Win32.Worm.Delf.NCZ

LOW
LOW
~60KB
(Worm.Win32.Delf.cd)

Symptoms

  • AVWAV32.DLL, KSPOOL.EXE in %system% folder
  • FFASTIDX.DAT and debug1.txt in %systemroot%

Removal instructions:

Download the removal tool to disinfect the document files and clean the registry, then do a system scan with BitDefender to remove any remaining traces of the malware.

Analyzed By

Theodor-Iulian Ciobanu, virus researcher

Technical Description:

Upon execution the worm copies itself to the Windows system folder as kspool.exe and adds an entry to the system registry so that it runs at startup, named
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Kernel spooler
It then spreads by
a) copying itself as
 %DriveLetter%\MSSETUP.T~~\Uninstall Driver.exe
where %DriveLetter% is a network-mapped drive, and also creating a folder.htt file in the same folder, which runs the malware when the folder is opened in Explorer
and
b) through the dropped library, AVWAV32.DLL, which behaves as a file infector:
It scans the computer for document files (.doc, .xls, .ldf, .mdf), prepends itself to them and changes their extensions to .exe. When such a file is executed, the malware infects the computer it is run on, drops the original document and opens it.
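
A triage check for the indicators listed above, as an added example that is not Bitdefender's removal tool or code from this write-up: it looks for the named files, for the MSSETUP.T~~ folder on drive roots passed as arguments, and for the Run value. The function names and the System32/SysWOW64 reading of %system% are assumptions.

```python
import os
import sys

# Names below are the indicators listed in the write-up above.
SYSTEM_FILES = ("AVWAV32.DLL", "KSPOOL.EXE")        # expected in %system%
SYSTEMROOT_FILES = ("FFASTIDX.DAT", "debug1.txt")   # expected in %systemroot%
SHARE_DIR = "MSSETUP.T~~"                           # created on mapped drives
SHARE_FILES = ("Uninstall Driver.exe", "folder.htt")
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Kernel spooler"

def present(folder, names):
    """Return paths of `names` found in `folder`, matching case-insensitively
    so the check also works on a disk image mounted on a case-sensitive OS."""
    try:
        entries = {e.lower(): e for e in os.listdir(folder)}
    except OSError:              # folder missing, unreadable, or not a folder
        return []
    return [os.path.join(folder, entries[n.lower()])
            for n in names if n.lower() in entries]

def file_indicators(system_dirs, systemroot_dir, drive_roots=()):
    """Collect every indicator file present under the given locations."""
    hits = present(systemroot_dir, SYSTEMROOT_FILES)
    for d in system_dirs:
        hits += present(d, SYSTEM_FILES)
    for root in drive_roots:     # network-mapped drives, e.g. "Z:\\"
        for share_dir in present(root, (SHARE_DIR,)):
            hits += present(share_dir, SHARE_FILES)
    return hits

def run_value():
    """Return the command stored in the worm's HKCU Run value, or None."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
            return winreg.QueryValueEx(key, RUN_VALUE)[0]
    except OSError:              # key or value absent
        return None

if __name__ == "__main__":
    root = os.environ.get("SystemRoot", r"C:\Windows")
    # Assumption: %system% is System32; SysWOW64 is checked too for 64-bit hosts.
    dirs = [os.path.join(root, d) for d in ("System32", "SysWOW64")]
    for hit in file_indicators(dirs, root, sys.argv[1:]):
        print("file indicator:", hit)
    if run_value() is not None:
        print("Run value present:", RUN_VALUE, "->", run_value())
```

Run it as the affected user, since the Run value is under HKEY_CURRENT_USER, and pass each mapped drive root as an argument. A hit is a reason to run the removal tool and a full scan, not a replacement for them.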