drops itself using a random file name (such as "xpxnqdv.exe") in the %APPDATA%\Microsoft\Windows folder.
It modifies the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random value>" (for example, "B5XWlRZ5/ql2chDjTA")
WIth data: "%AppData%\microsoft\windows\xpxnqdv.exe"
It then runs the legitimate file "<system folder>\rundll32.exe" and injects a thread into it to delete its originally running EXE file.
Before it runs, VirTool:Win32/DelfInject checks your PC for certain security software. If any are found, it stops running.
injects code into "svchost.exe" so it can connect to certain servers and download files. One of the servers that it is known to connect to is "cate<removed>ksys.info".
At the time of this analysis the files are not available for download.
Analysis by Mihai Calota
Alerts from your security software may be the only symptom.