194048 B (packed with UPX)


- low internet bandwidth
- high disk usage
- visible computer slowdowns
- presence of the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TuneUp

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Lutas Andrei Vlad, virus researcher

Technical Description:

This worm is written in Delphi and appears to originate in Romania. It uses DC (Direct Connect) clients to spread from one computer to another.
When it is first run, it will create in the same directory a file named System32.F2.sys, where it will write a huge list of movie, software, crack and keygen names, and names of any other type of file DC users usually share. It will then check for the existence of one of the following DC clients:

If it finds one of them, it will attempt to open the file DCPlusPlus.xml (usually found in the same directory as the DC client) and edit it, adding the following line one or several times:
C:\Program Files\Common Files\System Internals 32bits\
It will then create the directory described above (c:\Program files\Common Files\System Internals 32bit) where, for every line from the file System32.F2.sys, it will create a directory whose name may vary from software, cracks and keygens to movies. In each of these directories, the worm will make a copy of itself, using a double extension in the case of movies (e.g. something.avi.exe and something.sub.exe). This way, the worm will create over 1000 directories, and in every directory there will be at least one copy of itself. During the next DC start, these directories will be shared, allowing the worm to spread and infect more computers. It will then create the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TuneUp pointing to the file C:\Program Files\Common Files\System Internals 32bits\TuneUp.exe, which will ensure the worm gets executed during every startup.
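The share-hijacking behaviour described above leaves three artifacts that can be checked offline: the injected share entry in DCPlusPlus.xml, the decoy double-extension executables, and one identical executable replicated across hundreds of share directories. The script below is an added triage example, not BitDefender's tooling and not part of this description; the element layout it assumes for DCPlusPlus.xml (`<Share><Directory>…</Directory></Share>`) is an assumption about the DC++ config format, while the share directory name and the file-name pattern come from the text. The sample config and sample share tree are constructed inline so the script runs on any system.

```python
"""Triage helper for the DC++ share hijacking described above (added example).

It checks a DCPlusPlus.xml for the worm's injected share directory, walks a
share tree for the double-extension copies (something.avi.exe) and for one
executable replicated across many directories.  The XML layout used here
(<Share><Directory>path</Directory></Share>) is an assumption about the DC++
config format; the directory name and file names come from the description.
"""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Share path the worm appends to DCPlusPlus.xml (from the description).
WORM_SHARE_DIR = r"C:\Program Files\Common Files\System Internals 32bits"


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison: strip trailing slashes, lower-case."""
    return path.strip().rstrip("\\/").lower()


def find_injected_share(xml_text: str) -> list[str]:
    """Return every <Directory> entry in a DCPlusPlus.xml that points at the
    worm's share directory (the worm may add the line several times)."""
    root = ET.fromstring(xml_text)
    return [node.text.strip() for node in root.iter("Directory")
            if node.text and _norm(node.text) == _norm(WORM_SHARE_DIR)]


def find_double_extension_exes(share_root: str) -> list[str]:
    """Return .exe files whose name carries a decoy extension before .exe,
    e.g. 'Movie.avi.exe' or 'Movie.sub.exe'."""
    hits = []
    for dirpath, _dirs, files in os.walk(share_root):
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() == ".exe" and os.path.splitext(stem)[1]:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def find_replicated_executables(share_root: str, min_copies: int = 2) -> dict[str, list[str]]:
    """Group .exe files under share_root by SHA-256 and return the groups that
    occur at least min_copies times: a worm that drops a copy of itself in
    every directory shows up as one hash with hundreds of paths."""
    by_hash: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(share_root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            by_hash.setdefault(digest, []).append(full)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) >= min_copies}


# Constructed sample config: one legitimate share plus the injected line twice.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<DCPlusPlus>
  <Share>
    <Directory>D:\\Downloads\\</Directory>
    <Directory>C:\\Program Files\\Common Files\\System Internals 32bits\\</Directory>
    <Directory>C:\\Program Files\\Common Files\\System Internals 32bits\\</Directory>
  </Share>
</DCPlusPlus>
"""


def build_sample_share() -> str:
    """Create a constructed share tree in a temp dir that mimics the worm's
    layout: one identical executable in every folder, decoy names for movies."""
    root = tempfile.mkdtemp(prefix="dcshare_")
    layout = {
        "Some Movie 2004": ["Some Movie 2004.avi.exe", "Some Movie 2004.sub.exe"],
        "Some Software Keygen": ["keygen.exe"],
        "Legit Album": ["track01.mp3"],
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in files:
            # Placeholder bytes; every "worm copy" is byte-identical on purpose.
            body = b"MZ-worm-copy" if name.endswith(".exe") else b"ID3"
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(body)
    return root


if __name__ == "__main__":
    print("injected share entries:", find_injected_share(SAMPLE_XML))
    share = build_sample_share()
    print("double-extension exes:", find_double_extension_exes(share))
    for digest, paths in find_replicated_executables(share).items():
        print(f"{digest[:12]} replicated in {len(paths)} places")
```

The hash grouping is the more robust of the three checks: the decoy extensions only apply to the movie folders, but the "copy of itself" in every directory means one digest with an abnormal number of paths regardless of what the folders are called.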

It will also attempt to connect to various music web-sites, from which it will try to download various files (usually .mp3 files). It will then search for and delete every file on the disk that contains one of the following sequences of characters: Adrian Minune,
Adi De La Valcea, Adi De Vito, Alex de la Orastie, Ali Zaidi, Ady Pustiu, Babi Minune, Corina, Bocsa Copilul de Aur, Costel Biju, Ciofu, Cristi Dules, Cristian Rizescu, Dan Bursuc, danezu, Denisa, De Marco, Dj. Bengos, DJ Sebi, Don Genove, Elvis de la Bistrita, Florin Cristea, Florin Minune, Florin Mitroi, Florin Peste, Florin Salam, Fratii de Aur, Laura Vass, Liviu Pustiu, Liviu Guta, Jean de la Craiova, K-meleon, Kristiyana, Ionut Cercel, Marius de la Focsani, Mihaela Minune, Mihai Priescu, Mihaita Piticu, Minodora, Mr.Juve, Nea Kalu, Nek, Nicolae Guta, Nicoleta Guta, Octavian Francezul, Pedro Petrica, Cercel, Printesa de Aur, Roxana Printesa Ardealului, Rudy de la Valcea, Sandu Ciorba, Sorinel Pustiul, Sorinel Pustiu, Susanu, Suzana, Vali Vijelie, Violeta Constantin, Zaku.

The worm may also overwrite the hosts file with one of its own, which will redirect any access to various music, warez or pornographic web-sites to the localhost (making them inaccessible).
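A hosts file rewritten this way is easy to spot: many unrelated host names all mapped to a loopback or unspecified address. The script below is an added example of that check, not part of this description; it parses hosts-file syntax, ignores the standard localhost aliases, and flags everything else pointed at 127.0.0.0/8, ::1 or 0.0.0.0. The sample hosts content and the `.example` domain names are constructed, and the tampering threshold of five entries is an assumption chosen to tolerate the few loopback lines an ad-blocking hosts file normally carries.

```python
"""Hosts-file sinkhole check for the tampering described above (added example).

Parses a Windows-style hosts file and reports every name other than the
usual localhost entries that is mapped to a loopback or unspecified address,
which is how the worm makes music and warez sites unreachable.  The sample
content and the .example domain names below are constructed, not from the page.
"""
import ipaddress

# Names that legitimately map to loopback in a stock hosts file.
EXPECTED_LOOPBACK_NAMES = frozenset({"localhost", "localhost.localdomain", "broadcasthost"})


def parse_hosts(text: str):
    """Yield (line_no, ip, hostname) for every mapping, skipping comments and blanks."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield line_no, ip, name.lower()


def find_sinkholed_hosts(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for names pointed at 127.0.0.0/8, ::1
    or 0.0.0.0 that are not standard localhost aliases."""
    hits = []
    for line_no, ip, name in parse_hosts(text):
        if name in EXPECTED_LOOPBACK_NAMES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # malformed line; not a mapping we can judge
            continue
        if addr.is_loopback or addr.is_unspecified:
            hits.append((line_no, ip, name))
    return hits


def hosts_look_tampered(text: str, threshold: int = 5) -> bool:
    """Heuristic (assumed threshold): a handful of loopback entries is common
    for ad-blocking; the worm's file blackholes whole categories of sites."""
    return len(find_sinkholed_hosts(text)) >= threshold


# Constructed sample: the stock header, then the kind of entries the worm writes.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost
127.0.0.1   music-portal.example www.music-portal.example   # constructed
127.0.0.1   warez-tracker.example
0.0.0.0     adult-site.example
127.0.0.1   another-music-site.example
"""

if __name__ == "__main__":
    for line_no, ip, name in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
    print("tampered:", hosts_look_tampered(SAMPLE_HOSTS))
```

On a live system you would feed it the contents of `%SystemRoot%\System32\drivers\etc\hosts`; restoring the file from a known-good copy is the remediation, since the worm's version replaces rather than appends.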