Virus:W32/Delf.BO is malware that connects to malicious websites. Virus:W32/Delf.BO may download files, or get instructions for its malicious acts.
Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
Once Virus:W32/Delf.BO has been executed, it will display a non-malicious file. Typically, office documents, text files, or log files. The clean file is dropped into the following folder:
Virus:W32/Delf.BO drops the following malicious file component in the Windows directory:
It also drops the following files in the Windows System Directory:
Moreover, it also drops the following file in the Startup folder:
Malicious drop files may use the following parameters to execute:
To enable its automatic execution upon boot up it adds the following autostart registry entries:
Delf.BO modifies the default entry for the program used to open the clean file and executes itself upon opening the same file extension of the clean file.
Example for .TXT files:
Along with adding or modifying registry entries for its autostart technique, it also adds the following entry in "%windir%\win.ini"
This is under the following criteria:
It may connect to the following domain to download other files:
Note: As of this writing the domains above are unavailable. It checks for Internet connection by querying the following site:
It has a backdoor/proxy server functionality that may use the following commands:
Virus:W32/Delf.BO also connects to the following URL:
F-Secure Anti-Virus detects this malware with the following updates:
Detection Type: PC
Description Created: 2007-05-14 11:50:04.0
Description Last Modified: 2007-05-14 14:14:57.0