SonicALERT
Sonicwall Signatures

 


  Delf.DW_2
Delf.DW_2 is a worm. Worms spread from computer to computer, making copies of themselves over the network. They can spread over email, IM, peer-to-peer networks, or directly over the wire by leveraging vulnerabilities. Delf.DW_2 is compressed using an executable packer and its file size is 438,272 bytes. This malware is written in Borland Delphi.

Delf.DW_2 drops the following files on the hard drive:

  • C:\WINDOWS\Inf\smss.exe (438272 bytes)
  • C:\WINDOWS\System32\Sexy Girls.scr (438272 bytes)
  • C:\DOCUME~1\Administrator\LocalS~1\Progra~1\svchost.exe (438272 bytes)

It also makes the following changes to the Windows registry:

  • Creates value "FrameWorkService"="" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
  • Creates value "FrameWorkService"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
  • Creates value "DisallowRun"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer".
  • Creates value "NoFind"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer".
  • Creates key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun".
  • Creates value "1"="cmd.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun".
  • Creates value "2"="mmc.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun".
  • Creates value "3"="rstrui.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun".
  • Creates value "4"="regedit.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun".
  • Creates value "5"="regedt32.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun".

It is also executed every time Windows starts.

