Win32/Delf.SUZ [Threat Name]
Win32/Delf.SUZ [Threat Variant Name]
| Detection created | Mar 26, 2015 |
| Signature database version | 11687 |
Win32/Delf.SUZ is a trojan which tries to download other malware from the Internet.
The trojan copies itself to the following location:
The trojan may create the following files:
The variable %number% represents a number in the range 0 - 99999.
The trojan registers itself as a system service.
This causes the trojan to be executed on every system start.
The following Registry entries are created:
- "EventMessageFile" = "%appdata%\winntcrytserv.exe"
- "TypesSupported" = 7
- "Description" = "NT Cryticals Services"
- "DisplayName" = "winntcrytserv"
- "ErrorControl" = 1
- "FailureActions" = "0A00000001000000010000000100000014000000010000000A000000"
- "ImagePath" = "%appdata%\winntcrytserv.exe"
- "ObjectName" = LocalSystem
- "Start" = 2
- "Type" = 16
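A defender can check exported service configuration for the values listed above. The following is an added example, not part of the original description: it parses `reg query ... /s` text output and flags entries that match the listed names, and it goes slightly beyond them by also flagging any auto-start LocalSystem service whose binary sits in a user profile directory. The service key names in the sample and the user-path pattern are assumptions; the sample input is constructed.

```python
import re

# Values taken from the registry entries listed above.
IOC_IMAGE_NAME = "winntcrytserv.exe"
IOC_DISPLAY_NAME = "winntcrytserv"
# Assumption: user-writable profile locations a service binary should not run from.
USER_PATH = re.compile(r"%appdata%|\\users\\[^\\]+\\appdata\\", re.I)
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Parse `reg query <key> /s` output into {key_path: {value_name: data}}."""
    services, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = services.setdefault(line.strip(), {})
        elif current is not None and (m := VALUE_LINE.match(line)):
            name, kind, data = m.groups()
            current[name] = int(data, 16) if kind == "REG_DWORD" else data.strip()
    return services

def findings(values):
    """Return the reasons a service entry matches the behaviour described above."""
    image = str(values.get("ImagePath", ""))
    display = str(values.get("DisplayName", ""))
    reasons = []
    if IOC_IMAGE_NAME in image.lower() or display.lower() == IOC_DISPLAY_NAME:
        reasons.append("name matches Win32/Delf.SUZ entry")
    if (values.get("Start") == 2 and USER_PATH.search(image)
            and str(values.get("ObjectName", "")).lower() == "localsystem"):
        reasons.append("auto-start LocalSystem service runs from a user profile path")
    return reasons

def scan(text):
    return {k: r for k, v in parse_reg_query(text).items() if (r := findings(v))}

# Constructed sample input; the service key names are placeholders, not from the page.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAMPLE_SERVICE_A
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    C:\Users\alice\AppData\Roaming\winntcrytserv.exe
    DisplayName    REG_SZ    winntcrytserv
    ObjectName    REG_SZ    LocalSystem

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAMPLE_SERVICE_B
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs
    ObjectName    REG_SZ    LocalSystem
"""
print(scan(SAMPLE))
```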
The trojan collects the following information:
- volume serial number
The trojan attempts to send gathered information to a remote machine.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address. The HTTP protocol is used in the communication.
It tries to download and execute the other part of the infiltration from the address.