Win32/Delf.SUZ [Threat Name]
Win32/Delf.SUZ [Threat Variant Name]
Category | trojan
Size | 948224 B
Detection created | Mar 26, 2015
Detection database version | 11687
Short description
Win32/Delf.SUZ is a trojan which tries to download other malware from the Internet.
Installation
The trojan copies itself to the following location:
- %appdata%\winntcrytserv.exe
The trojan may create the following files:
- %appdata%\winntcrytserv.exe.%number%
The variable %number% represents a number in the range 0 - 99999.
The trojan registers itself as a system service.
This causes the trojan to be executed on every system start.
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\winntcrytserv]
- "EventMessageFile" = "%appdata%\winntcrytserv.exe"
- "TypesSupported" = 7
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winntcrytserv]
- "Description" = "NT Cryticals Services"
- "DisplayName" = "winntcrytserv"
- "ErrorControl" = 1
- "FailureActions" = "0A00000001000000010000000100000014000000010000000A000000"
- "ImagePath" = "%appdata%\winntcrytserv.exe"
- "ObjectName" = LocalSystem
- "Start" = 2
- "Type" = 16
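The service registration and dropped files listed above are the artifacts a responder would hunt for. The following PowerShell script is an added example, not part of the ESET entry: it checks a host, read-only, for the service key, the event log source, the dropped executable (and its numbered copies) in every user's roaming AppData, and a live service object. It assumes it runs as an administrator and that user profiles live under the system drive's Users folder.

```powershell
# Added example (not from the ESET entry): report persistence artifacts of Win32/Delf.SUZ.
# Read-only; it only lists what it finds. Run from an elevated PowerShell prompt.
$svcName  = 'winntcrytserv'
$findings = @()

# 1. Service registration. Start=2 is SERVICE_AUTO_START, Type=16 is SERVICE_WIN32_OWN_PROCESS.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
if (Test-Path $svcKey) {
    $p = Get-ItemProperty -Path $svcKey
    $findings += "Service key present: ImagePath='$($p.ImagePath)' Start=$($p.Start) Type=$($p.Type) ObjectName=$($p.ObjectName)"
}

# 2. Event log source whose message file points at the dropped executable.
$evtKey = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\$svcName"
if (Test-Path $evtKey) {
    $e = Get-ItemProperty -Path $evtKey
    $findings += "EventLog source present: EventMessageFile='$($e.EventMessageFile)'"
}

# 3. Dropped copy and numbered siblings (winntcrytserv.exe.<0-99999>) in each profile's
#    roaming AppData. The entry says %appdata%, so every profile is checked, not just the caller's.
$usersRoot = Join-Path $env:SystemDrive 'Users'
foreach ($prof in (Get-ChildItem -Path $usersRoot -Directory -ErrorAction SilentlyContinue)) {
    $appData = Join-Path $prof.FullName 'AppData\Roaming'
    if (-not (Test-Path $appData)) { continue }
    Get-ChildItem -Path $appData -Filter "$svcName.exe*" -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match "^$svcName\.exe(\.\d{1,5})?$" } |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $findings += "File: $($_.FullName) size=$($_.Length) sha256=$h"
        }
}

# 4. A live service object, whatever its current state.
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service object exists, status=$($svc.Status)" }

if ($findings.Count -eq 0) {
    Write-Output "No Win32/Delf.SUZ artifacts found."
} else {
    Write-Output "Possible Win32/Delf.SUZ artifacts:"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Any hit on the service key or event log source is a strong indicator on its own, since the service name is specific to this family; a file hit should be confirmed with the size from the table above and an AV scan before acting on it.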
Information stealing
The trojan collects the following information:
- volume serial number
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL and communicates with it over HTTP.
It tries to download the remaining part of the infiltration from that address and execute it.