Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Short description
Win32/Delf.NQM is a worm that spreads by copying itself into certain folders.
Installation
The worm attempts to delete the following files:
  • %systemdrive%WINDOWSsystem32spoolsv.exe
  • %systemdrive%WINDOWSsystem32taskmgr.exe
  • %systemdrive%WINDOWSpchealthhelpctrbinariesmsconfig.exe
  • %systemdrive%WINDOWSregedit.exe
  • %systemdrive%WINDOWSsystem32CProcess.exe
  • %systemdrive%WINDOWSsystem32autoruns.exe
The worm copies itself in the following locations:
  • %systemdrive%WINDOWSsystem32sys32smss.exe
  • %systemdrive%WINDOWSWebWallpapercsrss.exe
  • C:WINDOWSsystem32taskmgr.exe
  • D:WINDOWSsystem32taskmgr.exe
  • C:WINDOWSpchealthhelpctrbinariesmsconfig.exe
In order to be executed on every system start, the worm sets the following Registry entries:
  • [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion
    Run]
    "%systemdrive%WINDOWSsystem32sys32smss.exe" =
    "%systemdrive%WINDOWSsystem32sys32smss.exe"
    "%systemdrive%WINDOWSWebWallpapercsrss.exe" =
    "%systemdrive%WINDOWSWebWallpapercsrss.exe"
The following Registry entries are created:
  • [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion
    PoliciesSystem]
    "DisableTaskMgr" = 1
Other information
The worm can trigger unexpected keyboard and/or mouse behavior.

The worm may open the CD/DVD drive.