W32/Delbot-AD is a worm with backdoor functionality for the Windows platforms which allows a remote intruder to gain access and control over the computer.
W32/Delbot-AD spreads
- to computers vulnerable to common exploits, including: Symantec (SYM06-010)
- to MSSQL servers protected by weak passwords
- to network shares protected by weak passwords
W32/Delbot-AD includes functionality to download, install and run new software.
When first run W32/Delbot-AD copies itself to <System>\jscript.exe and creates the file \ertg.exe.
The following registry entry is created to run jscript.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Javascript
<System>\jscript.exe