Home / malwarePDF  

Virus:W32/Delf.BO


First posted on 16 May 2007.
Source: SecurityHome

Aliases :

Virus:W32/Delf.BO is also known as Trojan:W32/Delf.BKE, W32.Relfeer, Virus.Win32.Delf.bo, Trojan.Win32.Delf.abn.

Explanation :

Virus:W32/Delf.BO is malware that connects to malicious websites. Virus:W32/Delf.BO may download files, or get instructions for its malicious acts.

Once Virus:W32/Delf.BO has been executed, it will display a non-malicious file. Typically, office documents, text files, or log files.

The clean file is dropped into the following folder:


Virus:W32/Delf.BO drops the following malicious file component in the Windows directory:


It also drops the following files in the Windows System Directory:


Moreover, it also drops the following file in the Startup folder:


Malicious drop files may use the following parameters to execute:


To enable its automatic execution upon boot up it adds the following autostart registry entries:


Delf.BO modifies the default entry for the program used to open the clean file and executes itself upon opening the same file extension of the clean file.
Example for .TXT files:


Along with adding or modifying registry entries for its autostart technique, it also adds the following entry in "%windir%win.ini"


This is under the following criteria:


It may connect to the following domain to download other files:


Note: As of this writing the domains above are unavailable.

It checks for Internet connection by querying the following site:


It has a backdoor/proxy server functionality that may use the following commands:


Virus:W32/Delf.BO also connects to the following URL:

Last update 16 May 2007

 

TOP

Malware :

Family: