Virus:W32/Delf.BO is malware that connects to malicious websites. Virus:W32/Delf.BO may download files, or get instructions for its malicious acts.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More information on scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
Once Virus:W32/Delf.BO has been executed, it will display a non-malicious file. Typically, office documents, text files, or log files. The clean file is dropped into the following folder:
Virus:W32/Delf.BO drops the following malicious file component in the Windows directory:
It also drops the following files in the Windows System Directory:
Moreover, it also drops the following file in the Startup folder:
Malicious drop files may use the following parameters to execute:
To enable its automatic execution upon boot up it adds the following autostart registry entries:
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce "Install part II" = "%sysdir%\updates.exe -o"
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ "Memory relocation service" = "%windir%\reloc32.exe -rs"
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Server Process" = "%windir%\svhst32.exe -a"
Delf.BO modifies the default entry for the program used to open the clean file and executes itself upon opening the same file extension of the clean file.
Example for .TXT files:
- HCR\txtfile\shell\open\command Original data: %sysdir%\NOTEPAD.EXE %1 New data: %sysdir%\notepd.exe "-v" "%1"
Along with adding or modifying registry entries for its autostart technique, it also adds the following entry in "%windir%\win.ini"
This is under the following criteria:
- Name = "windows"
- Key = "run"
It may connect to the following domain to download other files:
Note: As of this writing the domains above are unavailable. It checks for Internet connection by querying the following site:
It has a backdoor/proxy server functionality that may use the following commands:
Virus:W32/Delf.BO also connects to the following URL:
F-Secure Anti-Virus detects this malware with the following updates:
Detection Type: PC
Description Created: 2007-05-14 11:50:04.0
Description Last Modified: 2007-05-14 14:14:57.0