Threat Encyclopedia

Win32/AutoRun.Delf.HA

Aliases: Win32.HLLW.Autoruner.23539 (Dr. Web), BackDoor.Delf.DDJ (AVG)
Type of infiltration: Worm
Size: 1043968 B
Affected platforms: Microsoft Windows
Signature database version: 5236 (20100629)

Short description

Win32/AutoRun.Delf.HA is a worm that spreads via removable media. The worm serves as a backdoor and can be controlled remotely. It sends requests that simulate clicks on banner advertisements, inflate web counter statistics, etc.

Installation

When executed, the worm copies itself into the following location:
  • C:\Brand.exe
In order to be executed on every system start, the worm sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\Sowftware\Microsoft\Windows\CurrentVersion\Run]
    "BrandPack" = "C:\Brand.exe"

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following filename:
  • %drive%\Brand.exe (1043968 B)
The worm creates the following file:
  • %drive%\autorun.inf (*.DLL PE32, 14400 B)
The worm may delete files stored in the following folders:
  • %drive%\AUTORUN.INF
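
A triage check for the removable-media artifacts listed above, as an added example that is not part of the original entry: it flags an autorun.inf that parses as a PE image and files whose size matches the listed values. The function names and the constructed sample stub are assumptions for illustration; a size match alone is only a hint.

```python
import os
import struct

# File names and sizes as listed in the description above.
EXPECTED_SIZES = {"brand.exe": 1043968, "autorun.inf": 14400}
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag
PE32_MAGIC = 0x10B       # optional-header magic of a 32-bit image


def pe_kind(head):
    """Classify leading file bytes as 'PE32 DLL', 'PE32', 'PE' or None."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    if e_lfanew + 26 > len(head) or head[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Characteristics is the last COFF field; the optional-header magic follows it.
    characteristics, magic = struct.unpack_from("<HH", head, e_lfanew + 22)
    if magic != PE32_MAGIC:
        return "PE"
    return "PE32 DLL" if characteristics & IMAGE_FILE_DLL else "PE32"


def scan_drive_root(root):
    """Return sorted (file name, reason) findings for one drive root."""
    findings = []
    for name in os.listdir(root):
        path, key = os.path.join(root, name), name.lower()
        if key not in EXPECTED_SIZES or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            kind = pe_kind(fh.read(4096))
        if key == "autorun.inf" and kind:
            findings.append((name, f"{kind} image where a text file is expected"))
        if os.path.getsize(path) == EXPECTED_SIZES[key]:
            findings.append((name, "size matches the description"))
    return sorted(findings)


def constructed_stub():
    """Constructed sample: 14400 zero bytes carrying only PE32 DLL header fields."""
    stub = bytearray(14400)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)
    stub[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", stub, 0x80 + 22, IMAGE_FILE_DLL, PE32_MAGIC)
    return bytes(stub)
```

Call `scan_drive_root` with the root path of each mounted removable volume; an empty list means none of the listed file names matched.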

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (1) URLs. The worm opens UDP port 2171.

It can execute the following operations:
  • retrieve CPU information
  • download files from a remote computer and/or the Internet
  • run executable files
  • open a specific URL address
The worm may create the following files:
  • C:\funk (12 MB)
  • C:\MKFNK.EXE (2288 B)
  • C:\Click.exe (436736 B)