu32.dll
  • fsvista.sys
  • fsvista_x64.sys
  • fsvista_x64_sig.sys
  • fwinst.exe
  • GDASpam.dll
  • GdDeepAnalyse.dll
  • GDFirewallTray.exe
  • GDNdisIc.sys
  • GDScan.exe
  • GDTdiIcpt.sys
  • GEARAspiWDM.sys
  • get.exe
  • get5.exe
  • get6.exe
  • get7.exe
  • get8.exe
  • get9.exe
  • getsi.dll
  • gmer.exe
  • grep.cfxxe
  • guardgui.exe
  • guardmsg.dll
  • hidec.exe
  • HijackThis.exe
  • hijackthis.log
  • HookCentre.sys
  • hookinst.exe
  • htmlayout.dll
  • CHMSCAN.DLL
  • IADkrnl.dll
  • idsflt.sys
  • IDSviA64.sys
  • IDSvix86.sys
  • ie_bar.dll
  • ievkbd.dll
  • inethlpr.dll
  • instcat.exe
  • is-BMK19.com
  • is-BMK19.exe
  • ISFWENt.sys
  • ISIPSENt.sys
  • ISNcPxCt.dll
  • ISPIBENt.sys
  • ISPrxENT.sys
  • ISTrkENt.sys
  • ISUtEvVa.dll
  • IWPLUReg.dll
  • K7APCExt.dll
  • K7AVCExt.dll
  • K7AVEvnt.dll
  • K7AVLExt.dll
  • K7AVMScn.dll
  • K7AVOApi.dll
  • K7AVOptn.dll
  • K7AVScan.exe
  • K7AVWScn.dll
  • K7CmnRes.dll
  • K7FWCExt.dll
  • K7FWFilt.Sys
  • K7FWHlpr.sys
  • K7FWSrvc.exe
  • K7GenSys.dll
  • K7O2Plgn.dll
  • K7PSSExt.dll
  • K7PSSrvc.exe
  • K7PSWSEn.dll
  • K7Sentry.sys
  • K7SpmSrc.exe
  • K7SysMn1.dll
  • K7SysMon.Exe
  • K7TdiHlp.sys
  • K7TSAlrt.exe
  • K7TSecurity.exe
  • K7TSHelp.dll
  • K7TSMain.exe
  • K7TSMngr.exe
  • K7TSSExt.dll
  • K7TSSplh.exe
  • K7TSUpdT.dll
  • K7TSUpdT.exe
  • K7UI.Dll
  • K7WinCmp.dll
  • K7WSLsp.dll
  • KDSAppEvent.dll
  • KDSInterface.dll
  • Kill-All.cmd
  • kl1.sys
  • klbg.sys
  • kldirobj.dll
  • klfltdev.sys
  • klif.sys
  • klim5.sys
  • klipc.dll
  • kloehk.dll
  • klogon.dll
  • klscav.dll
  • klthbplg.dll
  • knlps.exe
  • knlps.sys
  • LocalServiceNetworkRestricted.dat
  • LocalSystemNetworkRestricted.dat
  • log_converter.dll
  • MailClientLib.dll
  • mapiaddr.exe
  • MAPIEDK.dll
  • mbam.dll
  • mbam.exe
  • mbam.sys
  • mbamservice.exe
  • mbamswissarmy.sys
  • mcadmin.exe
  • McAVDetect.DLL
  • McAVSCV.DLL
  • mcouas.dll
  • mcscan32.dll
  • McScanCheck.exe
  • McTray.exe
  • memory.udb
  • mfeann.exe
  • mfeapfk.sys
  • mfeavfk.sys
  • mfebopk.sys
  • mfeCmnLib71.dll
  • mfecurl.dll
  • mfehidin.exe
  • mfehidk.sys
  • mferkda.dll
  • mferkdet.sys
  • mfetdik.sys
  • MimeSniffer.dll
  • MiniIcpt.sys
  • minst.exe
  • mkisofs.exe
  • MpAsDesc.dll
  • MpClient.dll
  • MpFilter.sys
  • mpnwmon.sys
  • MpSvc.dll
  • MSFilter.dll
  • MsMpCom.dll
  • MSOLKScn.dll
  • MSRegExp.dll
  • mytilus3_server_process.exe
  • NAVENG.SYS
  • NAVENG.VXD
  • NAVEX15.SYS
  • NAVEX15.VXD
  • NavShcom.exe
  • Navw32.exe
  • Navwnt.exe
  • NCDaemon.exe
  • NCScan.dll
  • Netfltdi.sys
  • NETI1634.sys
  • netsvc.vista.dat
  • netsvc.xp.dat
  • NircmdB.exe
  • nisoptui.exe
  • nmapapp.exe
  • NTREGOPT.EXE
  • NVSCNSDK.DLL
  • oe_mail.dll
  • oe_mydb.dll
  • oehook.dll
  • onaccess_client_mod.dll
  • onaccess_disp_mod.dll
  • op_cmn.dll
  • op_gui.dll
  • op_import.dll
  • op_install.dll
  • op_mail.dll
  • op_mon.exe
  • op_shell.dll
  • OSid.vbs
  • OSVIL.dll
  • OtlkScan.dll
  • pavboot.sys
  • pavboot64.sys
  • PAVDRV51.SYS
  • PCTAppEvent.sys
  • pctaveng.dll
  • PCTCFFix.exe
  • PCTCFHook.dll
  • PCTCore.sys
  • PCTFW.exe
  • pctfw.sys
  • pctgntdi.sys
  • PCTLsp.dll
  • pctplfw.sys
  • pctplsg.sys
  • pctsAuxs.exe
  • PCTSDInj32.sys
  • PCTSecUtility.dll
  • pctsGui.exe
  • pctsSvc.exe
  • pctsTray.exe
  • pec32.exe
  • pifCrawl.exe
  • PIFSvc.exe
  • PluginDllFW.dll
  • PREVXCSIFREE.exe
  • prloader.dll
  • procexp.exe
  • Procmon.exe
  • ProcViewer.exe
  • prremote.dll
  • PSSCAN.DLL
  • PTstartmon.exe
  • QtnMaint.dll
  • QtnMaint.exe
  • RCSCAN.DLL
  • Reg LWT Scan.exe
  • reglwtscan.zip
  • RegScan.cmd
  • RegScan64.cmd
  • RKPavProc.sys
  • RKPavProc64.sys
  • RootkitRevealer.exe
  • rscdwld.exe
  • RunThis.bat
  • safeboot.dat
  • safeboot.def.dat
  • safeboot.def.vista.dat
  • Safeboot.def.w7.dat
  • SandBox.sys
  • SandboxieBITS.exe
  • SandboxieCrypto.exe
  • SBAMCommandLineScanner.exe
  • SBAMCreateRestore.exe
  • SBAMOutlook.dll
  • SBAMSafeModeUI.exe
  • SBAMSvc.exe
  • SBAMSvcPS.dll
  • sbamwsc.exe
  • sbaphd.sys
  • sbapifs.sys
  • sbapifsl.sys
  • SBArva.dll
  • sbbd.exe
  • SbieDrv.sys
  • SbieMsg.dll
  • SbieSvc.exe
  • SBTIS.sys
  • sc_disp_mod.dll
  • scan32.exe
  • SCANABT.DLL
  • SCANAPI.DLL
  • scannercom_client_mod.dll
  • scannercom_disp_mod.dll
  • SCANOPT.DLL
  • SCANRES.DLL
  • Scanscr.dll
  • SCANSDK.DLL
  • SCANSET.DLL
  • SCANSTS.DLL
  • SCANTLS.DLL
  • SCANWSCS.EXE
  • scmhlpr.dll
  • SDAVgate.dll
  • sdcore.dll
  • SDFix.exe
  • sdinvoker.exe
  • sdloader.exe
  • sdra64.exe
  • SecureFrameworkFactory3.dll
  • security_client_mod.dll
  • security_disp_mod.dll
  • SetEnvmt.bat
  • SetIntegrity.exe
  • SfCtlCom.exe
  • SfFnWSC.exe
  • SMEngine.dll
  • SmitfraudFix.exe
  • SMPlugin.dll
  • sp_rsdel.exe
  • sp_rsdrv2.sys
  • sp_rsser.exe
  • spider.sys
  • SpIDerAgent.exe
  • SpIDerAgent_set.exe
  • spidergate.exe
  • spidergate_set.exe
  • SpIDerMl.exe
  • spidernt.exe
  • spiderui.exe
  • SpOrder.Dll
  • SpursDownload.dll
  • SpyProDll.dll
  • SpyProtector.exe
  • SpywareTerminator.exe
  • SpywareTerminatorShield.Exe
  • SSAutoRN.exe
  • ssmdrv.sys
  • startup.exe
  • SUpdate.exe
  • svc_wht.dat
  • swreg.exe
  • SYMCUW.exe
  • SymIDSco.sys
  • SysInspector.exe
  • SysRescue.exe
  • Tcpvcon.exe
  • Tcpview.exe
  • tdiins.exe
  • TisScan.exe
  • tm_cfw.sys
  • tmactmon.sys
  • TMBMSRV.exe
  • tmcomm.sys
  • tmevtmgr.sys
  • TMLWF.sys
  • tmlwfins.exe
  • TmPfw.exe
  • tmpreflt.sys
  • tmtdi.sys
  • TMWFP.sys
  • tmwfpins.exe
  • tmxpflt.sys
  • tsc.exe
  • TSRemove.exe
  • TSUpgAgt.exe
  • UdaterUI.exe
  • UfNavi.exe
  • UfUpdUi.exe
  • ujixndew.sys
  • UmInject32.exe
  • unamnt.sys
  • Unamnt4.sys
  • UniversalDD.sys
  • updater_client_mod.dll
  • updater_disp_mod.dll
  • UpdateSubSys.Dll
  • V3hunt.dll
  • V3Inet.dll
  • V3INet2.dll
  • Vba32Act.exe
  • Vba32ADS.exe
  • Vba32ar.dll
  • Vba32dNT.sys
  • vba32ecm.dll
  • Vba32Prot.sys
  • vba32sck.dll
  • vba32shl.dll
  • Vba32Stg.dll
  • Vba32w.dll
  • vbaifps.dll
  • vbengnt.dll
  • VBEngNT.sys
  • VBFilt.dll
  • VBSSCAN.DLL
  • vdbupdate.dll
  • VIRINFO.DLL
  • VIRSTAT.DLL
  • virusinfo_syscheck.htm
  • virusinfo_syscheck.xml
  • virusinfo_syscheck.zip
  • VirusTotalUpload.exe
  • VsapiNT.sys
  • VXDSCAN.DLL
  • wl_hook.dll
  • wnmflt.sys
  • WORMSCAN.DLL
  • wslib.dll
  • XceedZip.dll
  • xCorePc.dll
  • xCoreScan.exe
  • xCoreScan32.exe
  • xInitCorePC.exe
  • xpbar.dll
  • xUpdate.exe
  • YCryptp.dll
  • zcontextmenu.dll
  • ZFMSYS.sys
  • zillya.exe
  • zofficescn.dll
  • ZOOSCAN.DLL
  • *.log
  • *.lcnt
  • *.llrm
  • *.lsig
  • *.lvdb
  • *.lscd
  • *.lavg
  • *.lavp
  • *.ldws
  • *.lavc
  • *.lcvd
  • *.lDsm
  • *.lkdc
  • *.lppl
  • *.lnup
  • *.ldwl
  • *.lavz
  • *.ldta
  • *.lblockpost
Win32/AutoRun.Delf.EL is a worm that blocks access to the Windows operating system.

The worm displays fake warnings about threats detected on the compromised computer that need to be removed.

The problems/threats are fake.

To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password.