
Win32.Worm.Delf.NCZ


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Worm.Delf.NCZ is also known as Worm.Win32.Delf.cd.

Explanation :

Upon execution, the worm copies itself to the Windows system folder as kspool.exe and adds an entry to the system registry so that it runs at startup, named

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Kernel spooler

It then spreads in two ways:
a) by copying itself as

>%DriveLetter%MSSETUP.T~~Uninstall Driver.exe

where %DriveLetter% is a mapped network drive. It also creates a folder.htt file in the same folder, so that the malware runs when the folder is opened in Explorer;
and
b) through the dropped library, AVWAV32.DLL, which behaves as a file infector:
It scans the computer for document files (.doc, .xls, .ldf, .mdf), prepends itself to each one and changes the extension to .exe. When such a file is executed, the malware infects the computer it is run on, drops the original document and opens it.
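A triage heuristic for the file-infector behaviour described above, as an added example that is not BitDefender's detection logic: it lists .exe files that begin with an MZ header and contain an OLE2 compound-file header (the format of .doc and .xls) further in. It assumes the original document is stored unmodified after the worm body, which the description does not state, and it does not cover .ldf or .mdf files; legitimate installers that embed OLE data will also match, so hits need manual review.

```python
import os
import tempfile

MZ = b"MZ"                                  # DOS/PE executable header
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header (.doc, .xls)

def embedded_ole_offset(path, chunk=1 << 20):
    """Return the offset of an OLE2 header inside an MZ file, else None."""
    with open(path, "rb") as f:
        if f.read(2) != MZ:
            return None
        pos, tail = 2, b""
        while block := f.read(chunk):
            buf = tail + block              # keep 7 bytes of overlap between reads
            hit = buf.find(OLE2)
            if hit != -1:
                return pos - len(tail) + hit
            tail = buf[-(len(OLE2) - 1):]
            pos += len(block)
    return None

def scan(root, chunk=1 << 20):
    """Return sorted (path, offset) pairs for .exe files embedding an OLE2 file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            try:
                offset = embedded_ole_offset(path, chunk)
            except OSError:                 # unreadable or locked file: skip it
                continue
            if offset is not None:
                hits.append((path, offset))
    return sorted(hits)

def demo(chunk=1 << 20):
    """Scan constructed sample files; return (file name, offset) hits."""
    samples = {                             # constructed bytes, not real samples
        "report.exe": MZ + b"\x00" * 510 + OLE2 + b"body",  # stub + document
        "clean.exe": MZ + b"\x00" * 510,                    # plain executable
        "notes.doc": OLE2 + b"body",                        # untouched document
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return [(os.path.basename(p), off) for p, off in scan(root, chunk)]

if __name__ == "__main__":
    print(demo())
```

Point `scan()` at a document share or user profile directory; the reported offset is where the embedded document starts, which helps when carving the original file back out for recovery.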

Last update 21 November 2011

 
