Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically


Aliases:Win32.HLLW.Autoruner.23539 (Dr. Web), BackDoor.Delf.DDJ (AVG) 
Type of infiltration:Worm  
Size:1043968 B 
Affected platforms:Microsoft Windows 
Signature database version:5236 (20100629) 

Short description

Win32/AutoRun.Delf.HA is a worm that spreads via removable media. The worm serves as a backdoor. It can be controlled remotely. The worm sends requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.


When executed, the worm copies itself into the following location:
  • C:Brand.exe
In order to be executed on every system start, the worm sets the following Registry entry:
  • [HKEY_LOCAL_MACHINESowftwareMicrosoftWindowsCurrentVersion
    "BrandPack" = "C:Brand.exe"

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following filename:
  • %drive%Brand.exe (1043968 B)
The worm creates the following file:
  • %drive%autorun.inf (*.DLL PE32, 14400 B)
The worm may delete files stored in the following folders:
  • %drive%AUTORUN.INF

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (1) URLs. The worm opens UDP port 2171.

It can execute the following operations:
  • retrieve CPU information
  • download files from a remote computer and/or the Internet
  • run executable files
  • open a specific URL address
The worm may create the following files:
  • C:funk (12 MB)
  • C:MKFNK.EXE (2288 B)
  • C:Click.exe (436736 B)