Troj/Delf-A

Aliases	Win32/Delf.BR trojan
Category	Viruses and Spyware
Type	Trojan
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Protection available since	7 June 2004 10:04:19 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing Trojans.

More Information

Summary
Action
More Information

Troj/Delf-A is a backdoor Trojan for the Windows platform.

Troj/Delf-A allows a malicious user remote access to an infected computer.

In order to run automatically when Windows starts up Troj/Delf-A creates the following registryentry as well as modifying Win.ini:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NVidiaDrv=
C:\WINDOWS\system\nvfsvm.com /autorun.

Upon execution Troj/Delf-A displays the bogus error message "WinZip
Self-Extractor header corrupt. Possible cause: bad disk or file transfer
error".

Troj/Delf-A may listen on port 2802, 2803 and 2804 for incoming connections
from a remote attacker.

Troj/Delf-A will copy itself to the file nvfsvm.com and drop the file kblog.dll
to the default System folder. The file kblog.dll is a harmless log file.

The trojan will also send an email to fixed2002@starline.ee containing the IP
address of the infected machine.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

Troj/Delf-A

Summary

Action

More Information