Delf.DW_2 is a worm. Worms spread from computer to computer, making copies of themselves over the network. They can spread over email, IM, peer-to-peer networks, or directly over the wire by leveraging vulnerabilities.

Delf.DW_2 is compressed using an executable packer and its file size is 438,272 bytes. This malware is written in Borland Delphi.

Delf.DW_2 drops the following files on the hard drive:
- C:\WINDOWS\Inf\smss.exe (438272 bytes)
- C:\WINDOWS\System32\Sexy Girls.scr (438272 bytes)
- C:\DOCUME~1\Administrator\LocalS~1\Progra~1\svchost.exe (438272 bytes)

It also changes the Windows registry:
- Creates value "FrameWorkService"="" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
- Creates value "FrameWorkService"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
- Creates value "DisallowRun"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer".
- Creates value "NoFind"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer".
- Creates key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun".
- Creates value "1"="cmd.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun".
- Creates value "2"="mmc.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun".
- Creates value "3"="rstrui.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun".
- Creates value "4"="regedit.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun".
- Creates value "5"="regedt32.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun".

It is also executed every time Windows starts.