Threat Description



Aliases:Delf.BO, Trojan.Win32.Delf.abn, Trojan:​W32/Delf.BKE, W32.Relfeer,


Virus:W32/Delf.BO is malware that connects to malicious websites. Virus:W32/Delf.BO may download files, or get instructions for its malicious acts.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Technical Details

Once Virus:W32/Delf.BO has been executed, it will display a non-malicious file. Typically, office documents, text files, or log files. The clean file is dropped into the following folder:

  • %temp%\PrgStart

Virus:W32/Delf.BO drops the following malicious file component in the Windows directory:

  • reloc32.exe
  • svhst32.exe

It also drops the following files in the Windows System Directory:

  • updates.exe
  • wandrv.exe

Moreover, it also drops the following file in the Startup folder:

  • SQLNET.exe

Malicious drop files may use the following parameters to execute:

  • -O
  • -RS
  • -A
  • -V

To enable its automatic execution upon boot up it adds the following autostart registry entries:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce "Install part II" = "%sysdir%\updates.exe -o"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ "Memory relocation service" = "%windir%\reloc32.exe -rs"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Server Process" = "%windir%\svhst32.exe -a"

Delf.BO modifies the default entry for the program used to open the clean file and executes itself upon opening the same file extension of the clean file.

Example for .TXT files:

  • HCR\txtfile\shell\open\command Original data: %sysdir%\NOTEPAD.EXE %1 New data: %sysdir%\notepd.exe "-v" "%1"

Along with adding or modifying registry entries for its autostart technique, it also adds the following entry in "%windir%\win.ini"

  • "%sysdir%\wandrv.exe"

This is under the following criteria:

  • Name = "windows"
  • Key = "run"

It may connect to the following domain to download other files:


Note: As of this writing the domains above are unavailable. It checks for Internet connection by querying the following site:


It has a backdoor/proxy server functionality that may use the following commands:

  • HEAD
  • POST
  • PUT

Virus:W32/Delf.BO also connects to the following URL:



F-Secure Anti-Virus detects this malware with the following updates:
Detection Type: PC
Database: 2007-05-02_02


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More