Threat Encyclopedia

Win32/AutoRun.Delf.HH

Aliases: Trojan.Win32.Scar.cmjf (Kaspersky), Win32:Rootkit-gen (Avast), Trojan.Gen (Symantec)
Type of infiltration: Worm
Size: 558080 B
Affected platforms: Microsoft Windows
Signature database version: 5265 (20100709)

Short description

Win32/AutoRun.Delf.HH is a worm that spreads via removable media. The worm can download and execute a file from the Internet.

Installation

When executed, the worm copies itself into the following location:
  • %windir%\SysRegSrvc.exe (558080 B)
In order to be executed on every system start, the worm sets the following Registry entry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSkip" = "%windir%\SysRegSrvc.exe"
The following Registry entries are set:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "SuperHidden" = 0
    "ShowSuperHidden" = 0

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following filename:
  • Start.exe
The following file is dropped in the same folder:
  • autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.
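A triage check for the installation and removable-media indicators described above, as an added example that is not part of the original entry or of any vendor tool. The function names and the sample Run data are assumptions made for illustration; the value name, file names and size come from this page.

```python
import os

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "mskip"                 # Run value name from the page, lower-cased
DROPPED = "sysregsrvc.exe"          # dropped file name from the page, lower-cased
DROPPED_SIZE = 558080               # size in bytes from the page
MEDIA_PAIR = {"start.exe", "autorun.inf"}

def read_run_values():
    """Windows only: read the current user's Run values with stdlib winreg."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        count = winreg.QueryInfoKey(key)[1]
        return {n: d for n, d, _ in (winreg.EnumValue(key, i) for i in range(count))}

def check_run_values(values):
    """Flag the MSkip value name or any Run entry that launches SysRegSrvc.exe."""
    hits = []
    for name, data in values.items():
        # Registry names and Windows paths are case-insensitive.
        target = str(data).strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.lower() == RUN_VALUE or target == DROPPED:
            hits.append(f"Run value {name!r} = {data}")
    return hits

def check_windir(windir):
    """Find the dropped copy in %windir% and compare its size to the page's."""
    hits = []
    for entry in os.listdir(windir):
        if entry.lower() == DROPPED:
            size = os.path.getsize(os.path.join(windir, entry))
            verdict = "matches" if size == DROPPED_SIZE else "differs from"
            hits.append(f"{entry}: {size} B {verdict} the documented size")
    return hits

def check_drive_root(root):
    """Flag a drive root that holds both Start.exe and autorun.inf."""
    names = {e.lower() for e in os.listdir(root)}
    return [f"{root}: Start.exe with autorun.inf"] if MEDIA_PAIR <= names else []

if __name__ == "__main__":
    # Constructed sample mirroring the page's Run entry; on Windows use read_run_values().
    sample = {"MSkip": r"%windir%\SysRegSrvc.exe", "ExampleApp": r"C:\Apps\example.exe"}
    for finding in check_run_values(sample):
        print(finding)
```

A file name or size match is only a lead for further analysis, since other variants may differ in size and unrelated media can legitimately carry an autorun.inf.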

Information stealing

The worm collects the following information:
  • computer name
  • user name
  • CPU information
The worm attempts to send gathered information to a remote machine.

Other information

The worm restarts the operating system if there is a window with any of the following strings in the name:
  • The Wireshark Network Analyzer
The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (2) URLs. The HTTP protocol is used.

The worm can download and execute a file from the Internet.