Win32/Delf.QCZ Description

Type: Trojan

Win32_Delf.QCZ is a devious and chatty Trojan that knows how to make its way around the friendly Facebook platform. Trojan_Win32Delf.QCZ uses an old trick to lure PC users; it pretends to be a codec component to view a video supposedly containing the victim's likeness. However, what makes Trojan_Win32_Delf.QCZ most interesting is Win32_Delf.QCZ's ability to engage victims into a dialogue, as opposed to just posting a one-liner and poisonous link.

If you look at the samples collected below, it is obvious that cybercriminals are enjoying the gullibility offered by social networks and are putting their social engineering skills to good use.

Friend (aka virus): Hi, how are you?

Victim: Hi, friend (aka virus)

Friend (aka virus): good. Wanna laugh?

Victim: Absolutely

Friend (aka virus): It is you on the video?)) want to see?)

Victim: Yes, yes, yes … send me the link

Friend (aka virus): http:\\poisonous link

Cybercriminals exploit any and everything, including software, hardware and human behavior and often hack or spoof accounts, so victims or recipients will fall trap and trust the lies.

The poisonous link routes to a rogue YouTube webpage and, in order to watch the video, you'll need to upgrade your Adobe Flash Player. Of course, this is a trap and the update is fake. To add to the deception, there are validating comments from other friends. Here are a few examples:

Friend2 (aka virus): He must have been shamed to do that
Friend3 (aka virus): had to update Flash Player, but it was worth it this video is the very best!
Friend4 (aka virus): one word for it – TERRIBLE!!

Another interesting twist deals with the payload of Trojan_Win32_Delf.QCZ. Trojans are known to drive or simulate a security breach in hopes of tricking a PC user into buying a useless anti-virus program. However, Trojan_Win32_Delf.QCZ looks for and impersonates a particular anti-virus or security program already in place. Why? This most likely is a distraction ploy, so that the victim will not suspect other malicious behaviors such as these:

  • Theft of vital data stored on the system or being entered into web-based forms.
  • Theft of the email address book so a spammer can spam persons on the lists.
  • Downloading more malicious programs, including a rogue security program that uses fake scans, alerts and reporting.

ESG Security researchers tested the malicious behavior of Win32_Delf.QCZ and have noticed the plantation and installation of a mining application called Bitcoin, indicating the builder (malware maker or hacker) is up to more malicious activity. In a nutshell, Bitcoins are a decentralized, P2P virtual currency and are mainly used underground to buy all sorts of things, legal or illegal, without government interference. Bitcoins can be bought, traded or generated through CPU usage, which means at a minimum, your system resources will be secretly used to generate Bitcoins.

Trojan_Win32_Delf.QCZ performs the following malicious functions:

  • Search for specific AV programs to delete and later impersonate.
  • Disable administrative controls such as Task Manager, so it can't be used to stop its process from running.
  • Modify the registry by editing sub-keys and making an entry to loop its venomous executable, so it runs at every boot.
  • Download a binary via HTTP over port 80 and 8080.
  • Survey the system and check to see if an ATI graphic card exist and, if so, download drivers.
  • Modify the system to run its venomous executable in Safe Mode.

If the victim doesn't restart their system in a specific window of time, automatic boot will occur.
Not all malware announces its arrival, but there usually are subtle hints of an evasion such as these:

  • System running slow due to hidden programs running in the background, like the evasive Bitcoin application or venomous executables of Trojan_Win32_Delf.QCZ.
  • System booting on its own,
  • Browser redirects to unwanted or malicious websites.
  • An assault of alerts or warnings indicating an intrusion, such as the one Trojan_Win32_Delf.QCZ intends to exhibit when it impersonates AV programs you may have installed.
  • Applications not running properly or at all.

At the first hint of an infestation, you really need to act fast. Use aggressive methods to search for and remove all malware off your PC. To catch viruses fortified by a rootkit, you need to use a stealth anti-malware containing an anti-rootkit component. Don't waste time on useless anti-virus or anti-spyware programs that are incapable of searching your system's kernel and safely remove ALL types of malware or ones that do not update definitions around the clock. Some Trojans may mutate often, to oppose combative measures taken by the Internet security community and this could leave you experiencing deja vu each and every time your computer boots up.


15 security vendors flagged this file as malicious.

Anti-Virus Software Detection
Panda Suspicious file
AVG Generic26.BSXU
Fortinet W32/Menti.IPY!tr
Microsoft Backdoor:Win32/Bafruz.B
Antiy-AVL Trojan/Win32.AntiAV.gen
Sophos Troj/Bafruz-B
AntiVir BDS/Bafruz.B.3
BitDefender Trojan.Generic.6794711
eSafe Win32.TRCrypt.Ulpm
Avast Win32:MalOb-IJ [Cryp]
Symantec Trojan.Malcol
F-Prot W32/Agent.JXZ
K7AntiVirus Riskware
McAfee Generic-FABJ!19A418E0400D
CAT-QuickHeal Trojan.AntiAV.omn

Technical Information

Screenshots & Other Imagery

SpyHunter Detects & Remove Win32/Delf.QCZ

File System Details

Win32/Delf.QCZ creates the following file(s):
# File Name MD5 Detection Count
1 services32.exe 19a418e0400d554dda9b54520bdf52b4 33

Registry Details

Win32/Delf.QCZ creates the following registry entry or registry entries:
Registry key

Site Disclaimer is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.